“man showing photo of him” by Kyle Glenn on Unsplash

How I reverse-engineered Facebook’s face tagging

The other day, after obviously watching too much Black Mirror, I was wondering how hard it would be to be able to point your mobile phone camera at someone and identify this person by their Facebook profile.

Reverse-engineering photo uploading

At this point I considered the following vectors of attack: native mobile apps and mobile web apps (https://m.facebook.com and https://mbasic.facebook.com). I was leaning towards web apps, as I didn’t want to bother with SSL pinning. I also wanted to avoid dealing with JavaScript, so I ended up with mbasic.facebook.com, which is just static web pages.

feed_composer
photo_id

Tapping into Facebook photo tagging API

It turned out that to query the tagging API with mbasic.facebook.com you’d have to proceed all the way to the finish and actually submit a post with a photo, which would show up on your Facebook wall. So make sure you have Share with: Only Me in your post settings:


Caveats

Since I originally intended to leverage photo tagging in a mobile app, I wanted to deploy the script and access it through an API endpoint: POST an image and get the Facebook ID of a user in the image.

Moving forward

I was able to achieve about 7 seconds response time for my API calls: from uploading a photo to getting the Facebook ID of the user in the photo. That’s including a random 1 second sleep for who knows what reason (trust me, it was needed).

Written by

Hacker. Entrepreneur. Jetsetter. Dreamer. @nderkach http://derka.ch
