(1) Using the Graph API, anyone can go to http://graph.facebook.com/#{user_id} and find the basic information about each person on Facebook.
(2) Then, using the same API you can gain access to that user's profile photo, regardless of their settings: http://graph.facebook.com/#{user_id}/picture?type=large
What does that mean?
Although time-consuming, anyone could in principle iterate through the full range of Facebook user IDs and, by matching names to photos, locate the IDs of targeted users. Can the bad guys do anything with those IDs once acquired? Let's hope not, but I wouldn't want to find out.
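As an added example that is not part of the original post, here is the kind of detection logic a service operator could run over access logs to spot an ID walk like the one described above; the log format, client addresses and user IDs are all constructed for illustration:

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic): 10.0.0.5 walks
# consecutive numeric user IDs through the two endpoints the post describes,
# while 10.0.0.9 makes a few unrelated lookups.
SAMPLE_LOG = """\
10.0.0.5 GET /100001 200
10.0.0.5 GET /100001/picture?type=large 200
10.0.0.5 GET /100002 200
10.0.0.5 GET /100003 200
10.0.0.5 GET /100003/picture?type=large 200
10.0.0.5 GET /100004 200
10.0.0.5 GET /100005 200
10.0.0.5 GET /100006 200
10.0.0.9 GET /100001 200
10.0.0.9 GET /200321/picture?type=large 200
10.0.0.9 GET /me 200
"""

# A request for a numeric profile ID, with or without the /picture suffix.
ID_REQUEST = re.compile(r"^(\S+) GET /(\d+)(?:/picture\S*)? \d+$")

def ids_per_client(log_text):
    """Map each client address to the set of distinct numeric IDs it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = ID_REQUEST.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return seen

def enumeration_suspects(log_text, min_ids=5, min_sequential_ratio=0.8):
    """Return clients that requested many distinct IDs, mostly consecutive ones.
    Consecutive steps (id, id+1) are the signature of an ID walk; a client that
    looks up a handful of unrelated IDs stays below the threshold."""
    suspects = {}
    for client, ids in ids_per_client(log_text).items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        steps = [b - a == 1 for a, b in zip(ordered, ordered[1:])]
        ratio = sum(steps) / len(steps)
        if ratio >= min_sequential_ratio:
            suspects[client] = {"distinct_ids": len(ids), "sequential_ratio": ratio}
    return suspects

if __name__ == "__main__":
    for client, stats in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{client}: {stats['distinct_ids']} IDs, {stats['sequential_ratio']:.0%} sequential")
```

The thresholds are assumptions to tune per service; the point is that a walk through consecutive IDs is easy to distinguish from normal profile lookups.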