Data Hacking With Facebook Explorer


With the recent news about Cambridge Analytica fresh on everyone’s mind, Facebook has come under fire for earlier bugs in their system. If a third-party app was installed into your Facebook account, that app had access to all of your friends as well.

There’s not much you can do with a name alone, but if there were a room full of people actively parsing OSINT for names, you’d find much more interesting data.

So today, I will demonstrate what Facebook did previously, how they fixed the issue, and other ways the Facebook API could be abused.

Facebook API Explorer

There is a tool Facebook developed, called the “Explorer”, which is a simple way to manually make HTTP requests.

The Explorer lives here:

The tool gives you access to data on Facebook that otherwise isn’t seen. For example, if you put your friend’s profile ID into the Explorer, you can see over 100 different types of data about your friend. The data types include age, location, occupation, groups, and interests; every other piece of data Facebook allows you to fill out is accessible through the API as well.

Loose Permissions

When you develop a Facebook “App” and prompt the user with a permission screen, you used to be able to check “allow_friends_information”, or something of that nature. This permission would enable the app to access the user’s friends list. The exponential growth potential wasn’t infinite, but it laid the groundwork for massive gains, as with the Cambridge Analytica apps.

Recent Findings

And even more recently, a public Facebook page like the Washington Post’s could be mined. For example, if the Washington Post posted a story onto Facebook that had 100 likes, you could get basic information on each person who liked the post. So based on who liked what story, you could start to map names to political ideology and deliver targeted ads to those people.

Here’s what the “posts API endpoint” looks like for the Washington Post Facebook Page.

[Screenshot: Washington Post’s Facebook post feed]

Before, you would be able to access the people who liked a story, in list format like below.

[Screenshot: Facebook API response; list cut off for privacy reasons]

Now, they have made that information inaccessible. Look at this Stack Overflow excerpt showing an exact reversal of this feature. Note the labels “Original Answer” and “Update”.

[Screenshot: Stack Overflow excerpt]

This shows how, at one point, this information was accessible, and then it wasn’t.

The answer went from “Yes, this is totally possible” to “it’s no longer possible”.

In conclusion

So Facebook has clearly tightened lots of loopholes, but still, lots of information is available and accessible through the Facebook API Explorer. As a matter of fact, here’s a whole book dedicated to data mining the APIs of not only Facebook, but Twitter, Reddit, and many more. If you are interested in learning more about how you can harness the power of data analytics, click the book below, and you will probably be within the top 10% in the field if you read every page and understand every concept.
