Here are answers to some common questions about the
Facebook API Browser. For details on the exposure of users' event lists, which appears to now have been fixed, see a
previous post.
About the Facebook Graph API and the Facebook API Browser
What is the Facebook Graph API?
It's a new service provided by Facebook that lets computer programs get information from Facebook.
What kind of information does the Facebook Graph API provide?
Please see
Facebook's developer documentation, which describes all the different kinds of requests that the API will answer.
What is the Facebook API Browser?
The Facebook API Browser is a tool to let you ask the Facebook Graph API for information and see the replies. This tool was created by me, not by Facebook.
Is it designed to exploit vulnerabilities in the Facebook Graph API?
No. The Facebook API Browser makes normal requests to the Facebook Graph API, exactly as recommended and documented on
Facebook's developer website.
Why did you create it?
I'm a Facebook user. When I heard about the new API, I was curious to know what information it exposes about me. I realized that there wasn't an easy way for users of the regular Facebook website to see what the API publishes about them, and that other users might also want to know that too.
Did Google ask you to do this?
No. I work at Google, but this has nothing to do with my work for them.
Using the Facebook API Browser
How do I use it?
There are two boxes you can type into, similar to the two boxes in most web browsers, and the reply from the Facebook server is shown below them.
The box on the left is a location box; it shows what was just requested. The box on the right is a search box.
In the location box, you can enter any Facebook ID. Everything on Facebook has a numeric ID - every user, every page, every group, and so on. For example, Mark Zuckerberg's ID is 4, and The Church of the Flying Spaghetti Monster has an ID of 9835354795. In addition, users can also have aliases - for example, Mark Zuckerberg's alias is "zuck", so if you enter "zuck", it will be just as though you entered "4".
In the search box, you can enter any keywords, including names or e-mail addresses. When you point at the "Find" button, you'll get a selection of buttons that you can choose to search for users, posts, events, groups, or pages. Each kind of search can turn up different results.
Who can see the information that it shows me?
Anyone. The Facebook API Browser does not use your password or identity or any special privileges to get the information that it shows you. So, anything you see in the results is available to the public through the Facebook Graph API.
What's the difference between the blue and red links?
The replies from the Facebook server contain links that you can click to explore further. The blue links point to regular web pages, on Facebook and elsewhere. The red links make further API requests, and will load up more information in the Facebook API Browser. Just like the Back and Forward buttons in your regular web browser, the ◀ and ▶ buttons to the left of the location box will step back and forward in the history of API replies that you've viewed.
If I see "(empty)", does that mean my information is private?
It means that the Facebook Graph API has nothing to show to an unconnected member of the public. However, Facebook users that are friends with you, friends of your friends, or in the same network as you, as well as Facebook applications that you use or websites that you have authorized, may have access to more of your Facebook information than you see in the Facebook API Browser. Also, there are other ways, aside from the Facebook Graph API, to obtain information about your Facebook account - for example, other users can see your list of friends on the website, even though your friends list is not available through this API.
If I see "error", does that mean my information is private?
There are few different kinds of errors you might see:
"Some of the aliases you requested do not exist"
The text entered in the location box isn't a Facebook ID or user alias.
"Invalid OAuth access token" or "Error processing access token"
Try reloading the Facebook API Browser.
"Can't lookup all friends" or "You can only access ... for the current user"
The Facebook API is not allowing you to see the information.
Remember that just because the API hides information from an unconnected member of the public, that doesn't mean it hides the information from your friends or applications. And even if the API hides a particular kind of information, there might still be some other way to get it.
How it works
Do you log requests to the Facebook API Browser?
When you load the page, your browser requests the page from my web server, and that request is logged. But after that, whatever you enter in the location box or search box is not logged by my server. In fact, it never reaches my server; the API requests go directly from your browser to Facebook.
Does your server see the information that is displayed to me?
No. That information is coming directly from Facebook to your browser. The Facebook API Browser is a JavaScript program; it runs in your browser and communicates only with Facebook, not with my server.
How do you know that the information it shows is available to anyone?
Most requests to the Facebook Graph API require an access token, which corresponds to a Facebook user and allows a program to act with the privileges of that user. For the Facebook API Browser, I created a dummy Facebook account that has no friends and no connections to anything. The Facebook API Browser then uses an access token representing this user to ask for information.
Can I see the source code?
Certainly! Just look at the source of the
page. It's all there, and it's open source under the GNU General Public License.
About the exposure of Facebook events
What's this I heard about Facebook publishing my events?
The Facebook API Browser went up on Friday, April 23, and people started playing with it. Shortly thereafter, a few people discovered that clicking the /events link on a user profile sometimes exposed a list of events that the user was attending. Clicking on these events would then reveal the location and sometimes the address of each event, and the names of the other people invited and attending. See a
previous post for screenshots and more details about the problem.
Who was affected?
This list was not revealed for all users, though it was revealed at least for myself and for Mark Zuckerberg, the founder of Facebook. No one seems to know why some users were affected and others weren't.
Is the Facebook Graph API still publishing this information?
It doesn't look like this is happening anymore. Sometime on Monday, April 26, the Facebook Graph API stopped returning lists of events for me and for Mark Zuckerberg, and no one has reported being able to get a list of events for any user since then.
So my events are private now?
Not necessarily. The information about the event itself is controlled by a privacy setting on the event. If the event is "Open", then anyone who can find the event can see the event's description, location, and the names of all the people invited or attending. So, yes, it looks like unconnected members of the public can no longer find events by looking at your list of events, but they can still find open events by searching for them, and then see the details of those events.
Also, when you authorize and use a Facebook application, the application gains access to all of your information, including your list of events.
Your thoughts? More questions?
Please use the comment area below to post your feedback and questions. I'll try to keep this post updated with answers to common questions.