Ping (zestyping) wrote,

FAQ about the Facebook API Browser.

Here are answers to some common questions about the Facebook API Browser. For details on the exposure of users' event lists, which appears to now have been fixed, see a previous post.


About the Facebook Graph API and the Facebook API Browser

What is the Facebook Graph API?

It's a new service provided by Facebook that lets computer programs get information from Facebook.

What kind of information does the Facebook Graph API provide?

Please see Facebook's developer documentation, which describes all the different kinds of requests that the API will answer.

What is the Facebook API Browser?

The Facebook API Browser is a tool to let you ask the Facebook Graph API for information and see the replies. This tool was created by me, not by Facebook.

Is it designed to exploit vulnerabilities in the Facebook Graph API?

No. The Facebook API Browser makes normal requests to the Facebook Graph API, exactly as recommended and documented on Facebook's developer website.

Why did you create it?

I'm a Facebook user. When I heard about the new API, I was curious to know what information it exposes about me. I realized that there wasn't an easy way for users of the regular Facebook website to see what the API publishes about them, and that other users might want to know that too.

Did Google ask you to do this?

No. I work at Google, but this has nothing to do with my work for them.


Using the Facebook API Browser

How do I use it?

There are two boxes you can type into, similar to the two boxes in most web browsers, and the reply from the Facebook server is shown below them.

The box on the left is a location box; it shows what was just requested. The box on the right is a search box.

In the location box, you can enter any Facebook ID. Everything on Facebook has a numeric ID — every user, every page, every group, and so on. For example, Mark Zuckerberg's ID is 4, and The Church of the Flying Spaghetti Monster has an ID of 9835354795. In addition, users can also have aliases — for example, Mark Zuckerberg's alias is "zuck", so if you enter "zuck", it will be just as though you entered "4".

In the search box, you can enter any keywords, including names or e-mail addresses. When you point at the "Find" button, you'll get a selection of buttons that you can choose to search for users, posts, events, groups, or pages. Each kind of search can turn up different results.

Who can see the information that it shows me?

Anyone. The Facebook API Browser does not use your password or identity or any special privileges to get the information that it shows you. So, anything you see in the results is available to the public through the Facebook Graph API.

What's the difference between the blue and red links?

The replies from the Facebook server contain links that you can click to explore further. The blue links point to regular web pages, on Facebook and elsewhere. The red links make further API requests, and will load up more information in the Facebook API Browser. Just like the Back and Forward buttons in your regular web browser, the ◀ and ▶ buttons to the left of the location box will step back and forward in the history of API replies that you've viewed.

If I see "(empty)", does that mean my information is private?

It means that the Facebook Graph API has nothing to show to an unconnected member of the public. However, Facebook users that are friends with you, friends of your friends, or in the same network as you, as well as Facebook applications that you use or websites that you have authorized, may have access to more of your Facebook information than you see in the Facebook API Browser. Also, there are other ways, aside from the Facebook Graph API, to obtain information about your Facebook account — for example, other users can see your list of friends on the website, even though your friends list is not available through this API.

If I see "error", does that mean my information is private?

There are a few different kinds of errors you might see:

"Some of the aliases you requested do not exist"
    The text entered in the location box isn't a Facebook ID or user alias.

"Invalid OAuth access token" or "Error processing access token"
    Try reloading the Facebook API Browser.

"Can't lookup all friends" or "You can only access ... for the current user"
    The Facebook API is not allowing you to see the information.

Remember that just because the API hides information from an unconnected member of the public, that doesn't mean it hides the information from your friends or applications. And even if the API hides a particular kind of information, there might still be some other way to get it.
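
To check your own profile against the "(empty)" and "error" answers above, here is an added example (not code from the Facebook API Browser itself) that sorts a set of already-parsed API replies by what they say about public exposure. The status names, the function names, and every sample reply are constructed for illustration; the error wording is taken from the messages quoted on this page.

```javascript
// Added example: sort Graph API replies by what they say about public exposure.
// All sample replies below are constructed; the status names are this example's own.

function classifyReply(reply) {
  if (reply && reply.error) {
    const msg = String(reply.error.message || "");
    // Token trouble says nothing about privacy; the request has to be retried.
    if (/access token/i.test(msg)) return "token-problem";
    if (/aliases you requested do not exist/i.test(msg)) return "no-such-id";
    // e.g. "Can't lookup all friends", "You can only access ... for the current user"
    return "refused";
  }
  // Connections (events, friends, ...) come back as {"data": [...]}.
  if (reply && Array.isArray(reply.data)) {
    return reply.data.length > 0 ? "exposed" : "empty";
  }
  // A plain object: anything beyond the bare id counts as published.
  const fields = Object.keys(reply || {}).filter(
    (k) => k !== "id" && reply[k] !== "" && reply[k] != null
  );
  return fields.length > 0 ? "exposed" : "empty";
}

function auditExposure(replies) {
  const report = { exposed: [], empty: [], refused: [], "no-such-id": [], "token-problem": [] };
  for (const [name, reply] of Object.entries(replies)) {
    report[classifyReply(reply)].push(name);
  }
  // Any token problem leaves that part of the audit undecided.
  report.conclusive = report["token-problem"].length === 0;
  return report;
}

// Constructed replies for one hypothetical profile, keyed by request.
const sampleReplies = {
  profile: { id: "0000000000", name: "Example User", locale: "en_US" },
  events: { data: [{ id: "1111111111", name: "Constructed event" }] },
  photos: { data: [] },
  friends: { error: { type: "Exception", message: "(#604) Can't lookup all friends of 0000000000" } },
  inbox: { error: { type: "Exception", message: "You can only access the \"inbox\" connection for the current user" } },
  likes: { error: { type: "OAuthException", message: "Error processing access token." } },
};

console.log(auditExposure(sampleReplies));
```

Entries under "refused" and "empty" only describe what an unconnected member of the public gets; friends and authorized applications may still see more.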


How it works

Do you log requests to the Facebook API Browser?

When you load the page, your browser requests the page from my web server, and that request is logged. But after that, whatever you enter in the location box or search box is not logged by my server. In fact, it never reaches my server; the API requests go directly from your browser to Facebook.

Does your server see the information that is displayed to me?

No. That information is coming directly from Facebook to your browser. The Facebook API Browser is a JavaScript program; it runs in your browser and communicates only with Facebook, not with my server.

How do you know that the information it shows is available to anyone?

Most requests to the Facebook Graph API require an access token, which corresponds to a Facebook user and allows a program to act with the privileges of that user. For the Facebook API Browser, I created a dummy Facebook account that has no friends and no connections to anything. The Facebook API Browser then uses an access token representing this user to ask for information.

Can I see the source code?

Certainly! Just look at the source of the page. It's all there, and it's open source under the GNU General Public License.


About the exposure of Facebook events

What's this I heard about Facebook publishing my events?

The Facebook API Browser went up on Friday, April 23, and people started playing with it. Shortly thereafter, a few people discovered that clicking the /events link on a user profile sometimes exposed a list of events that the user was attending. Clicking on these events would then reveal the location and sometimes the address of each event, and the names of the other people invited and attending. See a previous post for screenshots and more details about the problem.

Who was affected?

This list was not revealed for all users, though it was revealed at least for myself and for Mark Zuckerberg, the founder of Facebook. No one seems to know why some users were affected and others weren't.

Is the Facebook Graph API still publishing this information?

It doesn't look like this is happening anymore. Sometime on Monday, April 26, the Facebook Graph API stopped returning lists of events for me and for Mark Zuckerberg, and no one has reported being able to get a list of events for any user since then.

So my events are private now?

Not necessarily. The information about the event itself is controlled by a privacy setting on the event. If the event is "Open", then anyone who can find the event can see the event's description, location, and the names of all the people invited or attending. So, yes, it looks like unconnected members of the public can no longer find events by looking at your list of events, but they can still find open events by searching for them, and then see the details of those events.

Also, when you authorize and use a Facebook application, the application gains access to all of your information, including your list of events.


Your thoughts? More questions?

Please use the comment area below to post your feedback and questions. I'll try to keep this post updated with answers to common questions.
I'm getting this when I look up some users in both IE and FireFox.

Message: 'constructor' is null or not an object
Line: 105
Char: 3
Code: 0
Thanks! I've made a change that fixes this problem.
great tool, thanks. I realize why you wouldn't grab all info on page load, but it would be nice to be able to see the results all on one page, or even identify by color or asterisk or something which properties are not empty (ie, data is available)

Even ajax to get data over time...

Not suggesting you should feel obligated to do this, thank you for your effort so far.




May 12 2010, 02:28:18 UTC 7 years ago

I get this error almost always but occasionally the info comes through:

"error": {
"type": "OAuthException",
"message": "You must use https:// when passing an access token"

Why is it so inconsistent? I can't tell what it actually is publishing because it only works occasionally.
Thanks for reporting this. It looks like they've added a new requirement to the API. I believe I've fixed this now.


May 12 2010, 19:40:05 UTC 7 years ago

Thank you for making this, and having it open source.

I'm curious about how you're generating/refreshing the access tokens. Since they expire after an hour or two, you must be automatically refreshing them somehow. I'm speculating that you could do it with a browser that's set to refresh every so often, or possibly with a cron job?? Are you able to share your code for this?


August 3 2010, 18:23:18 UTC 7 years ago

Great question! I would also like to know the answer, Thanks!

Auth token solution


7 years ago

an error?


May 13 2010, 03:29:26 UTC 7 years ago

Thanks for making this. While testing it out, some of the results did not seem accurate. I put in the ids of two random people (that I'm not connected with) and compared what's visible on their profiles to what your API browser shows. Both have books and movies publicly visible to all yet the api browser does not show them. Unless I'm confused, seems like these should show up in the browser.

Re: an error?


May 17 2010, 06:33:44 UTC 7 years ago Edited:  May 17 2010, 06:34:08 UTC

The API Browser only shows what's returned through the API. The information shown on a Facebook profile page doesn't necessarily match what is provided through the API.
When I use this tool to look up my friend list, I get this error:

"(#604) Can't lookup all friends of [my_ID_number]; can only lookup for the logged in user (100001040613184) or for pairs of users"
Yup. That means the API is refusing to reveal your friends list. It currently looks like you can't see anyone else's friends list through the API, though it's described as "public information" in Facebook's help pages.
I know my actual address, but not the ID and I would like to find my specific profile to ensure that I'm keeping as much private as possible.
Try searching for your e-mail address in the search box. When you find your own profile, your ID number will be visible in the "id" field.


May 19 2010, 05:05:34 UTC 7 years ago

I keep getting the following message for everything I try to access. I am logged into Facebook on another tab? Is there something I can do to make this work?

"error": {
"type": "Exception",
"message": "You can only access the \"inbox\" connection for the current user: "
This error message means that you can't see other people's inboxes. Not all the links produce this error message, though.


7 years ago

"error": {
"type": "OAuthException",
"message": "Error processing access token."

Does this mean Facebook is "private" now? Or am I gonna have to keep looking for ways to figure out where I'm having security leaks?
Btw, you rock. Keep up the good work.
If you know any other sites like yours, please post a link in the reply.

Re: New security update?


7 years ago

No matter what I do, this is all I ever see. (XP, running firefox)

The API reported an error:

Kudos for making the site.
At the bottom of the page there is 'updated_time'. What does that pertain to?

Thanks for a great tool.
I looked over my profile and except for my likes/interests, everything turns up as empty, even though for example I have stuff in "Photos". Does this mean my account is "secure"?
I just tried it on profiles I know completely public and nothing showed up...



June 26 2010, 07:04:28 UTC 7 years ago

Can you please provide a quick write-up on the process by which you obtain a new token every two hours, as stated in your source code. I'm new to the FB API, and am very intrigued! PS: Thanks for sharing your experiment!
I am attempting to look at user posts and the comments attached on the corporate page of a public company. I have noticed that not all of the comments that are present on the actual Facebook page are present in the API. Is there a reason for this?

Also when I click next in the paging area it returns: data(empty)

Thanks For Your Help

Open Events


July 20 2010, 16:52:22 UTC 7 years ago

I'm new to FB and when I was looking for Graph API uses/implementation found your post. Nice work. My problem is that when I search my ID I can not see my Open events. I made sure that the event is public, and I check that with some friend's IDs I couldn't find open events.

First of all, fantastic job!
I'm currently also developing a web portal integrated with Facebook but I wonder why I'm not able to get posts' comments in a group with my access_token - of course I obtain the code to my application and exchange it to get my access_token and login-... I can get the posts, users' info, etc. but not the posts' comments. I've tried to debug a couple of times with your access_token, and it works! Moreover, the access tokens are slightly different (yours is longer :-)) I've searched in FB forums and nothing. I'm thinking it's an application permissions problem.
May I ask you the format of auth URLs that you use to get this type of tokens? I mean: client_id=...&redirect_uri=...&scope=..., or should I configure my FB application to ask for special permissions?

Thanks a lot!!!
I get the token from the developer documentation page, which includes some example links that are pre-customized with access tokens if you are logged in:


When I log into Facebook and put in a wrong password, a picture of me pops up and the Facebook login asks me if that is me. Is there a way to not have that picture show up?
ID: 100001040613184

I checked 2 of my friends, both of which don't know each other and are living in different countries. When I checked out one of their profile stuff here, it says only User 100001040613184 can see it besides them.
hi zesty,

Cool stuff. I did such a solution on the server side for me, but I can't retrieve "updated_time" - how do you get that?

For example the request only returns these fields:

"id": "636599595",
"name": "David Lindner",
"first_name": "David",
"last_name": "Lindner",
"link": "",
"gender": "m\u00e4nnlich",
"locale": "de_DE"

there is no updated_time ...


... and if I query the graph api, for some profiles, I get no link to the profile.
But with your api browser and same userID I can see the link ... any idea why?


August 14 2010, 13:58:33 UTC 7 years ago

Thank you Ping for sharing such a code masterpiece :) You rock!

It's really cool that your FB Browser doesn't require a login to Facebook, that is why I'm curious how do you get an access_token for a first page load?
I know that token can be grabbed from the example links available on FB/developers page for a logged-in user, but it's so monkey job! Your idea seems more elegant and pretty.
Can you drop some lines explaining this magic? :)
Thank you
I have tested your Facebook API Browser and it works well but I have some questions.
I managed to build an app in Perl that accesses Facebook and I'm doing searches through Facebook Graph API.
Curiously in my case when I perform a search it only returns results in Spanish, but I found in your case if I perform a search it returns posts in any language.
Do you have any idea of what of that?
I'm starting to become mad because Facebook have a few information and anywhere nobody knows nothing.
Cool stuff.

Are there any web sites to help developing these codes with C# for .Net developers?
Great work. I noticed the access_code in your script keeps getting updated from time to time; are you doing it manually or is it automatic?

Could you please outline how you obtained the dummy access token?

I logged in and visited the Developer documentation. The documentation contains links that are automatically filled in with access tokens based on your current login.