Ping (zestyping) wrote,

FAQ about the Facebook API Browser.

Here are answers to some common questions about the Facebook API Browser. For details on the exposure of users' event lists, which now appears to have been fixed, see a previous post.


About the Facebook Graph API and the Facebook API Browser

What is the Facebook Graph API?

It's a new service provided by Facebook that lets computer programs get information from Facebook.

What kind of information does the Facebook Graph API provide?

Please see Facebook's developer documentation, which describes all the different kinds of requests that the API will answer.

What is the Facebook API Browser?

The Facebook API Browser is a tool to let you ask the Facebook Graph API for information and see the replies. This tool was created by me, not by Facebook.

Is it designed to exploit vulnerabilities in the Facebook Graph API?

No. The Facebook API Browser makes normal requests to the Facebook Graph API, exactly as recommended and documented on Facebook's developer website.

Why did you create it?

I'm a Facebook user. When I heard about the new API, I was curious to know what information it exposes about me. I realized that there wasn't an easy way for users of the regular Facebook website to see what the API publishes about them, and that other users might want to know that too.

Did Google ask you to do this?

No. I work at Google, but this has nothing to do with my work for them.


Using the Facebook API Browser

How do I use it?

There are two boxes you can type into, similar to the two boxes in most web browsers, and the reply from the Facebook server is shown below them.

The box on the left is a location box; it shows what was just requested. The box on the right is a search box.

In the location box, you can enter any Facebook ID. Everything on Facebook has a numeric ID — every user, every page, every group, and so on. For example, Mark Zuckerberg's ID is 4, and The Church of the Flying Spaghetti Monster has an ID of 9835354795. In addition, users can also have aliases — for example, Mark Zuckerberg's alias is "zuck", so if you enter "zuck", it will be just as though you entered "4".

In the search box, you can enter any keywords, including names or e-mail addresses. When you point at the "Find" button, you'll get a selection of buttons that you can choose to search for users, posts, events, groups, or pages. Each kind of search can turn up different results.

Who can see the information that it shows me?

Anyone. The Facebook API Browser does not use your password, your identity, or any special privileges to get the information that it shows you, so anything you see in the results is available to the public through the Facebook Graph API.

What's the difference between the blue and red links?

The replies from the Facebook server contain links that you can click to explore further. The blue links point to regular web pages, on Facebook and elsewhere. The red links make further API requests, and will load up more information in the Facebook API Browser. Just like the Back and Forward buttons in your regular web browser, the ◀ and ▶ buttons to the left of the location box will step back and forward in the history of API replies that you've viewed.

If I see "(empty)", does that mean my information is private?

It means that the Facebook Graph API has nothing to show to an unconnected member of the public. However, Facebook users who are friends with you, friends of your friends, or in the same network as you, as well as Facebook applications that you use or websites that you have authorized, may have access to more of your Facebook information than you see in the Facebook API Browser. Also, there are other ways, aside from the Facebook Graph API, to obtain information about your Facebook account. For example, other users can see your list of friends on the website, even though your friends list is not available through this API.

If I see "error", does that mean my information is private?

There are a few different kinds of errors you might see:

"Some of the aliases you requested do not exist"
    The text entered in the location box isn't a Facebook ID or user alias.
"Invalid OAuth access token" or "Error processing access token"
    The access token the tool was using has expired or been rejected. Try reloading the Facebook API Browser so that it picks up a current token.
"Can't lookup all friends" or "You can only access ... for the current user"
    The Facebook API is refusing to show that information to anyone but the user it belongs to. This is the expected reply when you ask for another person's friends list or inbox, and it does not indicate a problem with the tool.

Remember that just because the API hides information from an unconnected member of the public, that doesn't mean it hides the information from your friends or applications. And even if the API hides a particular kind of information, there might still be some other way to get it.
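To make the requests and replies described above concrete, here is an added example in JavaScript (the language the tool is written in). It is an editing addition, not code from the Facebook API Browser itself. It builds the Graph API URLs that the location box and the search box produce, tells API (red) links from ordinary web (blue) links, and sorts a parsed JSON reply into "(empty)", "error" or data, attaching the interpretation given in the error list above. The function names, the access token value and the sample replies are my own constructions; the https-only rule for requests that carry a token is the one reported in the comments further down.

```javascript
// Added example (not the original Facebook API Browser code): a minimal
// Graph API request builder and reply classifier matching the FAQ above.
// Function names, the TOKEN placeholder and SAMPLE_REPLIES are constructed
// for illustration and are not real Facebook data.

// Requests that carry an access token must go over https.
const GRAPH_ORIGIN = "https://graph.facebook.com";

// Location box: an ID (4), an alias (zuck) or a connection path (4/events).
// Anything else (an e-mail address, free text) belongs in the search box.
function graphUrl(location, token) {
  const path = String(location).trim().replace(/^\/+/, "");
  if (!/^[A-Za-z0-9_.-]+(\/[A-Za-z0-9_.-]+)*$/.test(path)) {
    throw new Error("not a Facebook ID, alias or connection path: " + location);
  }
  const url = new URL(path, GRAPH_ORIGIN + "/");
  if (token) url.searchParams.set("access_token", token);
  return url.toString();
}

// Search box: keywords in q, the kind of object in type.
const SEARCH_TYPES = ["user", "post", "event", "group", "page"];
function searchUrl(keywords, type, token) {
  if (!SEARCH_TYPES.includes(type)) {
    throw new Error("unsupported search type: " + type);
  }
  const url = new URL("/search", GRAPH_ORIGIN);
  url.searchParams.set("q", keywords);
  url.searchParams.set("type", type);
  if (token) url.searchParams.set("access_token", token);
  return url.toString();
}

// Red links make further API requests; blue links are ordinary web pages.
function linkKind(href) {
  try {
    return new URL(href).origin === GRAPH_ORIGIN ? "red" : "blue";
  } catch (e) {
    return "blue";
  }
}

// Sort a parsed JSON reply into "(empty)", "error" or data, with the hint
// the FAQ gives for each error message.  Connections come back as {data: [...]}
// with an optional paging.next link; single objects come back as plain objects.
function classifyReply(reply) {
  if (reply && reply.error) {
    const msg = reply.error.message || "";
    let hint = "the API is not allowing you to see this information";
    if (/aliases you requested do not exist/i.test(msg)) {
      hint = "not a Facebook ID or alias";
    } else if (/must use https/i.test(msg)) {
      hint = "the request was not sent over https";
    } else if (/access token/i.test(msg)) {
      hint = "reload the API browser to get a fresh token";
    }
    return { kind: "error", type: reply.error.type, message: msg, hint };
  }
  if (reply && Array.isArray(reply.data)) {
    const next = reply.paging && reply.paging.next ? reply.paging.next : null;
    return reply.data.length === 0
      ? { kind: "empty", next }
      : { kind: "data", count: reply.data.length, next };
  }
  return { kind: "data", count: 1, next: null };
}

// Constructed sample replies (not captured from Facebook), keyed by the
// location-box text that would have produced them.
const SAMPLE_REPLIES = {
  "4": { id: "4", name: "Mark Zuckerberg", link: "http://www.facebook.com/zuck" },
  "4/events": { data: [] },
  "nosuchalias": {
    error: {
      type: "OAuthException",
      message: "Some of the aliases you requested do not exist: nosuchalias",
    },
  },
};

// Summarise what a user would see for each location, as the tool's
// "(empty)" / "error" / data display does.
function summariseAll(replies) {
  const out = {};
  for (const [location, reply] of Object.entries(replies)) {
    out[location] = classifyReply(reply).kind;
  }
  return out;
}

console.log(graphUrl("zuck", "TOKEN"));
console.log(searchUrl("mark zuckerberg", "user", "TOKEN"));
console.log(summariseAll(SAMPLE_REPLIES));
```

In the real tool the URL returned by `graphUrl` or `searchUrl` is fetched from the browser and the parsed JSON is handed to `classifyReply`; when the result carries a `next` link, following it is just another red link, and a `paging.next` that returns `{data: []}` is the "data (empty)" end of a listing that one commenter below asks about.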


How it works

Do you log requests to the Facebook API Browser?

When you load the page, your browser requests the page from my web server, and that request is logged. But after that, whatever you enter in the location box or search box is not logged by my server. In fact, it never reaches my server; the API requests go directly from your browser to Facebook.

Does your server see the information that is displayed to me?

No. That information is coming directly from Facebook to your browser. The Facebook API Browser is a JavaScript program; it runs in your browser and communicates only with Facebook, not with my server.

How do you know that the information it shows is available to anyone?

Most requests to the Facebook Graph API require an access token, which corresponds to a Facebook user and allows a program to act with the privileges of that user. For the Facebook API Browser, I created a dummy Facebook account that has no friends and no connections to anything. The Facebook API Browser then uses an access token representing this user to ask for information. Because the tool runs entirely in your browser, that token is necessarily visible in the page; that is acceptable only because the account behind it has nothing private to expose, so anyone who takes the token gains no more than an unconnected member of the public already has.

Can I see the source code?

Certainly! Just look at the source of the page. It's all there, and it's open source under the GNU General Public License.


About the exposure of Facebook events

What's this I heard about Facebook publishing my events?

The Facebook API Browser went up on Friday, April 23, and people started playing with it. Shortly thereafter, a few people discovered that clicking the /events link on a user profile sometimes exposed a list of events that the user was attending. Clicking on these events would then reveal the location and sometimes the address of each event, and the names of the other people invited and attending. See a previous post for screenshots and more details about the problem.

Who was affected?

This list was not revealed for all users, though it was revealed at least for myself and for Mark Zuckerberg, the founder of Facebook. No one seems to know why some users were affected and others weren't.

Is the Facebook Graph API still publishing this information?

It doesn't look like this is happening anymore. Sometime on Monday, April 26, the Facebook Graph API stopped returning lists of events for me and for Mark Zuckerberg, and no one has reported being able to get a list of events for any user since then.

So my events are private now?

Not necessarily. The information about the event itself is controlled by a privacy setting on the event. If the event is "Open", then anyone who can find the event can see the event's description, location, and the names of all the people invited or attending. So, yes, it looks like unconnected members of the public can no longer find events by looking at your list of events, but they can still find open events by searching for them, and then see the details of those events.

Also, when you authorize and use a Facebook application, the application gains access to all of your information, including your list of events.


Your thoughts? More questions?

Please use the comment area below to post your feedback and questions. I'll try to keep this post updated with answers to common questions.

I'm getting this when I look up some users in both IE and Firefox.

Message: 'constructor' is null or not an object
Line: 105
Char: 3
Code: 0
Thanks! I've made a change that fixes this problem.
Great tool, thanks. I realize why you wouldn't grab all info on page load, but it would be nice to be able to see the results all on one page, or even identify by color or asterisk or something which properties are not empty (i.e., data is available).

Even ajax to get data over time...

Not suggesting you should feel obligated to do this, thank you for your effort so far.




May 12 2010, 02:28:18 UTC

I get this error almost always but occasionally the info comes through:

"error": {
"type": "OAuthException",
"message": "You must use https:// when passing an access token"

Why is it so inconsistent? I can't tell what it actually is publishing because it only works occasionally.
Thanks for reporting this. It looks like they've added a new requirement to the API. I believe I've fixed this now.


May 12 2010, 19:40:05 UTC

Thank you for making this, and having it open source.

I'm curious about how you're generating/refreshing the access tokens. Since they expire after an hour or two, you must be automatically refreshing them somehow. I'm speculating that you could do it with a browser that's set to refresh every so often, or possibly with a cron job?? Are you able to share your code for this?


August 3 2010, 18:23:18 UTC

Great question! I would also like to know the answer, Thanks!

Auth token solution



an error?


May 13 2010, 03:29:26 UTC

Thanks for making this. While testing it out, some of the results did not seem accurate. I put in the IDs of two random people (that I'm not connected with) and compared what's visible on their profiles to what your API browser shows. Both have books and movies publicly visible to all, yet the API browser does not show them. Unless I'm confused, it seems like these should show up in the browser.

Re: an error?


May 17 2010, 06:33:44 UTC (edited May 17 2010, 06:34:08 UTC)

The API Browser only shows what's returned through the API. The information shown on a Facebook profile page doesn't necessarily match what is provided through the API.
When I use this tool to look up my friend list, I get this error:

"(#604) Can't lookup all friends of [my_ID_number]; can only lookup for the logged in user (100001040613184) or for pairs of users"
Yup. That means the API is refusing to reveal your friends list. It currently looks like you can't see anyone else's friends list through the API, though it's described as "public information" in Facebook's help pages.
I know my actual address, but not the ID and I would like to find my specific profile to ensure that I'm keeping as much private as possible.
Try searching for your e-mail address in the search box. When you find your own profile, your ID number will be visible in the "id" field.


May 19 2010, 05:05:34 UTC

I keep getting the following message for everything I try to access. I am logged into Facebook on another tab. Is there something I can do to make this work?

"error": {
"type": "Exception",
"message": "You can only access the \"inbox\" connection for the current user: "
This error message means that you can't see other people's inboxes. Not all the links produce this error message, though.



"error": {
"type": "OAuthException",
"message": "Error processing access token."

Does this mean Facebook is "private" now? Or am I gonna have to keep looking for ways to figure out where I'm having security leaks?
Btw, you rock. Keep up the good work.
If you know any other sites like yours, please post a link in the reply.

Re: New security update?



No matter what I do, this is all I ever see. (XP, running firefox)

The API reported an error:

Kudos for making the site.
At the bottom of the page there is 'updated_time'. What does that pertain to?

Thanks for a great tool.
I looked over my profile and except for my likes/interests, everything turns up as empty, even though for example I have stuff in "Photos". Does this mean my account is "secure"?
I just tried it on profiles I know completely public and nothing showed up...



June 26 2010, 07:04:28 UTC

Can you please provide a quick write-up on the process by which you obtain a new token every two hours, as stated in your source code. I'm new to the FB API, and am very intrigued! PS: Thanks for sharing your experiment!
I am attempting to look at user posts and the comments attached on the corporate page of a public company. I have noticed that not all of the comments that are present on the actual Facebook page are present in the API. Is there a reason for this?

Also when I click next in the paging area it returns: data(empty)

Thanks For Your Help