43 comments

[ 3.2 ms ] story [ 109 ms ] thread
It appears you can put a period anywhere within the ID after the initial "/" and it works:

http://graph.facebook.com/robot.stxt http://graph.facebook.com/r.o.b.o.t.s.t.x.t

This guy's actual short-URL is "robotstxt."

(comment deleted)
It's not just periods. They're filtering out certain characters [.,-]

hxxp://graph.facebook.com/-----r.-o....b....o-t-s-t....x....t----....///////////___%%20%22/test/robots

will still output the same result as http://graph.facebook.com/robotstxt

This is the sort of thing that leads to exploits.
(comment deleted)
I started playing with this new api today. My room mate and I spent an hour with various privacy settings and it does not appear there is any way to prevent your account from being accessed via this.
That is because the info that is available at http://graph.facebook.com/name is <= the info that is available at http://facebook.com/name . What part of your account are you trying to stop from being accessed? This makes no sense.
My “graph” link is public, but my “public page” link is not. It might be because I don’t allow my profile to appear in public searches (non logged in), but still they made it visible to anyone in the graph API. I hope they add a privacy setting to change this.
I don't like the fact that Facebook makes any of my data available and doesn't provide me options to make it private at will. I have my privacy settings turned all the way up for everything. Perhaps I, and others, simply would like to not have any of our data available in this manner.
I set my profile to private. I turned off "Public Search Results" and "Facebook Search Results" is set to "Only Friends".

If you're not logged in, my URL returns a 404: http://www.facebook.com/davetufts (or by ID: http://www.facebook.com/profile.php?id=603069147 )

Not a huge deal, because the graph page only shows my name and ID, but they are publicly accessible: http://graph.facebook.com/davetufts or http://graph.facebook.com/603069147

Appending /picture?type=large to your graph page works, too. Uh, oh...
(comment deleted)
I can see the following as a logged-in facebook user, which is identical to what the graph api returns: http://imgur.com/8y8hf.png

I'm not seeing a discrepancy here?

Like I said, the discrepancy is if you're NOT logged in.
I'm not seeing an issue here though -- that profile information was readily available in html (if you have a facebook cookie) and is now even more accessible via json.

In fact, the json api gives out less information than the html frontend (e.g. all 18 pages you currently follow).

Like he said, the discrepancy is when you are not logged in. I can see his info and his private profile pic although I don't even have a facebook account and the html version gives me a 404.
It's not a big deal, anyone could make a throwaway FB account and see the same data. The difference is almost immeasurable.
You don't think its a big deal that I can crawl FB to capture the names and pictures of people, regardless of their privacy settings?
So you're able to get someone's facebook id and name? How useful is that? It seems about as useful as scraping web pages for random names & numbers. Might as well go to classmates.com and get a list of names there.
name, id, AND full size profile picture
What's interesting is that you can put the id in the url and get their data (example: http://graph.facebook.com/677195182).

I'm not entirely sure about what you could do with this data, but it's there, for anyone to see.

so your name will be published out to the web?

you can set the userid as parameter and you get Mark Zuckerbergs Profile here : http://graph.facebook.com/4

Then you can simple count up to infinite to get the other profiles. The API has a Usage limit and blocks after a while

Anyone knows why they are skipping IDs? Why didn't he pick id=1?
Perhaps those were just tests, and databases use incremental index but don't care if you delete a record.
Winklevoss, Winklevoss, and Narendra? :)
(comment deleted)
It will be interested if anyone ever does a dump of all the data availible
I just realized that if you supply an access token you have access to even more information for record.
Seems that its only more info based on your account. Unless Im missing something.
So bots get some non-standard file for robots.txt.

Guess no one at facebook has noticed the vulnerability exposed with pretty usernames on facebook & ignoring "." in a different framework. (probably just following gmail usernames.)