I started playing with this new api today. My room mate and I spent an hour with various privacy settings and it does not appear there is any way to prevent your account from being accessed via this.
That is because the info that is available at http://graph.facebook.com/name is <= the info that is available at http://facebook.com/name . What part of your account are you trying to stop from being accessed? This makes no sense.
My “graph” link is public, but my “public page” link is not. It might be because I don’t allow my profile to appear in public searches (non logged in), but still they made it visible to anyone in the graph API. I hope they add a privacy setting to change this.
I don't like the fact that Facebook makes any of my data available and doesn't provide me options to make it private at will. I have my privacy settings turned all the way up for everything. Perhaps I, and others, simply would like to not have any of our data available in this manner.
I'm not seeing an issue here though -- that profile information was readily available in html (if you have a facebook cookie) and is now even more accessible via json.
In fact, the json api gives out less information than the html frontend (e.g. all 18 pages you currently follow).
Like he said, the discrepancy is when you are not logged in. I can see his info and his private profile pic although I don't even have a facebook account and the html version gives me a 404.
So you're able to get someone's facebook id and name? How useful is that? It seems about as useful as scraping web pages for random names & numbers. Might as well go to classmates.com and get a list of names there.
So bots get some non-standard file for robots.txt.
Guess no one at facebook has noticed the vulnerability exposed with pretty usernames on facebook & ignoring "." in a different framework. (probably just following gmail usernames.)
43 comments
[ 3.2 ms ] story [ 109 ms ] threadhttp://graph.facebook.com/robot.stxt http://graph.facebook.com/r.o.b.o.t.s.t.x.t
This guy's actual short-URL is "robotstxt."
hxxp://graph.facebook.com/-----r.-o....b....o-t-s-t....x....t----....///////////___%%20%22/test/robots
will still output the same result as http://graph.facebook.com/robotstxt
http://graph.facebook.com/sitemap.xml
[edit: added another one]
If you're not logged in, my URL returns a 404: http://www.facebook.com/davetufts (or by ID: http://www.facebook.com/profile.php?id=603069147 )
Not a huge deal, because the graph page only shows my name and ID, but they are publicly accessible: http://graph.facebook.com/davetufts or http://graph.facebook.com/603069147
I'm not seeing a discrepancy here?
In fact, the json api gives out less information than the html frontend (e.g. all 18 pages you currently follow).
I'm not entirely sure about what you could do with this data, but it's there, for anyone to see.
you can set the userid as parameter and you get Mark Zuckerbergs Profile here : http://graph.facebook.com/4
Then you can simple count up to infinite to get the other profiles. The API has a Usage limit and blocks after a while
http://developers.facebook.com/docs/api
Guess no one at facebook has noticed the vulnerability exposed with pretty usernames on facebook & ignoring "." in a different framework. (probably just following gmail usernames.)
{ "error": { "type": "QueryParseException", "message": "Some of the aliases you requested do not exist: laden" } }