tmacuk

Facebook API changes

by tmac on Apr.25, 2010, under Projects

Since watching the keynote speech by Mark Zuckerberg last week, I have been really interested in new concepts for abusing the Facebook API.

My interest in the API all started at the beginning of TRACsec when Arron Finnon did a tech segment on this very subject. I was astounded by what you could do with an application that Facebook themselves have created and it drew me into writing a report for University on the subject. If you wish to read the report, leave me a comment.

So these new changes, what have they added? Well, first of all everything is becoming more “open” (excuse the pun). Open Graph has been released and has made API abuse a lot easier. By simply typing in http://graph.facebook.com/(username or ID) you can get information on that account. You can then add directories onto the end of this, for example http://graph.facebook.com/(username or ID)/friends, and if they have the right privacy setting/if you have an API key you can start enumerating people’s friends etc. – there are a bunch of other calls that you can do too, just search Google for them, they are there.

One thing that Facebook had when I first started messing about with the API was the rule that you couldn’t hold any information for more than 24 hours. Well, this rule has been dropped. So officially, although there is probably some extra rule against this, you can get information on people using the API and then store that information for future use. “What would you want to use the information for?” a lot of people say to me, or “So what, you can get my name.” What some people don’t know is that I used to work in sales at CPP in York. Here I was one of the top agents selling identity theft protection insurance, and if I had known about this back then I would have used these techniques to tell my customers about what criminals can do to gather information.

Along with Open Graph you also have all the compatibilities with other websites across the internet. Imagine your personal Facebook page is interacting with countless websites, maybe even without you knowing, if you save your credentials in the browser. For example, if you have your Facebook page open to the Open Graph and new features, you could be sending out your personal details and friends etc. to this webpage.

Do you want to see what information you are giving out through Facebook? Take a look here: http://zesty.ca/facebook/

Scary, isn’t it? I must admit that most of what I have said here is not very technical but is coming from the eyes of someone who likes to have their privacy online. For a more technical insight into Facebook, take a look here: http://theharmonyguy.com/

Cheers,

Thomas Mackenzie

