Application security

Exploring the Facebook API

By Mark Baggett
The Ethical Hacker Challenges are always a lot of fun. They are usually wrapped in a creative and entertaining movie theme (as if hacking something wasn’t entertaining enough) and always present an interesting technical challenge. I always learn something new with each new challenge.
Over the Christmas break I took some time to explore the Facebook API for the Miracle on Thirty-Hack Street Challenge. Here is some of what I learned about the Facebook API. First, lets get an API key.
Obtaining an API key
To develop applications for Facebook you’ll need a API Key. Getting an API key is very easy and only takes about 2 minutes. To obtain your key you need to add the “Developers” application to your facebook account. You can do this by logging in with your Facebook account at the url http://www.facebook.com/developers/. From there you create an application by clicking “Set up New Application”, picking an application name and agreeing to the terms of use. You are then assigned an API key and a Secret key. If you are developing with an offline script such as python or perl then under your application’s “Advanced Settings” set your application up as a “Desktop” application. Then, armed with your API and Secret key, you are ready to get started.
Start Coding
While there are various options available I really only want the ability to query facebook data using FQL. FQL or “Facebook Query Language” is a very SQL like query language that allows you to extract data from Facebook. Perl’s WWW::Facebook::FQL libraries are pretty simple to use and should provide the functionality I need. After installing the require perl modules I threw together a small perl script that allows me to do FQL queries from the command line.
To use this script you’ll need to plug in your own API Key, Secret, Username and Password. The username and password that you provide in the script will be used to do the data mining and determines what access you have to the target’s data. Here is my very simple script:
use WWW::Facebook::FQL;
## Connect and log in:
## Key is the Application Key obtained from your facebook profile by adding the “DEVELOPER” app and creating an application.
## Private is the “Secret” from that same application
my $fb = new WWW::Facebook::FQL key => ‘API KEY HERE’, private => ‘API SECRET KEY HERE’;
## This is the account we will use to do the data mining. The more connections you have to the target (Friend, Friend of Friend, Networks, etc) the more information you will have access to.
$fb->login(‘facebook login name’, ‘facebook password’);
#if User passed XML or JSON (or garbage) as the 2nd parameter set the format type to that
if ($ARGV[1]) {$fb->format = $ARGV[1]};
## Do a query and print the results:
print $fb->query($ARGV[0]);
## Release session
$fb->logout;

Using this script we can execute FQL queries from the command line like this:
[email protected]:~$ perl fql.pl “Select name from user where uid= “target facebook ID #”
This will return an XML response containing the users NAME for the targeted Facebook ID #. You can determine a targets Facebook ID # by looking at the web interface and simply hovering over a wall post or a picture. If the URL is something like this…. http://www.facebook.com/profile.php?id=11223344556677 then their ID would be 11223344556677. Since we can issue FQL commands from the command line we can do a little more advanced stuff like download all the users photos with a single command:
[email protected]:~$ for i in `perl fql.pl “Select src_big from photo where aid IN (SELECT aid FROM album WHERE owner=facebookID#)”| grep “src_big” | cut -d “>” -f2 | cut -d “<" -f1`; do curl -C - -O "$i"; done Or display all data available on the account in the user table like this... [email protected]:~$ perl fql.pl "select uid, first_name, last_name, name, pic_small, pic_big , pic_square, pic, affiliations, profile_update_time, timezone, religion, birthday, birthday_date, sex, hometown_location, relationship_status, significant_other_id, political, current_location, interests, is_app_user, music, tv, books, about_me, education_history, work_history, notes_count , wall_count, status, is_app_user, online_presence, locale, proxied_email, profile_url, pic_small_with_logo, allowed_restrictions, profile_blurb, family from user where uid="facebookID#" Or dump all photo albums... [email protected]:~$ perl fql.pl "select aid, owner, cover_pid, name, created, modified, description, location, size, link, visible, modified_major, edit_link, type, object_id from album where owner=facebookID#" Or if for some reason we needed to extract the notes fields from an account and try every word in the notes as a password to a PGP encrypted PDF we could do something like this... [email protected]:~$ for i in `perl fql.pl "Select content from note where uid= 100000565751882"`; do echo "$i" | gpg --passphrase-fd 0 --decrypt JudgeHenryLetter.pdf.gpg && echo "$i is the password" ; done (If you missed it, that one line solves the Christmas Ethical Hackers Challenge) A full list of all the Facebook tables and fields is available here.
Now, you can not simply use this to pull any data you want from a Facebook account. The information returned depends upon the permission granted by the user to the account used in your script. Users who share information with “EVERYONE” allow you to use this script and retrieve all their data. Granting access to “EVERYONE” is most often the default for data posted to Facebook accounts so the script will most likely returns pretty good results. Users may have changed the defaults and only granted access to “Friends” or “Friend of a Friend”. In those cases, you would need to have the target OR the friend of the target to accept your friend request. The Facebook API will return the data based upon the permissions of the data element itself and not the data element’s container object. So, if a user restricts access to the “NOTES” tab in Facebook to “ONLY FRIENDS” but a notes entry is set to allow access to “EVERYONE” then the note will NOT be accessible through the Web Interface, but it will be accessible via the API. Also, in some circumstances anonymous unauthenticated users can access photo’s from a users account even when the photo object has permissions set to “Only Friends”. More on that to come later. Of course, none of this should be used to violate anyones privacy or in violation of Facebook’s terms of use.
Thanks to Ed and Kevin for all their work putting together the challenge. I always learn something new with every Ethical Hacker Challenge. Congratulations to all the other winners and honorable mentions. It looks like several people did some really awesome work and I don’t envy Ed and Kevin’s job in sorting through all the entries to choose a winner. But, I do appreciate the choice they made. :)
Eugenio Delfa made this AWESOME video and wrote some great Python scripts to do Facebook extracts. I found a copy of his scripts here. His scripts are great and I will probably use them rather than my own in the future.
JOIN MARK BAGGETT FOR SANS 504 IN RALEIGH NC JUNE 21-26 CLICK HERE TO SIGN UP

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.