phwd's comments

phwd | 4 years ago | on: My friends Instagram was hacked and deep-fake videos posted in less than 6 hours

Reposting this from Reddit (tried to edit the profanities) as I'm certain this is what happened here.

Essentially it's social engineering via a face scan app.

You can see an example of a possible scammer here https://www.instagram.com/sashana_walter/

"My friend is into crypto sh$t and he messaged me saying to check out his story (already weird but whatever) and he posted that this lady turned his $500 into $8500. It was a legit video of him speaking, walking down the street. Anyway I messaged the chick and she told me to download this app and I signed up and it made me scan my ID and my face which I thought was wack again but trusted my buddy… So I end up sending this chick $200 in bitcoin like a f%c^in idiot, but then she's trying to say I need to send another $300 to be able to actually ‘process’ and I was like uhhhh nope? Now ‘she’ is trying to get me to do some two-factor authentication confirmation code shit to ‘get my payout’. What I think is going on is they got into my friend's account and made a deepfake from the face scan and started DMing other people."

phwd | 6 years ago | on: Zoom iOS app sends data to Facebook even if you don’t have a Facebook account

At the risk of pointing to the documentation,

graph-facebook-com/app/activities is an endpoint used by 3rd party developers working with Facebook SDKs to send app analytic data for insights.

https://developers.facebook.com/docs/marketing-api/app-event... http://www.facebook.com/analytics https://business.facebook.com/events_manager/app/events

This is what a URL can look like.

graph-facebook-com/1106907002683888/activities?method=POST&event=MOBILE_APP_INSTALL&anon_id=1&advertiser_tracking_enabled=1&application_tracking_enabled=1&custom_events=[{%22_eventName%22:%22fb_mobile_purchase%22,}]

If you click the above you'll litter my analytics feed for my app 1106907002683888 with junk data.

Just in case someone was looking for the specific call being talked about, because I couldn't find it linked in Vice's article.

phwd | 6 years ago | on: Undercover video suggests Facebook wants extreme and disturbing content

This title provided by the OP is intentionally misleading and taken from a quote by Roger McNamee.

There are other platforms out there (LiveLeak and WorldStarHipHop for example) where it only takes a minute or less to reach extreme content. If Facebook really desired what the OP suggested, assumed by Roger McNamee to push ad revenue by engagement, then that's exactly the first video one would see when logging in to Facebook. The first video I see is always some shallow inspirational video by an "influencer" or a BuzzFeed video on cooking.

Dang, I’d rather at least the original title be used so that anyone reading the article can reach their own conclusion and then bring whatever fire and brimstone need be.

phwd | 7 years ago | on: U.S. lawmaker: 'Sure looks like Zuckerberg lied to Congress'

The nuances of what a "3rd party entity" vs a "3rd party app" represents in Facebook are really what's at hand here. Anyone who has spent time on the Facebook developer platform knows this.

NYT's watered-down article for the lowest denominator and maximum clicks (imo) vs Facebook's way too technical explanation for the maximum PR defense. None of this is going to help US/EU/World lawmakers understand the permission scope that was set in the Graph API for hardware vendors.

It will take anyone with an HTTP listener (Charles, Burp, Cycript, whatever your choice) five minutes to see where and how the access token was used.

If only we were discussing the data and HTTP requests and not the way reporters and PR play with words to fit their agendas.
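An added example (not code from these comments, from Zoom or from Facebook) of the "five minutes with a proxy" check above, which also decodes the app-events call from the earlier Zoom comment. It reads a constructed capture in the shape a Charles/Burp export boils down to (method, URL, request headers, body); the app id 1106907002683888 is the one named in that comment, the token value and every other request are invented. `parse_app_event` pulls the app id, event name and tracking flags out of a Graph API `/<app_id>/activities` call, and `discover_tokens`/`token_uses` show every host and path an access token was sent to and how (query string, Bearer header or body):

```python
"""Pick Facebook Graph API app-event calls and access-token usage out of a
proxy capture.  Added example, not code from the comments or from Facebook;
the capture below is constructed, not real Zoom or Facebook traffic, and the
token value is made up."""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample: (method, url, request headers, request body).
CAPTURE = [
    ("POST",
     "https://graph.facebook.com/1106907002683888/activities"
     "?event=MOBILE_APP_INSTALL&anon_id=XZ-0001"
     "&advertiser_tracking_enabled=1&application_tracking_enabled=1"
     "&custom_events=%5B%7B%22_eventName%22%3A%22fb_mobile_purchase%22%7D%5D",
     {"Content-Type": "application/x-www-form-urlencoded"}, ""),
    ("GET",
     "https://graph.facebook.com/v2.9/me?fields=id,name&access_token=EAAAFAKETOKEN",
     {}, ""),
    ("POST", "https://api.example.com/login",
     {"Authorization": "Bearer EAAAFAKETOKEN"}, "user=x"),
    ("GET", "https://www.example.com/index.html", {}, ""),
]


def _is_facebook(hostname):
    # Exact or subdomain match only; a plain endswith("facebook.com") would
    # also accept attacker-controlled names such as notfacebook.com.
    return hostname == "facebook.com" or (hostname or "").endswith(".facebook.com")


def parse_app_event(url):
    """Fields of a Graph API /<app_id>/activities call, or None for other URLs."""
    u = urlsplit(url)
    parts = [p for p in u.path.split("/") if p]
    if not _is_facebook(u.hostname) or len(parts) < 2 or parts[-1] != "activities":
        return None
    q = parse_qs(u.query)

    def first(key, default=None):
        return q.get(key, [default])[0]

    try:
        names = [e.get("_eventName") for e in json.loads(first("custom_events", "[]"))]
    except (ValueError, AttributeError, TypeError):
        names = ["<unparsable custom_events>"]
    return {
        "app_id": parts[-2],
        "event": first("event"),
        "anon_id": first("anon_id"),
        "advertiser_tracking": first("advertiser_tracking_enabled", "0") == "1",
        "application_tracking": first("application_tracking_enabled", "0") == "1",
        "custom_event_names": names,
    }


def discover_tokens(capture):
    """Every access token value seen in a query string, body or Bearer header."""
    found = set()
    for _, url, headers, body in capture:
        for source in (urlsplit(url).query, body):
            found.update(parse_qs(source).get("access_token", []))
        auth = headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            found.add(auth[len("Bearer "):])
    return found


def token_uses(capture, token):
    """(host, path, where) for every request that carries `token`."""
    uses = []
    for _, url, headers, body in capture:
        u = urlsplit(url)
        if token in parse_qs(u.query).get("access_token", []):
            uses.append((u.hostname, u.path, "query"))
        if headers.get("Authorization", "") == "Bearer " + token:
            uses.append((u.hostname, u.path, "authorization header"))
        if token in parse_qs(body).get("access_token", []):
            uses.append((u.hostname, u.path, "body"))
    return uses


if __name__ == "__main__":
    for _, url, _, _ in CAPTURE:
        event = parse_app_event(url)
        if event:
            print("app event:", event)
    for tok in discover_tokens(CAPTURE):
        for host, path, where in token_uses(CAPTURE, tok):
            # Never print the token itself; a short prefix is enough to tell them apart.
            print(f"token {tok[:4]}... sent to {host}{path} via {where}")
```

Run it against a real export by replacing `CAPTURE` with the parsed requests; the host check is deliberately strict so that a lookalike domain in the capture is not reported as Facebook.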

phwd | 8 years ago | on: Facebook Secretly Saved Videos Users Deleted

I've downloaded my zip file to try to verify what's going on in the article

I think I have an idea of what might have happened.

When you add a video to the composer window

One of the requests is https://vupload-edge.facebook.com/ajax/video/upload/requests... (Look it up in the network tab of whatever browser dev tool you are using)

With the response as:

    for (;;);{"__ar":1,"payload":{"video_id":"11111111111111","start_offset":0,"end_offset":353662,"skip_upload":false},"bootloadable":{},"ixData":{},"gkxData":{},"lid":"1"}

The video 11111111111111 is now in an "unpublished" state. "unpublished" here meaning it's uploaded to Facebook but not linked to a post yet.

You can verify this by taking that ID and doing the following

https://www.facebook.com/11111111111111/ -> redirects to https://www.facebook.com/phwd/11111111111111/

"Sorry, this content isn't available right now"

Your options now are to either discard the post or publish with a privacy setting which will make the link above available. (Notice I didn't say discard the video, the video is still in an unpublished state)

Now for the archive.

You can verify by going to view-source:fb.com/me in a browser. Search for the string "access_token"; there will be a long string appended (e.g. access_token:"EAAAAU...).

With that token go to your archive and roll over one of the links in the video section that has an issue and doesn't appear in the activity log.

file:///Users/phwd/Desktop/facebook-phwd-from-zip/videos/11111111111111.mp4

grab the ID 11111111111111 and do the following

https://graph.facebook.com/11111111111111?access_token=THE_T...

That shows an unpublished video for me; it wouldn't show in your activity log (that's the only part of the story I can agree with and confirm with what I have available).

To delete, add method=delete to the request.

https://graph.facebook.com/v2.9/11111111111111?method=delete...

Response should be:

    { "success": true }

The next part would be to verify that the video is deleted from the archive. Since Facebook is still giving me the first download zip, I guess I'll have to wait a while (it's 1 am here so I'm heading to bed) until it resets so I can make it build a new archive and confirm the hunch.

This is just my guess, I'm NOT discounting what the Facebook user encountered. I'm just providing a possible background to how it can happen as well as a solution to deleting the "deleted" video. There is also the chance I might be wrong...

References to confirm for yourself. developers.facebook.com/docs/graph-api/reference/video

Disclosure: I don't work for Facebook, however, I do play with their API a bit.
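The procedure in the comment above, as an added example that is not the author's script and not Facebook code. It strips the `for (;;);` guard from the composer upload response to get the video id, diffs the archive's `videos/<id>.mp4` listing against the activity log to find uploads that never got published, and builds the Graph API lookup and `method=delete` URLs for them. The upload response, archive listing and activity log are constructed, the token is fake, and the `published` field name is assumed from the Video reference the comment links:

```python
"""Audit a Facebook data archive for video uploads that were never published
and build the Graph API calls that remove them.  Added example following the
steps in the comment above; not the comment author's script and not Facebook
code.  All inputs below are constructed and the access token is fake."""
import json
import re
from urllib.parse import urlencode

GRAPH = "https://graph.facebook.com/v2.9"  # API version the comment used

# Constructed inputs.  The upload response mirrors the shape shown in the comment.
SAMPLE_UPLOAD_RESPONSE = (
    'for (;;);{"__ar":1,"payload":{"video_id":"11111111111111","start_offset":0,'
    '"end_offset":353662,"skip_upload":false},"bootloadable":{},"ixData":{},'
    '"gkxData":{},"lid":"1"}'
)
SAMPLE_ARCHIVE = [  # paths inside the downloaded zip
    "facebook-archive/videos/11111111111111.mp4",
    "facebook-archive/videos/22222222222222.mp4",
    "facebook-archive/photos/33333333333333.jpg",
]
SAMPLE_ACTIVITY_LOG = ["22222222222222"]  # video ids that do appear in the activity log


def strip_guard(body):
    """Facebook's AJAX endpoints prefix JSON with 'for (;;);' so the body cannot
    be consumed by a cross-site <script> include; drop it before parsing.
    graph.facebook.com returns bare JSON, which passes through unchanged."""
    prefix = "for (;;);"
    if body.startswith(prefix):
        body = body[len(prefix):]
    return json.loads(body)


def upload_video_id(upload_response):
    """video_id from the composer upload response (the video is now 'unpublished')."""
    return str(strip_guard(upload_response)["payload"]["video_id"])


def archive_video_ids(paths):
    """Numeric ids of every videos/<id>.mp4 in the archive listing."""
    ids = set()
    for path in paths:
        m = re.search(r"/videos/(\d+)\.mp4$", path)
        if m:
            ids.add(m.group(1))
    return ids


def unpublished_candidates(archive_paths, activity_log_ids):
    """Archive videos with no activity-log entry: the 'deleted' uploads."""
    return archive_video_ids(archive_paths) - set(activity_log_ids)


def lookup_url(video_id, token):
    # 'published' is assumed from the Graph API Video reference linked in the comment.
    return f"{GRAPH}/{video_id}?" + urlencode(
        {"fields": "id,created_time,published", "access_token": token})


def delete_url(video_id, token):
    # The comment's approach: method=delete in the query rather than HTTP DELETE.
    return f"{GRAPH}/{video_id}?" + urlencode({"method": "delete", "access_token": token})


def redact(url):
    """Strip the token before a URL goes into a log or a bug report."""
    return re.sub(r"(access_token=)[^&]+", r"\1<redacted>", url)


def deletion_succeeded(body):
    """True for the {"success": true} body the comment shows."""
    return strip_guard(body).get("success") is True


if __name__ == "__main__":
    token = "EAAAFAKETOKEN"  # paste the value found in view-source:fb.com/me here
    print("uploaded as", upload_video_id(SAMPLE_UPLOAD_RESPONSE))
    for vid in sorted(unpublished_candidates(SAMPLE_ARCHIVE, SAMPLE_ACTIVITY_LOG)):
        print("check  ", redact(lookup_url(vid, token)))
        print("delete ", redact(delete_url(vid, token)))
```

The script only builds the URLs; fetch each lookup first and confirm the node really is one of your own unpublished videos before issuing the delete, since `method=delete` against the wrong id is irreversible.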

phwd | 10 years ago | on: Uber Bug Bounty Program – It's a Sham

Before this reaches a level rehashing the old "sell it on the blackmarket", I would like to clarify an issue here.

The policy change that occurred for Sean (the person the OP is using for his argument) was that Uber had clarified a change without any clear notification. I blame the HackerOne platform here; there is no way to send a notice of scope unless the program owner manually appends it at the top (as in the case of Yahoo, https://hackerone.com/yahoo).

So its scope (https://hackerone.com/uber) changed from in scope

"Exposed Administrative Panels and Ports (Excluding OneLogin)"

to

"Exposed Administrative Panels that don't require login credentials"

With ports moved to out of scope unless,

"Open ports without an accompanying proof-of-concept demonstrating vulnerability"

I cannot speak for the OP and the validity of his XSS bug however.

phwd | 12 years ago | on: Facebook reveals friends list even when it’s set to private

The friend list issue seems to be a perpetual "won't fix". I'm pretty sure every so often security researchers and testers reach this "vulnerability" in one way or another. I've gotten a similar response from the Security Team for trying to dig up friend lists. Maybe it helps, maybe it doesn't. I've learned to accept the stance and move on to other security holes.

"A friend connection is two-way - you friend someone, then they approve the friend request. In essence, a friend connection means both "Philippe considers John a friend" and "John considers Philippe a friend". In other words, both people involved have some ownership over this claim - which means the privacy isn't always as simple as with other content."

"Let me use the third example in your screenshots to illustrate. Mark Zuckerberg's friend list is not public. But Greg Golkin's friend list is public - meaning if you pull up Greg's friends, you can see Mark in the list. You can also see Kevin Scott is in the list. Kevin's friend list isn't public... but Stuart Gillette's is, so you can see Kevin show up there. Consequently, using fb:degrees hasn't shown you any information you couldn't theoretically figure out by looking at public friend lists - it's just made it easier to find that info."

"Now I that at first glance this might appear to be inconsistent or a privacy violation. But remember what I said earlier about the two parties involved in a friendship connection. Essentially, you're free to hide the fact that you consider John a friend, but it's also John's choice to publicize that he counts you as a friend - and hiding connections he's publicized would essentially override his privacy wishes. In some cases, such as with fb:degrees, we show connections if they're visible to you on at least one side of the friendship."

"Now, if Mark's list is private and all of his friends set their lists to private too, you should never get a result using fb:degrees. In that case, any final link in the chain connecting you to Mark would involve a friendship that was hidden to you from both sides of the connection, so we wouldn't display it to you."

"A common case where we get similar reports is the "friendship page" between two people - we show mutual friends of the two people if each of the two friend connections is visible to you on at least one side, but we hide any mutual friends where one of the connections is hidden on both sides. To help clarify some of these situations, we added this description to the friend list privacy setting: "Remember: Your friends control who can see their friendships on their own timelines. If people can see your friendship on another timeline, they'll be able to see it in news feed, search and other places on Facebook. They'll also be able to see mutual friends on your timeline."

"This is a case where privacy can get complicated, but we think the way we've chosen to operate is a good balance of the competing priorities involved. We've also chosen to focus more on privacy controls around your content and personal information, since trying to maintain privacy by limiting discoverability is often an illusion. Since Facebook is a network designed for social participation, it's nearly impossible for it to work properly and let people stay completely hidden - there are many ways to discover a profile or friendship beyond friend lists or searches. But even if someone discovers your profile, you have a great degree of control about what they can then access.

I hope that helps clarify what you were observing here. Emrakul was also correct that we have rate limiting to prevent brute-forcing at scale, and given the above controls, even building up a list through iterations would never allow you to know for sure if you'd acquired the entire hidden friend list. I think our current setup is working as intended here, but definitely let us know if you think the controls I described can be overridden somehow."
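The visibility rules in the quoted reply, as an added model (not the comment author's or Facebook's code): a friendship is shown when it is visible on at least one side, mutual friends on a friendship page need both connections visible on at least one side each, and an fb:degrees-style chain only follows visible links, so it dead-ends when the target and all of the target's friends hide their lists. The users and friendships are constructed from the names in the reply, and the three settings (`public`, `friends`, `only_me`) are an assumption standing in for Facebook's real options:

```python
"""Model of the friend-list visibility rules in the Facebook reply quoted above.
Added example, not the comment author's or Facebook's code; users, friendships
and the three privacy settings are constructed/assumed."""
from collections import defaultdict, deque


class FriendGraph:
    def __init__(self):
        self.friends = defaultdict(set)   # two-way, as a friend connection is
        self.setting = {}                 # user -> "public" | "friends" | "only_me"

    def add_user(self, name, setting="public"):
        self.setting[name] = setting
        self.friends.setdefault(name, set())

    def befriend(self, a, b):
        self.friends[a].add(b)
        self.friends[b].add(a)

    def list_visible(self, owner, viewer):
        """Can `viewer` open `owner`'s own friend list?"""
        if owner == viewer:
            return True
        s = self.setting[owner]
        return s == "public" or (s == "friends" and viewer in self.friends[owner])

    def edge_visible(self, a, b, viewer):
        """A friendship is shown if it is visible on at least one side."""
        return self.list_visible(a, viewer) or self.list_visible(b, viewer)

    def inferable_friends(self, target, viewer):
        """Friends of `target` the viewer can learn of without target's list:
        every connection the other party has publicised."""
        return {f for f in self.friends[target] if self.edge_visible(target, f, viewer)}

    def mutual_friends(self, x, y, viewer):
        """Friendship-page mutual friends: both connections visible on >= 1 side."""
        return {m for m in self.friends[x] & self.friends[y]
                if self.edge_visible(x, m, viewer) and self.edge_visible(y, m, viewer)}

    def degrees(self, viewer, target):
        """fb:degrees-style chain from viewer to target over visible links only;
        None when every route ends in a link hidden on both sides."""
        prev = {viewer: None}
        queue = deque([viewer])
        while queue:
            cur = queue.popleft()
            if cur == target:
                path = []
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                return path[::-1]
            for nxt in sorted(self.friends[cur]):   # sorted for a deterministic path
                if nxt not in prev and self.edge_visible(cur, nxt, viewer):
                    prev[nxt] = cur
                    queue.append(nxt)
        return None


def sample_graph():
    """Constructed from the names in the reply: Mark and Kevin hide their lists,
    Greg and Stuart do not."""
    g = FriendGraph()
    for name, setting in [("Philippe", "public"), ("Greg", "public"),
                          ("Stuart", "public"), ("Mark", "only_me"),
                          ("Kevin", "only_me")]:
        g.add_user(name, setting)
    for a, b in [("Philippe", "Greg"), ("Philippe", "Stuart"),
                 ("Greg", "Mark"), ("Stuart", "Kevin"), ("Kevin", "Mark")]:
        g.befriend(a, b)
    return g


if __name__ == "__main__":
    g = sample_graph()
    print("Mark's friends Philippe can infer:", g.inferable_friends("Mark", "Philippe"))
    print("chain to Mark:", g.degrees("Philippe", "Mark"))
    g.setting["Greg"] = "only_me"   # now every friend of Mark hides their list too
    print("chain once all Mark's friends go private:", g.degrees("Philippe", "Mark"))
```

With Greg public, Philippe learns that Mark is Greg's friend and gets a chain Philippe, Greg, Mark even though Mark's own list is hidden; the Mark-Kevin link stays invisible because both sides hide it, and once Greg goes private too the chain disappears, which is exactly the "all of his friends set their lists to private" case in the reply.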

phwd | 12 years ago | on: This script shows you how Facebook ranks all your friends

This is slightly incorrect; it's more how Facebook ranks for searching. Those numbers are for search bar ranking of objects (users, groups, etc.) you recently and/or most interact with. You can check yourself by typing the first letter of any of those names; that name is probably the first selection in your Facebook search bar.

A better ranking would be to look at communication_rank and observation_rank in FQL (https://developers.facebook.com/docs/technical-guides/fql/)

    SELECT uid2, communication_rank, observation_rank FROM friend WHERE uid1=me() ORDER BY communication_rank

phwd | 12 years ago | on: Facebook now has clickable hashtags

> can you be both the place where people connect with their closest connections, and where public discourse goes on?

This remains to be seen. They have been working on it, just in a crash, burn and restart kind of way. Mark Zuckerberg once went through two options for public discourse:

* create a Facebook fan page

* open his personal profile to public

The first attempt was silently killed (from what I can see, this is my assumption) and now redirects to his personal page (www.facebook.com/markzuckerberg -> www.facebook.com/zuck). The second attempt, well, as you can see from his profile, it is pretty much closed up now.

Private sharing, at least among the friends I have, has been going on pretty frequently, just not on the timeline:

* private groups

* group messages

With messages, it seems Facebook is testing inline message (1) along the status composer (on the homepage) which aligns with the thinking that they are making private sharing less restrictive to action on while maintaining "privacy" (in quotes, as some may not agree to the level of privacy offered)

I have no data to back up how effective private sharing is though.

(1) http://techcrunch.com/2013/06/02/facebook-status-composer-me...

phwd | 12 years ago | on: How to Spam your Facebook Friends for a Week

This is pretty much the same method a user can use to provide a negative comment using the Like Button comment feature on a company, though actually a lot worse and a bit more annoying. This also appears in "X is posting about Y" which I wrote about a while back [1], grinds my gears really.

The ad push is more aggressive than I am comfortable with

On the flip side, because of how these sponsored stories/posts work, if you are able to chain together an exploit with click-jacking or otherwise, you can get a pretty decent worm [2] going using their very own sponsored stories feature against them.

[1]: http://philippeharewood.com/facebook/tupac-is-posting-about-... [2]: http://philippeharewood.com/facebook/make-it-red-and-viral/

phwd | 12 years ago | on: Why you can't dislike something on Facebook

You can't dislike something on Facebook because users will feel discouraged. The whole point of Facebook is to share content with people you know and have content shared with you. By participating in the "negative" this goes counter to that idea.

Facebook is an identity/friend/family driven network; you wouldn't like seeing that John and Mary disliked your marriage. This works perfectly in an HN/Reddit environment since you can dissociate yourself and have pseudonymity.

As for Facebook Pages, maybe there is potential here. Though again unless you are a big brand, I don't know with certainty whether a post with 10 dislikes and faces attached to them is better than no likes at all.

The OP has an interesting way to look at it, though, I'm pretty sure this has been explained more than once by Facebook Engineers.

phwd | 13 years ago | on: Your Mac Keeps A Log Of Your Downloads

This is amazing. Whoever feels comfortable about it should band together and see what files, or domains, are in common. I want to delete this, yet I don't. This contains all (most?) of the files I have ever downloaded, those I thought I lost when clearing browsing data from 2008.

My first few files

* Symantec_Antivirus_Mac.dmg

* http://msdn01.e-academy.com|http://download.e-academy.com/do... (MSDN Alliance: Free Microsoft Software for Students)

* http://download2.vmware.com/software/fusion/VMware-Fusion-1....

* http://download.skype.com/macosx/Skype_2.7.0.330.dmg

Scary, yes (the torrent files), but so much history to look at.

    sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent' | sort
Ordered by date
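The same log the one-liner above reads, as an added example (not the comment author's script) that goes a step further than listing it: it converts the CFAbsoluteTime timestamps, counts downloads per host (the "what files or domains do we have in common" idea), picks out entries by extension, and can purge the table for anyone who decides to delete the history after all. It runs against a constructed in-memory copy of the LSQuarantineEvent table carrying only the columns the one-liner uses; open the real file with `sqlite3.connect(REAL_DB)` to run the same functions on your own log:

```python
"""Summarise the macOS LaunchServices quarantine log (the download history the
comment describes).  Added example, not the comment author's code.  SAMPLE_ROWS
is constructed; the table and column names match the real file."""
import sqlite3
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path
from urllib.parse import urlsplit

MAC_EPOCH_OFFSET = 978307200  # 2001-01-01 (CFAbsoluteTime zero) as a Unix timestamp
REAL_DB = Path.home() / "Library/Preferences/com.apple.LaunchServices.QuarantineEvents"
COLUMNS = ("LSQuarantineTimeStamp", "LSQuarantineAgentName",
           "LSQuarantineOriginURLString", "LSQuarantineDataURLString")

# Constructed rows: (timestamp, agent, origin URL, data URL).  A NULL origin is
# normal in the real table, so one row has none.
SAMPLE_ROWS = [
    (252460800.0, "Safari", "http://www.example.com/download/",
     "http://download.example.com/mac/Messenger_2.7.dmg"),
    (260000000.0, "Firefox", None,
     "http://downloads.example.org/tools/editor-3.2.dmg"),
    (270000000.0, "Safari", "https://tracker.example.net/",
     "https://tracker.example.net/ubuntu.iso.torrent"),
]


def sample_db():
    """In-memory database with the same table and column names as the real file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL,
        LSQuarantineTimeStamp REAL,
        LSQuarantineAgentName TEXT,
        LSQuarantineOriginURLString TEXT,
        LSQuarantineDataURLString TEXT)""")
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?)",
                     [(f"evt-{i}", *row) for i, row in enumerate(SAMPLE_ROWS)])
    conn.commit()
    return conn


def load_events(conn):
    """Rows as dicts, oldest first, timestamps converted to UTC datetimes."""
    sql = (f"SELECT {', '.join(COLUMNS)} FROM LSQuarantineEvent "
           "ORDER BY LSQuarantineTimeStamp")
    events = []
    for ts, agent, origin, data_url in conn.execute(sql):
        when = (datetime.fromtimestamp(ts + MAC_EPOCH_OFFSET, tz=timezone.utc)
                if ts is not None else None)
        events.append({"time": when, "agent": agent, "origin": origin, "data_url": data_url})
    return events


def domains(events):
    """Download counts per host: the 'what do we have in common' view."""
    return Counter(urlsplit(e["data_url"] or "").hostname for e in events)


def with_extension(events, ext):
    """Entries whose downloaded file has the given extension (e.g. '.torrent')."""
    return [e for e in events if (e["data_url"] or "").lower().endswith(ext.lower())]


def purge(conn):
    """Delete the whole history and compact the file; returns rows removed."""
    removed = conn.execute("DELETE FROM LSQuarantineEvent").rowcount
    conn.commit()
    conn.execute("VACUUM")  # deleted rows would otherwise stay in the file body
    return removed


if __name__ == "__main__":
    conn = sample_db()   # use sqlite3.connect(REAL_DB) for the real log
    events = load_events(conn)
    for e in events:
        print(e["time"].isoformat(), e["agent"], e["data_url"])
    print("per host:", dict(domains(events)))
    print("torrents:", [e["data_url"] for e in with_extension(events, ".torrent")])
```

Copy the real file before running `purge` on it: the database is also where Gatekeeper's quarantine bookkeeping lives, so keep a backup until you are sure you want the history gone.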

phwd | 13 years ago | on: Introducing Graph Search

I'm torn. On one side I really like it, it reminds me of the old People Search feature Facebook used to have. On the other side for third party developers especially those who try to make the Facebook experience better, I'm afraid this is reinforcing the point you should not build 100% on platforms.

I'm sure there are many who have had this idea or are building this currently. The Facebook Heroku templates given to new developers to start with hit on the four main areas that Graph Search seems to provide.

Another example would be a query like

    movies liked by people who like movies I like
In FQL the closest I would have gotten was

    SELECT name, page_id from page where page_id in (SELECT page_id from page_fan where uid in (SELECT uid2 FROM friend WHERE uid1 = me()) and profile_section='movies')
And even then, FQL was unstable.

So then you wonder, why use an app with an unstable query built on an API filled with bugs when I can faster get the result using facebook.com?

phwd | 13 years ago | on: Amazon.com criticising new iPad on homepage

Agreed both sides have their fair share of false marketing but did you really have to add the last paragraph? Everything else about your counter is reasonable, no need to be snide.