With the recent news fresh on everyone’s mind about Cambridge Analytica, Facebook has come under fire for earlier bugs in their system. If a third party app was installed into your Facebook account, that app had access to all of your friends as well.
There’s not much you can do with a name alone, but if there was a room full of people actively parsing OSINT for names, you’d find much more interesting data.
So today, I will demonstrate what Facebook did previously, how they fixed the issue, and other ways the Facebook API could be abused.
Facebook API Explorer
There is a tool Facebook developed, called the “Explorer”, which is a simple way to manually make HTTP requests.
The Explorer lives here: https://developers.facebook.com/tools/explorer/
The tool allows you access to data on Facebook that otherwise isn’t seen. For example, if you put your friend’s profile id into the Explorer, you can see over 100 different types of data about your friend. The data types range from age, location, occupation, groups, and interests to every other piece of data Facebook allows you to fill out; all of it is accessible through the API.
When you develop a Facebook “App” and prompt the user with a permission screen, you used to be able to check “allow_friends_information”, or something of that nature. This permission would enable the app to access the user’s friends list. The exponential growth potential wasn’t infinite, but the grounds for massive gains were set with the Cambridge Analytica apps.
And even more recently, a public Facebook page like the Washington Post could be mined. For example, if the Washington Post posted a story onto Facebook that had 100 likes, you could get basic information on each person who liked the post. So based on who liked what story, you could start to map names to political ideology, and deliver targeted ads at those people.
Here’s what the “posts API endpoint” looks like for the Washington Post Facebook Page.
Before, you would be able to access the people who liked a story, in list format like below.
Now, they have made that information inaccessible. Look at this Stack Overflow excerpt showing an exact reversal of this feature. Note the labels “Original Answer” and “Update”.
This shows how at one point this information was accessible, and then it wasn’t.
The answer went from “Yes, this is totally possible” to “it’s no longer possible”.
So Facebook has clearly tightened lots of loopholes, but still, lots of information is available and accessible through the Facebook API Explorer. As a matter of fact, here’s a whole book dedicated to data mining the APIs of not only Facebook, but Twitter, Reddit, and many more. If you are interested in learning more about how you can harness the power of data analytics, click the book below, and you will probably end up within the top 10% in the field, if you read every page and understand every concept.