Posted by theharmonyguy in Facebook | 10 comments
Exporting Your Facebook Feed
The blogosphere has often bemoaned the fact that Facebook provides no RSS feed or similar mechanism for accessing a user’s news feed or mini-feed (now combined with wall posts) outside of Facebook. Other feeds, such as the status updates of friends, are available in RSS via tokenized URLs. Many lifestreaming applications would certainly benefit from access to a user’s actual activity feed instead.
However, such access is not impossible. In browsing the code for the new Facebook layout, I noticed how much AJAX was used in handling the display of feed items on a user’s profile. A bit of analysis revealed that all of the feed items visible on the profile are available via AJAX. By posting the proper variables to a particular URL, you can get the feed items as HTML embedded within some JSON. I’m quite certain that a regex ninja could parse the results into a usable format.
So what’s the catch? Facebook protects against CSRF attacks by adding to forms a variable called “post_form_id” that contains a special hex string. That variable is required to pull off the aforementioned AJAX requests. A simple check of the source code on nearly any Facebook page will allow a user to find his or her current post_form_id (I say “current” without being certain how often it changes – I do know my current one has persisted across the last two sessions).
Now, post_form_id serves an extremely important purpose, and if a non-Facebook page could automatically access it, CSRF attacks would likely be quite simple. Still, I can imagine knowledgeable geeks making use of this AJAX hack, if for nothing else than proof-of-concept tools.
To get a quick feel for how this works, check out a simple test page I whipped up. You’ll need your Facebook ID and your current post_form_id, and the page will forward you to either your entire recent feed or recent items posted by you.
By the way, an extra variable called max_time allows one to access past feed items as well. Another AJAX page (http://www.new.facebook.com/ajax/feed.php) gives access to the main news feed, though the format is quite different and I haven’t yet taken the time to explore it much. I do know it includes a time control as well.
Hopefully these tricks will let other developers build some interesting projects. All of the necessary URLs and applicable variables can be found buried in Facebook’s code, but I find the simplest way to discover them is to boot up Wireshark and take note of HTTP POSTs as you click various feed-related links.
Addendum (August 15): Take note that Facebook does check your cookies on these AJAX requests, so you do have to be logged in for the tricks to work. And my post_form_id has changed since I originally posted.
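As an added illustration (not Facebook's code) of the defence the post describes: a feed endpoint that insists on both a valid session cookie and the session's own form token, with a constructed feed and a max_time filter for paging back. Unlike the token the post observed surviving across sessions, this one is minted fresh at every login, so a copy kept from an old session is useless; the names and data are assumptions.

```python
import secrets

# Constructed sample data: profile id -> feed items, newest first.
FEED = {
    "1000": [
        {"time": 30, "text": "posted a photo"},
        {"time": 20, "text": "wrote on a wall"},
        {"time": 10, "text": "joined a group"},
    ],
}

SESSIONS = {}  # session cookie value -> {"user_id": ..., "post_form_id": ...}

def login(user_id):
    """Start a session and mint a fresh form token bound to it."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {"user_id": user_id, "post_form_id": secrets.token_hex(16)}
    return cookie

def post_form_id_for(cookie):
    """What a page rendered for this session would embed in its forms."""
    return SESSIONS[cookie]["post_form_id"]

def logout(cookie):
    SESSIONS.pop(cookie, None)

def feed_endpoint(cookie, post_form_id, profile_id, max_time=None):
    """Serve feed items only to a logged-in session presenting its own token."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, []                 # no valid cookie: not logged in
    if not secrets.compare_digest(post_form_id or "", session["post_form_id"]):
        return 403, []                 # token missing, forged or from an old session
    items = FEED.get(profile_id, [])
    if max_time is not None:           # page back to items older than max_time
        items = [i for i in items if i["time"] < max_time]
    return 200, items
```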
Posted by theharmonyguy in Facebook, General | No comments
Interesting Take on Facebook Connect
As someone who’s set up many different varieties of OpenID servers (with varying degrees of success) in a so-far fruitless effort to get Attribute Exchange working for a proof-of-concept data portability project, I found this statement from Identity 2.0 very intriguing:
OpenID may be the desktop Linux to Facebook’s Windows. A geeky solution for the rebels.
The article is well worth a read for anyone interested in this space. I too hope to see a good decentralized solution emerge for identity management (that was a mouthful), but right now Facebook Connect definitely has the usability edge. Personally, I’ve gotten a little jaded by OpenID – I’ve seen far more talk than results. Perhaps the Open Web Foundation will help spur things along… though I’m not completely optimistic.
Posted by theharmonyguy in Facebook | No comments
Pieces of Flair on Facebook
In my personal opinion, Pieces of Flair is one of the best designed Facebook applications. I say this for a variety of reasons, one being that it does a good job of catering to both giggly and serious users.
But I did discover today that I can view any user’s flair, regardless of whether they choose to show it on their profile. Not an earth-shattering revelation, but another demonstration of application privacy issues.
Posted by theharmonyguy in Facebook | 3 comments
Social Me Still Too Social
Social Me is another Facebook application that was recently banned, then more recently reinstated. I’m not sure exactly why they were banned to start with, but they ought to know their application still has a gaping security hole. I hadn’t experimented with Social Me much before, but when I saw they were back online I thought I would check for any remaining issues.
I noticed some suspicious aspects in the application’s code fairly quickly, and after an hour or two of tinkering, I successfully found a way to send messages on behalf of any user. I am able to send a message to anyone and make it appear to be from anyone else. This also includes sending flirts, slaps, “interested in you” notes, etc. – pretty much any of the means of communication Social Me offers. (The trick also makes it quite easy to drive up one’s “score.”)
The “hack” involved is unbelievably simple, because the AJAX interface for Social Me is totally unsecured. And it’s not even a POST request – I just enter a certain URL in my browser with a few query strings modified accordingly. The server does nothing to validate who is making the request. It reminds me of my original Emote hack.
Proof offered on demand – send me your Facebook ID, the Facebook ID of someone you can check with, and a test message. And developers, take heed – basic coding practices can prevent this kind of problem.
Update (July 17): Well that was quick. After a commenter requested a demonstration message, I found the hack had stopped working. Checking the code for Social Me I discovered that the developers have now added an MD5 hash to their AJAX requests as a means of authentication. Kudos to them for patching the hole so quickly.
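As an added example (not Social Me's code; the names, fields and signing scheme are assumptions), the handler pattern the post describes beside a hardened one: the sender id comes from the authenticated session rather than the query string, the action requires POST, and the request carries a keyed HMAC that a page rendered for a different user, or on a different site, cannot produce. The post mentions an MD5 hash as the fix; a keyed MAC is the form of that idea the client cannot recompute on its own.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-secret-known-only-to-the-app-server"
SENT = []  # constructed outbox: (from_id, to_id, text)

def vulnerable_send(method, query):
    """Accepts any method and trusts the caller-supplied 'from' id,
    so anyone can make a message appear to come from anyone."""
    SENT.append((query["from"], query["to"], query["msg"]))
    return 200

def sign(user_id, to_id, text):
    """Keyed MAC over the request fields, minted server-side when the page
    is rendered for user_id. An unkeyed hash of the same fields could be
    recomputed by any client, so it would not prove anything."""
    payload = f"{user_id}|{to_id}|{text}".encode()
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()

def hardened_send(method, session_user, form):
    """Sender is the session's user; a 'from' field in the form is ignored."""
    if method != "POST":
        return 405                      # state-changing action: no GET
    if session_user is None:
        return 401                      # must be logged in
    expected = sign(session_user, form.get("to", ""), form.get("msg", ""))
    if not hmac.compare_digest(form.get("sig", ""), expected):
        return 403                      # missing, forged, or minted for another user
    SENT.append((session_user, form["to"], form["msg"]))
    return 200
```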
Posted by theharmonyguy in General | 1 comment
Bright Spot in the New Facebook Profile
If you haven’t heard, Facebook is getting ready to launch a major overhaul of its profile pages. Many have discussed the advantages and disadvantages of the new design (and I’ve contacted Facebook about a problem with the feed layout), but I wanted to give a few kudos to Zuckerberg & Co. for at least one aspect of the new design.
If you’ve seen my comments on other blogs, you probably know that I’m not happy with the JavaScript+IFrame approach of many OpenSocial applications. (Yes, I know about the REST API – but look at Friend Connect, the majority of current apps, etc.) When I first hit View Source on the new Facebook page, I was sorely disappointed to see almost no content and tons of script.
But then I disabled JavaScript, and to my delight, discovered that I could use the new profile just fine, thanks to its developers using the magic of progressive enhancement. I may take issue with Facebook on a number of issues, both in terms of code practices and otherwise, but I’m at least glad to see them paying attention to an important (in my opinion) accessibility issue.
Now if they could just do something about memory leaks with Facebook Chat…