Hacker News new | past | comments | ask | show | jobs | submit login
Facebook Graph API robots.txt (facebook.com)
109 points by knorby on April 23, 2010 | hide | past | favorite | 38 comments



It appears you can put a period anywhere within the ID after the initial "/" and it works:

http://graph.facebook.com/robot.stxt http://graph.facebook.com/r.o.b.o.t.s.t.x.t

This guy's actual short-URL is "robotstxt."


It's not just periods. They're filtering out certain characters [.,-]

hxxp://graph.facebook.com/-----r.-o....b....o-t-s-t....x....t----....///////////___%%20%22/test/robots

will still output the same result as http://graph.facebook.com/robotstxt


This is the sort of thing that leads to exploits.


I started playing with this new api today. My room mate and I spent an hour with various privacy settings and it does not appear there is any way to prevent your account from being accessed via this.


That is because the info that is available at http://graph.facebook.com/name is <= the info that is available at http://facebook.com/name . What part of your account are you trying to stop from being accessed? This makes no sense.


I set my profile to private. I turned off "Public Search Results" and "Facebook Search Results" is set to "Only Friends".

If you're not logged in, my URL returns a 404: http://www.facebook.com/davetufts (or by ID: http://www.facebook.com/profile.php?id=603069147 )

Not a huge deal, because the graph page only shows my name and ID, but they are publicly accessible: http://graph.facebook.com/davetufts or http://graph.facebook.com/603069147


Appending /picture?type=large to your graph page works, too. Uh, oh...


I can see the following as a logged-in facebook user, which is identical to what the graph api returns: http://imgur.com/8y8hf.png

I'm not seeing a discrepancy here?


Like I said, the discrepancy is if you're NOT logged in.


I'm not seeing an issue here though -- that profile information was readily available in html (if you have a facebook cookie) and is now even more accessible via json.

In fact, the json api gives out less information than the html frontend (e.g. all 18 pages you currently follow).


Like he said, the discrepancy is when you are not logged in. I can see his info and his private profile pic although I don't even have a facebook account and the html version gives me a 404.


It's not a big deal, anyone could make a throwaway FB account and see the same data. The difference is almost immeasurable.


You don't think its a big deal that I can crawl FB to capture the names and pictures of people, regardless of their privacy settings?


I don't like the fact that Facebook makes any of my data available and doesn't provide me options to make it private at will. I have my privacy settings turned all the way up for everything. Perhaps I, and others, simply would like to not have any of our data available in this manner.


I agree with you. As of now, your only option is to not use fb.


That's good advice. For anyone interested in taking it, see "How to permanently delete your Facebook account": http://www.facebook.com/group.php?gid=16929680703


My “graph” link is public, but my “public page” link is not. It might be because I don’t allow my profile to appear in public searches (non logged in), but still they made it visible to anyone in the graph API. I hope they add a privacy setting to change this.


So you're able to get someone's facebook id and name? How useful is that? It seems about as useful as scraping web pages for random names & numbers. Might as well go to classmates.com and get a list of names there.


name, id, AND full size profile picture


http://graph.facebook.com/laden

{ "error": { "type": "QueryParseException", "message": "Some of the aliases you requested do not exist: laden" } }


I just realized that if you supply an access token you have access to even more information for record.


Seems that its only more info based on your account. Unless Im missing something.


It will be interested if anyone ever does a dump of all the data availible


What's interesting is that you can put the id in the url and get their data (example: http://graph.facebook.com/677195182).

I'm not entirely sure about what you could do with this data, but it's there, for anyone to see.


So bots get some non-standard file for robots.txt.

Guess no one at facebook has noticed the vulnerability exposed with pretty usernames on facebook & ignoring "." in a different framework. (probably just following gmail usernames.)



Surprised that http://graph.facebook.com/phpinfo.php isn't taken.





Reminds me of Little Bobby Tables: http://xkcd.com/327/


You could do this for hours:

http://graph.facebook.com/sitemap.xml


so your name will be published out to the web?

you can set the userid as parameter and you get Mark Zuckerbergs Profile here : http://graph.facebook.com/4

Then you can simple count up to infinite to get the other profiles. The API has a Usage limit and blocks after a while



Much more than users apparently. It looks like everyting is thrown in here:

http://developers.facebook.com/docs/api


Anyone knows why they are skipping IDs? Why didn't he pick id=1?


Perhaps those were just tests, and databases use incremental index but don't care if you delete a record.


Winklevoss, Winklevoss, and Narendra? :)




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: