New Trick to View Hidden Facebook Photos and Tabs

Last December, I posted a bit of JavaScript known as a bookmarklet that allowed you to see photo albums for any Facebook user if the album privacy settings allowed it. This highlighted an example of “security through obscurity,” since the lack of links to photos on most profiles seemed to indicate no photos could be viewed. The trick worked as advertised, though it only displayed a few albums for those who had many.

The code came from my own experiments on accessing the hidden photos. It worked quite manually, retrieving data from a particular Facebook interface and stuffing it into the current page. I figured a more elegant solution could be found by re-using the code already embedded in the page, but I had not been able to sort out all of the built-in functions.

Last night and this morning, I found what I’d been missing before, and I now present a far simpler version that gives full access to all available albums of a given user. Simply bookmark this link (right-click and choose to add a bookmark) and click the bookmark when viewing someone’s profile on Facebook.

Once again, please note that this does not in any way circumvent a user’s privacy settings. If you mark your albums as visible only to your friends, this trick will not override that setting. I do not currently know of a way to access private photo albums, and if I did find one, I would report it to Facebook. My purpose in posting this code is to prove a point, not break into users’ accounts.

Here is the new source code:

javascript:(function(){CSS.removeClass(document.body, 'profile_two_columns');tab_controller.changePage("photos");})()

As I said, much simpler! I only had to find the right commands.

But the story doesn’t end there. This new method can be very easily adapted to load other information from a user’s profile, and the new possibilities raise more privacy ramifications. Once again, the trick does not actually override any settings, but it may break some user expectations and highlight the importance of overlooked or unknown settings.

The new behavior is that once can use similar code to access the canvas pages of applications the user has interacted with, as if the user had added the application as a tab on their profile. This includes the “Boxes” tab for users who have it. From what I understand, visibility of this tab page comes from the “Privacy” box under “Edit Settings” next to each application listed in a user’s Application Settings. Such controls have often been overlooked, particularly because they may not have seemed very relevant in the past. While many users stay aware of the privacy settings on their photos and wall posts, they may not think about the content they generate in the context of applications. Often, that content has little if any privacy controls applied.

Typically, any information available on an application tab is also available through the application itself, but this technique makes it far easier to find. However, it also raises some disturbing possibilities related to application data retention, and issue I’ve noted in the past but not seen discussed much elsewhere. For example, quite a while ago (as in months to years), I used the Pieces of Flair application with my personal Facebook account, arranging various buttons on my virtual corkboard. Eventually I pared down the number of applications I had authorized, and Pieces of Flair was one I uninstalled a number of months ago. Today, however, if you use the sort of bookmarklet posted above to check my Facebook profile for a Pieces of Flair tab page, you’ll see all my virtual buttons once again.

Facebook does notify applications when a user uninstalls them, but it’s up to the developer to actually do something about the data left behind. Apparently Pieces of Flair does nothing with the data, meaning a user has to manually delete their flair before removing the application if they want to truly get rid of the content they generated. Based on my experience, many applications behave in a similar fashion. Some may argue that this behavior is similar to Facebook “deactivating” an account, but at what point should the content expire, and how many applications offer a full deletion? Such issues become matters of retention policies, and based on my past studies of whether applications even had a privacy policy, I would guess that most applications do not currently have such terms.

All of this once again highlights the current complexity of data and privacy on the Facebook Platform. Granted, dealing with third-party applications is not a simple problem to solve, and I’m not simply criticizing Facebook for failing to build a perfect system. But these issues can very easily lead to unpleasant surprises for end users, and at some point someone will have to sort them out.

Share with your friends!
  • Facebook
  • Twitter
  • Google Plus
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Comments are closed.