Hacking the Facebook

by Savage Monkey

For those not familiar with it, Facebook (facebook.com) is a social networking site for college students and alumni having subsites for over 800 colleges and universities, chiefly in the U.S.

The site is said to be one of the top ten most-visited sites on the web and it is phenomenally popular among American college students.

In the past, the site has had a number of security flaws attributable to simple software bugs, insufficient input validation, etc.  I will not be discussing these kinds of security holes here.

Instead, I will focus on more subtle tricks that rely on using intended features to do more than the site creators intended.

As the site is now designed, members register by providing their names, a college-affiliated email address, and their affiliation with the college (student, faculty, alumnus, etc.).  The email address must be at the domain of one of the schools for which a subsite exists.  When a user registers, Facebook then emails them a confirmation link at the provided email address, like any other membership-based website.

Once the user is registered, they can create a profile, connect to friends at their own school or others (friendship requests require the friend's confirmation), send messages to other members, "poke" people (who will receive a "You have been poked by Member X" message), join or start common-interest groups at their own school, publicize and RSVP to campus parties, or upload photos.

By default, member profiles can be viewed by other members at the same school, the member's confirmed friends, and anyone to whom the member has sent a Facebook message or a poke.  This is the least restrictive option, although more restrictive options (such as friends only) are possible.

So let's say you want to see someone's profile, but you're not in any of these categories and they won't add you as a friend for whatever reason.  One option is to send them a message in the hopes that they reply.  If they do, you can see their profile, except for their contact information.  Similarly, you could try poking them in the hopes that they poke you back.

If you don't think they'd reply to your regular account, you can always create another one.  It's easier than you think.

Of course, if your college lets you set up a mail server on a subdomain of your choice, you're golden.  Otherwise, look for MX records pointing to the same mail server as your regular mail server.

For instance, if your email address is joe@college.edu, you can probably create another account using the email address joe@smtp.college.edu, and maybe another at joe@mail.college.edu, etc.

Of course, in this case the person may still figure out who you are.  A sneakier trick is to use a mailing list.  Almost every college or university runs one or more mailing list servers (GNU Mailman, Majordomo, etc.).

Many of these have old unmoderated mailing lists that do nothing but receive and archive spam.  If you find one of these, have a Facebook account confirmation sent to it.  It doesn't even have to be at your college, and by doing this you can gain access to profiles at whatever school hosts the list.
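The registration trick above works because the address check accepts anything under a school's mail domain, and a mail server that answers for several hostnames delivers all of them to the same mailbox. As an added example (mine, not from the article and not Facebook's code), here is that weak suffix-matching check beside an exact-domain check. The allowlist, school names and sample addresses are constructed for the example. Exact matching also refuses look-alike domains that merely end in the same string (joe@evilcollege.example passes the suffix check), but note what it does not do: it says nothing about who reads the mailbox, so it does nothing against the unmoderated mailing-list trick, where the address really is at the school's domain.

```python
import re
from email.utils import parseaddr

# Hypothetical allowlist (constructed for this example): the exact domains each
# school registered for its subsite. A real site would load this from its config.
ALLOWED_DOMAINS = {
    "college.example": "College",
    "univ.example": "University",
}

LOCAL_PART = re.compile(r"^[A-Za-z0-9._%+-]{1,64}$")


def split_address(address):
    """Return (local, domain) from a bare address or a 'Name <addr>' form,
    or None when the address is malformed."""
    _, addr = parseaddr(address)
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    domain = domain.lower().rstrip(".")
    if not LOCAL_PART.match(local) or not domain:
        return None
    return local, domain


def school_for_suffix_match(address):
    """The weak check the article exploits: any domain that ends in a registered
    domain passes, so joe@smtp.college.example is treated as College, and so is an
    unrelated look-alike such as joe@evilcollege.example."""
    parts = split_address(address)
    if parts is None:
        return None
    _, domain = parts
    for registered, school in ALLOWED_DOMAINS.items():
        if domain.endswith(registered):
            return school
    return None


def school_for_exact_match(address):
    """Exact match on the whole domain: subdomains and look-alikes are refused.
    Any extra mail hosts a school wants accepted must be listed explicitly."""
    parts = split_address(address)
    if parts is None:
        return None
    _, domain = parts
    return ALLOWED_DOMAINS.get(domain)


if __name__ == "__main__":
    for sample in ("joe@college.example", "joe@smtp.college.example",
                   "joe@evilcollege.example", "Joe <joe@COLLEGE.example>"):
        print(sample, school_for_suffix_match(sample), school_for_exact_match(sample))
```

The exact check deliberately pushes the decision into the allowlist: if a school wants mail.college.example accepted as well, someone has to add it, rather than the code silently accepting every hostname the school's mail server happens to answer for.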

A more nefarious method is to trick a Facebook user into clicking on something that will, by opening a hidden or conspicuous frame on the page, cause them to add you to their friends list.

There is such a site at http://infect.la/facebook.php which opens several frames with URLs like www.facebook.com/addfriend.php?id=X&confirmed=1 where X is a random number.

If X is your User ID - easily obtained by looking at the URL for your profile - and you can convince someone to go to this page, they will have added you as their friend.

They may delete you from their friends list, but if you just want to quickly examine their profile, this would be sufficient.  You could also cause them to add you as their significant other, poke you, or send you an arbitrary message by playing with URLs in similar ways.

I won't give precise URLs, but they should be obvious upon viewing the source of various Facebook pages.

If you trick someone into sending you a message in this way, large portions of their profile will be permanently readable to you.

You might use a site like TinyURL to disguise the URL.
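The frame trick described above is what is now called cross-site request forgery (CSRF): the victim's browser attaches their own session cookie to a request that a third-party page caused it to make, and the server treats the request as the victim's deliberate action. The following added example is mine, not code from the article or from Facebook; it shows the server side of the problem. A stand-in friend-add handler in the vulnerable shape the article describes sits beside a hardened version that requires POST, checks the request's origin (the Origin header that modern browsers send; it did not exist when the article was written) and demands a per-session secret token that only the site's own pages can embed. The site origin, session store, request objects and user ids are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical stand-ins for the site and its request/session objects (constructed
# for this example; nothing here is Facebook's code).
SITE_ORIGIN = "https://www.facebook.example"
SESSIONS = {}   # session cookie value -> Session
FRIENDS = {}    # user id -> set of friend ids


@dataclass
class Request:
    method: str
    path: str
    params: dict
    cookies: dict
    origin: str = ""   # Origin header as sent by modern browsers; "" if absent


@dataclass
class Session:
    user_id: int
    # Per-session secret that only pages served by the site itself can read and embed.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def login(user_id):
    """Create a session and return the cookie value the browser would store."""
    cookie = secrets.token_hex(8)
    SESSIONS[cookie] = Session(user_id)
    FRIENDS.setdefault(user_id, set())
    return cookie


def add_friend_vulnerable(req):
    """The shape the article exploits: a GET carrying the session cookie and
    confirmed=1 is enough, whichever page caused the browser to send it."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    if req.params.get("confirmed") != "1":
        return 200, "show confirmation form"
    FRIENDS[sess.user_id].add(int(req.params["id"]))
    return 200, "friend added"


def add_friend_hardened(req):
    """Three independent checks; any one of them stops the forged request."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    # 1. State changes only via POST, so a plain frame, image or link load cannot trigger them.
    if req.method != "POST":
        return 405, "state change requires POST"
    # 2. If the browser reports where the request came from, it must be our own site.
    if req.origin and req.origin != SITE_ORIGIN:
        return 403, "cross-site request refused"
    # 3. The request must carry the secret token from the session; a third-party
    #    page cannot read it, so it cannot build a request that includes it.
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid csrf token"
    FRIENDS[sess.user_id].add(int(req.params["id"]))
    return 200, "friend added"


def demo():
    """Run the same forged requests through both handlers; returns the outcomes."""
    victim = login(7)
    other_id = "1234"   # constructed user id of the account being added
    cookie = {"sid": victim}
    # A frame on a third-party page: the browser fetches the URL and attaches the cookie.
    forged_get = Request("GET", "/addfriend.php", {"id": other_id, "confirmed": "1"},
                         cookie, origin="https://third-party.example")
    # A self-submitting form on that page: POST, but from a foreign origin.
    forged_post = Request("POST", "/addfriend.php", {"id": other_id}, cookie,
                          origin="https://third-party.example")
    # Same forgery from a browser that sends no Origin header: the token check remains.
    forged_post_no_origin = Request("POST", "/addfriend.php", {"id": other_id}, cookie)
    # The genuine form served by the site embeds the session's token.
    genuine = Request("POST", "/addfriend.php",
                      {"id": other_id, "csrf_token": SESSIONS[victim].csrf_token},
                      cookie, origin=SITE_ORIGIN)

    vulnerable = add_friend_vulnerable(forged_get)[0]
    forged_by_vuln = int(other_id) in FRIENDS[7]
    FRIENDS[7].clear()
    hardened = tuple(add_friend_hardened(r)[0]
                     for r in (forged_get, forged_post, forged_post_no_origin))
    forged_by_hardened = int(other_id) in FRIENDS[7]
    legit = add_friend_hardened(genuine)[0]
    return vulnerable, forged_by_vuln, hardened, forged_by_hardened, legit


if __name__ == "__main__":
    print(demo())  # (200, True, (405, 403, 403), False, 200)
```

The three checks are layered on purpose: the POST requirement alone defeats the frame and image loads the article relies on, the origin check covers browsers that report a foreign origin, and the token covers every remaining case, including a browser that sends no Origin header at all. The same handler shape applies to the poke, message and relationship actions the article mentions, since each is a state change driven by a URL the victim's browser can be made to request.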

Happy Facebooking!
