The Tip of the Facebook Exploit Iceberg


Who's Byron Ng? A total tool, that's who. He's the one who ran a few Google searches and tipped off the Associated Press about a Facebook exploit that's been passing around the 'net for months now. The AP picked up the story and put it in every newspaper under the sun, making him a minor campus celebrity who's now forever disinvited to Facebook Club. It also tipped off Facebook to what was going on, and the company was quick to plug the exploit.

Thanks a lot, man.

But for all the press I've been seeing about this crazy hack that's destroying the privacy of millions--by letting everyone in the world peer into the secret debauchery of important Facebook users like Paris Hilton--I haven't seen a single news story that actually tells you what happened. Or how to even go about "exploiting" Facebook's security issues. For starters, the trick was a lot easier than you might think, requiring very little effort on the "hacking" end of things and a decent amount of know-how on the "ingenuity" side of the equation.

The Setup

First, you had to find the ID number of your target. Facebook assigns each user an individual ID number, perhaps a mistake on the service's part. When you're viewing your own profile, this is the huge string of numerals that comes after the "profile.php?id=" part of the URL. Same deal when you're viewing a friend's profile.

So how, then, do you acquire the ID number of a person who isn't your friend? If they haven't privacy-blocked your ability to see their profile, it's as easy as looking them up using a simple Facebook search and clicking through to the profile. Check the URL, and you'll find the ID number.

If your target has privacy-locked their page, the situation gets a little more complicated. In Paris Hilton's case, she's made it so you can only send her a message if you aren't her friend. But in that, you can pull the ID number. Check out the URL Facebook generates for Ms. Hilton's "send message" link. I'll underline her ID number: ,hilton&fc=0&gc=3613&cl=300&rc=4073&rank=4&friends=0&sns=0&k=400000000010&t=1&u=1118869250&k=400000000010

See? As long as Facebook allows you to interact with a person in some capacity, you can pull their ID number. This even works for people who have blocked you off the service, just as long as you've retained some level of correspondence--say, a Facebook message (use Facebook's Report Message link to pull the ID on this one).

Keep this little trick in mind, because when the next Facebook exploit hits, it'll surely make use of the service's ID numbers as the basis for the hack. In fact, you can already use ID numbers on Facebook applications to see things you shouldn't--for example, any Free Gifts (and accompanying messages) a person has sent to or received from anyone else using the application, regardless of whether you're friends with (or blocking) the original target. Use one of these URLs: [[ID NUMBER]] [[ID NUMBER]]

The Hammer

Once you had the Facebook ID number, the exploit itself was easy enough to navigate. Facebook used to delineate the URLs for photographs as such: [[THE PICTURE'S ID]]

The bracketed portions are the parts that change depending on what you're looking at. The Picture ID is the number Facebook assigns, sequentially, to images uploaded to its service. The subj= ID number is, as the description suggests, the ID number of a person tagged in the particular photo. And the ID number of the album's owner, well... we'll just leave it at that.

Normally, when you click on a "show me more pictures from x" user link, it would look like this: the picture ID would be unique, the subj= part would be the person's ID, and the ID number of the album's owner would populate that field. The Facebook exploit worked as follows: you'd start by entering a random nine-digit number for the picture ID section. You'd use your target's ID number for the "someone tagged in the photo" part, and reuse that same ID for the album's owner section.

This little trick never got you results on the first shot, but that's ok; the point of the URL manipulation was to acquire a correct photo ID. In this case, Facebook would return you an error message saying that the page could not be found, but it would also autocorrect the pid= part to reflect the photograph the target was last tagged in. From there, you'd take the given URL and delete the entire &id= portion, leaving just &subj=####### as the end of the URL. Hit enter, and voila! Instant access to the last photograph the target was tagged in, and access to the entire album of pictures in which that one image resides, whether you're the friend of the individual who created it or not.

An error? Hardly. Seeing this screen meant you were but one step away from private pictures galore!
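For anyone building a photo endpoint, here is the same flaw seen from the server side. This is an added example, not code from the original post and not Facebook's code: the function names, the sample IDs and the internal logic of the weak handler are assumptions that model the behaviour described above, next to a handler that closes both gaps.

```python
# Constructed sample data: user 200 owns the album, shares it only with
# friend 300, and has tagged user 100 in photo 9001.
PHOTOS = {9001: {"owner": 200, "tagged": {100}}}
ALBUM_VIEWERS = {200: {300}}

def last_tagged(subj):
    """Most recent photo id in which `subj` is tagged, or None."""
    pids = [pid for pid, photo in PHOTOS.items() if subj in photo["tagged"]]
    return max(pids) if pids else None

def can_view(viewer, pid):
    """Decision based only on server-side records, never on URL parameters."""
    photo = PHOTOS.get(pid)
    if photo is None:
        return False
    owner = photo["owner"]
    return viewer == owner or viewer in ALBUM_VIEWERS.get(owner, set())

def view_photo_weak(viewer, pid, subj=None, owner=None):
    """Assumed model of the flawed behaviour the article describes."""
    if pid not in PHOTOS:
        # The error response "corrects" pid to a real photo: an identifier leak.
        return {"status": 404, "pid": last_tagged(subj)}
    # The privacy check only runs when the caller supplies the owner parameter.
    if owner is not None and not can_view(viewer, pid):
        return {"status": 403}
    return {"status": 200, "pid": pid}

def view_photo_hardened(viewer, pid, subj=None, owner=None):
    """Always authorise, and answer the same way for missing and forbidden."""
    if not can_view(viewer, pid):
        return {"status": 404}  # no corrected pid, no hint that the photo exists
    return {"status": 200, "pid": pid}
```

The hardened handler ignores `subj` and `owner` when deciding access, so dropping or changing a query parameter cannot change the outcome.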

A similar trick worked to access the last photo the target tagged of him/herself. These tricks didn't exactly break the dam of Facebook privacy, but they did give industrious users--and stalkers--a means to check up on what anyone's doing at any time, only dependent on one's tenacity and zest for URL refreshing. But thanks to Byron, who clearly felt the need to let the world know that He and He alone found this industrious exploit, we will no longer be able to catch up on what our favorite internet celebrities are up to. Sigh.

You, sir, owe the Web 2.0 an apology.


We've done some more research and found a few more Facebook exploits! Hi to all the Digg users who are keeping up with this!

I just sent Paris Hilton a beer.

Anonymously, of course. We're not even friends. I can't see her profile. But the hotel heiress now has a Guinness courtesy of yours truly, just one more example of how certain Facebook applications can be broken with a little ingenuity. Sending Free Gifts to anyone using the application is a fun way to screw with your friends, but it's only the tip of the exploit iceberg that Facebook's applications have opened up. Here's how it works:

First, you need to grab a fun little Firefox extension called Firebug. It opens up web pages to tweaking in a variety of fun, form-intensive methods. Install the Free Gifts application on Facebook and surf on over to the sending page. Select a gift, click Anonymous, and enter the name of one of your friends in the To: field. In two separate windows, surf to Facebook yet again and pull up your friend's profile, as well as some means for finding your target's ID number (as detailed earlier). Remember your friend's Facebook ID number, and surf on back to the Free Gifts sending page.

Right-click on the Send Gift button and click Inspect Element. Then click on the DOM tab at the top of Firebug's little window. Scroll down--you're looking for the To: field. When you find it, you'll see a number. Guess what? That's the Facebook ID number of the person you entered in the To: field! Click on the number and Firebug will open up a large list of other options. Scroll down until you've found the "Value" field--it should be right below the "Type: Hidden" option. Double-click on the ID number and enter the target's Facebook ID in quotes. Hit Enter, then turn your attention to the Free Gifts sending page and hit Send Gift. Blam. One anonymous gift to someone who isn't your friend / has blocked you / whatever.

You'll go blind trying to find it, but your key to Free Gift sending is that little To field that pushes out your recipient's Facebook ID. Replace it with a new target and fire away!
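What an application developer should take from this: a hidden form field is just user input. The following is an added example, not code from the original post or from the Free Gifts application; the function names and sample IDs are assumptions. It puts a handler that trusts the submitted To value beside one that re-checks the recipient against server-side state and records every rejection.

```python
# Constructed sample data (hypothetical IDs, not real accounts).
FRIENDS = {10: {20, 30}}     # sender 10 is friends with users 20 and 30
BLOCKED_BY = {30: {10}}      # user 30 has blocked user 10
REJECTED = []                # (sender, raw_to, reason) tuples kept for review

def send_gift_weak(sender, form):
    # Trusts the hidden "to" value exactly as the browser submitted it.
    return {"ok": True, "to": int(form["to"])}

def send_gift_hardened(sender, form):
    raw = form.get("to")
    try:
        to = int(raw)
    except (TypeError, ValueError):
        return _reject(sender, raw, "malformed recipient")
    # Re-derive who the sender may gift from server-side state on every submit.
    if to not in FRIENDS.get(sender, set()):
        return _reject(sender, raw, "recipient is not a friend")
    if sender in BLOCKED_BY.get(to, set()):
        return _reject(sender, raw, "sender is blocked by recipient")
    return {"ok": True, "to": to}

def _reject(sender, raw, reason):
    # A submitted ID the form could never have offered is worth logging.
    REJECTED.append((sender, raw, reason))
    return {"ok": False, "error": reason}
```

Repeated entries in `REJECTED` for one sender are a cheap signal that someone is editing the form rather than mistyping a name.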

That's just the tip of the iceberg, as I mentioned earlier. The Consumerist has a nice little write-up on other potential exploits, including one that allows you to set the Mood of your friends for them! That said, 2600 ran this information in their Winter Issue, so check that out for even more details! Or just surf on over to one of the original sources of the exploits, the defunct Facebook Application Smashing blog.

While Facebook itself--the service's core functions--is relatively exploit-free, mark my words: these applications will open up a world of open doors for industrious Facebook tricksters. We'll update as we find more fun things to do!
