In the early days of Facebook, including an apostrophe or quote in a search string would cause a SQL error. That error is the classic sign that user input was being pasted straight into the query text, which exposed Facebook to a SQL injection vulnerability, a common hack against dynamic websites driven by SQL databases, usually coded in PHP, and frequently the result of a single developer coding the system from the ground up, as Facebook was.
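The apostrophe symptom described above, reproduced as an added example (not code from the original post or from Facebook): a search built by string concatenation breaks on a name containing a quote, while the same search with a bound parameter handles it correctly. The table and names are constructed for the example, using SQLite in place of whatever database the site ran on.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table standing in for a profile search index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("Mark Zuckerberg",), ("Conor O'Brien",), ("Ada Lovelace",)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """String-concatenated query: an apostrophe in `term` closes the SQL literal early,
    so the rest of the input is parsed as SQL. This is the bug class described above."""
    sql = "SELECT name FROM users WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Bound parameter: the driver passes `term` as data, never as SQL text,
    so quotes in the input cannot change the query's structure."""
    sql = "SELECT name FROM users WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def apostrophe_breaks_vulnerable(conn):
    """True when the concatenated query fails on a quoted name, the visible symptom
    that a site is exposed to injection."""
    try:
        search_vulnerable(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("concatenated query errors on apostrophe:", apostrophe_breaks_vulnerable(db))
    print("parameterized search:", search_parameterized(db, "O'Brien"))
```

The defender's check is simple: if a single quote in any input field produces a database error page, the query is being assembled as text and needs to be rewritten with placeholders as in `search_parameterized`.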
Then, when Facebook first implemented a text-to-image converter for pieces of sensitive data, namely email addresses, they failed to properly implement the special value associated with each image, named the “key”. Presumably this was meant as some type of security mechanism to prevent unauthorized requests. Except that although each image was requested with some “key” field when a Facebook profile was loaded, the “key” field really didn’t matter: the server never checked it. Hence, it became possible to automatically retrieve email addresses from Facebook profiles provided you could guess a correct user number. This is actually very easy since the numbers are issued generally in numerical order, with different prefixes for different networks – and each network also has a profile for “The Creator”, whether it appears in search or not, whose profile number generally ends with zeroes and a trailing 1. Anyway, within a day or two of discovering they were being harvested for data, the site was suddenly rolled back to an old version of the code, without the text-to-image generator, and email addresses were printed in text yet again. Of course they eventually fixed the “key” field implementation and proceeded with this new feature. However, this too proved to be futile, as programs like Facebook Downloader (no longer available) and Profilicious ($7.95) demonstrated that using OCR features of the .NET 2.0 libraries it is possible to extract text from the images which contain email addresses on Facebook.
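The “key” mistake above, shown from the server side as an added example that is not Facebook's code: a handler that accepts the key but never verifies it, next to one that issues an HMAC-bound key, verifies it in constant time, and still applies the normal privacy check. The secret, user numbers, emails and friend table are constructed for the example; the point is that the key only proves the page issued the request and is no substitute for authorization, and that rendering the address as an image is obfuscation rather than access control (hence the OCR workaround the post mentions).

```python
import hashlib
import hmac

# Assumed server-side secret for the example; a real deployment loads it from
# configuration and never hard-codes it.
SERVER_SECRET = b"constructed-example-secret"

# Constructed sample data: user number -> email address, standing in for the profile store.
PROFILES = {100000001: "alice@example.com", 100000002: "bob@example.com"}

# Constructed friendship table for the privacy check.
FRIENDS = {(100000001, 100000002)}


def issue_key(viewer_id, target_id):
    """Key embedded in the profile page next to the email image. It binds the viewer,
    the target profile and the resource type, so a key minted for one profile cannot
    be reused against a guessed user number."""
    msg = f"{viewer_id}:{target_id}:email-image".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def serve_email_image_broken(target_id, key):
    """The flaw described above: the key parameter is accepted but never checked,
    so any sequential user number returns that user's address."""
    return PROFILES.get(target_id)


def friends_only(viewer_id, target_id):
    """Ordinary privacy rule: you may see your own address or a friend's."""
    return (viewer_id == target_id
            or (viewer_id, target_id) in FRIENDS
            or (target_id, viewer_id) in FRIENDS)


def serve_email_image_fixed(viewer_id, target_id, key, can_view=friends_only):
    """Verify the key in constant time, then apply the privacy check anyway.
    Returns the address to render, or None when the request is rejected."""
    expected = issue_key(viewer_id, target_id)
    if not hmac.compare_digest(expected, key):
        return None
    if not can_view(viewer_id, target_id):
        return None
    return PROFILES.get(target_id)


if __name__ == "__main__":
    k = issue_key(100000001, 100000002)
    print("broken handler, junk key:", serve_email_image_broken(100000002, "junk"))
    print("fixed handler, valid key:", serve_email_image_fixed(100000001, 100000002, k))
    print("fixed handler, junk key:", serve_email_image_fixed(100000001, 100000002, "junk"))
```

On the detection side, the harvesting pattern the post describes shows up in access logs as one session requesting the image endpoint for a long run of consecutive user numbers; a per-session rate limit on that endpoint is a cheap second control even once the key is verified.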
Since the early days, when Facebook information security was virtually non-existent, it has matured quite a bit. Now the developers at Facebook are so confident in the platform that they’ve unleashed a Facebook API into the world. Other applications will be able to interface with the Facebook Platform and post and retrieve data from Facebook. The API’s query language is a bit like SQL. Knowledge of a scripting language and of APIs in general is encouraged for readers interested in this aspect of the Facebook Developer Tools.
Facebook clearly realizes people want to access the massive amounts of data they store — an amount so vast and complex that the company would command something close to $2 billion if it were to be acquired. But now, hacking Facebook will more often mean something cool built around the Facebook Platform. Also, Facebook figures this makes Myspace look totally 1997. Myspace today resembles many early WWW pages: back then pages had things like the animated construction worker letting you know things were “under construction”, whereas today animated glitter text is used to induce seizures.
Now take this idea and kick it around: with an appropriate API to the data, a program could be created that would synchronize a person’s Facebook friends’ data to a Microsoft Outlook contact list, and then also to an iPod‘s contact list. But facebooking on an iPod seems a bit intense – the information carried over doesn’t have to be that in-depth. It would be most useful (to me, at least) as a way to keep an up-to-date list of friends’ birthdays, phone numbers, and email addresses.
In order to do this, the script would only have to link to the Facebook API, list a person’s friends, and request the data for each of the friends. Then that data can be exported into vCard format or an Outlook CSV and imported to Outlook. Then, since the iTunes contact feature can synchronize with Outlook, the iPod’s data would then be fed from the imported Facebook contacts.
I coded this, basically, but hit a few issues. Most importantly, the Facebook Platform doesn’t let developers access email addresses or phone numbers (weak!). So there goes the most important part of this. But then also, Outlook apparently doesn’t support automatic importing of a contact’s photo, despite that the vCard format natively supports embedded photos. So photos would have to also be manually imported for each contact.
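The export half of the plan above (list friends, fetch each friend's details, write vCard and Outlook CSV), as an added example that is not the script the post describes: the friend records are constructed inline in the shape such a loop would produce, the Outlook column names are an assumption about its import mapping, and the vCard writer embeds a photo as base64 to show that the format carries it even though, as noted, Outlook would not import it automatically. Email and phone appear only to illustrate the format; the post notes the platform did not expose them.

```python
import base64
import csv
import io

# Constructed sample friend records. photo_jpeg holds raw image bytes (a stub here).
FRIENDS = [
    {"name": "Ada Lovelace", "birthday": "1815-12-10", "phone": "+1-555-0100",
     "email": "ada@example.com", "photo_jpeg": b"\xff\xd8\xff\xe0constructed"},
    {"name": "Bob Example", "birthday": "", "phone": "", "email": "bob@example.com",
     "photo_jpeg": None},
]


def escape_vcard(value):
    """Escape the characters vCard 3.0 treats specially inside a property value."""
    return (value.replace("\\", "\\\\").replace(";", "\\;")
                 .replace(",", "\\,").replace("\n", "\\n"))


def fold(line, limit=75):
    """RFC 2426 line folding: long lines continue on the next line after a single space."""
    out = []
    while len(line) > limit:
        out.append(line[:limit])
        line = " " + line[limit:]
    out.append(line)
    return "\r\n".join(out)


def to_vcard(friend):
    """One vCard 3.0 record; optional fields are omitted rather than written empty."""
    parts = friend["name"].split()
    family, given = parts[-1], " ".join(parts[:-1])
    props = [
        "BEGIN:VCARD",
        "VERSION:3.0",
        "N:" + escape_vcard(family) + ";" + escape_vcard(given) + ";;;",
        "FN:" + escape_vcard(friend["name"]),
    ]
    if friend.get("birthday"):
        props.append("BDAY:" + friend["birthday"])
    if friend.get("phone"):
        props.append("TEL;TYPE=CELL:" + friend["phone"])
    if friend.get("email"):
        props.append("EMAIL;TYPE=INTERNET:" + friend["email"])
    if friend.get("photo_jpeg"):
        # Inline photo: base64 in the PHOTO property, folded to the 75-octet limit.
        b64 = base64.b64encode(friend["photo_jpeg"]).decode("ascii")
        props.append(fold("PHOTO;ENCODING=b;TYPE=JPEG:" + b64))
    props.append("END:VCARD")
    return "\r\n".join(props) + "\r\n"


def export_vcf(friends):
    """A single .vcf file holding every friend, ready to drag into a contacts app."""
    return "".join(to_vcard(f) for f in friends)


def export_outlook_csv(friends):
    """CSV with an Outlook-style header row (column names assumed); no photo column exists."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["First Name", "Last Name", "E-mail Address", "Mobile Phone", "Birthday"])
    for f in friends:
        parts = f["name"].split()
        w.writerow([" ".join(parts[:-1]), parts[-1],
                    f.get("email", ""), f.get("phone", ""), f.get("birthday", "")])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_vcf(FRIENDS))
    print(export_outlook_csv(FRIENDS))
```

Because the vCard side can carry the photo and the CSV side cannot, the practical workflow is the one the post lands on: import contact details via whichever format Outlook maps cleanly, and expect the photos to need manual handling.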
In summary, this won’t happen any time soon through the Developer Platform. However, if you think it would be cool or useful to have your Outlook and iPod contact lists synchronized — with photos of friends, emails, and phone numbers included — drop a line to Facebook and let them know you’d like such an export feature. Also, though I did mention Profilicious earlier, using it is both sketchy (since you give your Facebook login to someone else) and a violation of the Facebook TOS (obviously), not to mention that $7.95 is a little steep for that service.
As an aside, in closing, a lot of people find this site looking for “hacking Facebook”. Unfortunately or fortunately, depending on how you look at it, lots of other people have that same idea (both hacking Facebook, and Google searching for a step-by-step instruction manual on hacking Facebook). This has the effect of both revealing ways to hack Facebook, and ensuring that Facebook is more aware of threats. Today Facebook takes many more steps to ensure information security than they ever did in the past. But some little tricks are still possible. For example – and, get excited – the new “Facebook Gift” system can actually be used to give “secret” gifts that aren’t publicly available (wow, I know, this is huge).
However, I won’t say exactly how it’s possible, with step-by-step instructions. If you’re interested in hacking around with websites, you might want to download Web Developer Tools for Firefox (assuming you already have Firefox, and if you don’t, you should get it). I don’t know if every webmaster, web developer, or hacker has the same feeling as I do, but for me using Developer Tools for Firefox can be like giving web servers LSD. Anyway, all I’ll say about the gifts is, here’s how I got to the Gift Shop — it might not be the same way you get there.
http://www.facebook.com/giftshop.php?ref=0-0-1-1b&page=1
Update: Facebook developers contacted me about this and have since fixed the trick illustrated above. Try similar hacks on other sites for interesting results!
2 responses so far
1 Keizo // Mar 3, 2007 at 11:37 pm
eh, you should turn on full text in the rss. 🙂
I think I have the web dev tools, but never use it. I don’t do the same kind of stuff as you though. I have used Firebug a lot for debugging CSS recently.
BTW, I’ll be at Stratton on Monday if you are in the area and want to snowboard.
2 Ross Dargan // Jul 24, 2007 at 11:47 am
I managed to write an application which exports your contacts photos and syncs them to Outlook – feel free to take a peek at it here: http://ross.dargan.googlepages.com Let me know how you get on with it!