DOB disclosed using “Facebook Graph API Reverse Engineering”

  1. Background information:
    Facebook uses the Graph API to fetch user data from its systems. To observe the behaviour of the Facebook timeline API, I logged the requests and responses of the Facebook Android application on my machine. I found that the Graph timeline API follows a pattern when fetching a user's posts. Using this pattern, an attacker can disclose the date of birth (DOB) of any Facebook user.
  2. Facebook graph timeline API request and response:
Graph Timeline API request to get user timeline data
Graph Timeline API request body attributes
Graph Timeline post response body attributes
Graph Timeline API request query_params body attributes
Decoding the above Base64 string
JavaScript snippet: to get dates from the numbers
Customised Node script result
Note that DOB information is not visible in this profile
Screenshot of the FB DOB disclosure web application
Sorry, the above one is a year-old screenshot :(
  1. 1st part: FB users' birth year disclosed via the FB Timeline profile source code “data attribute”
  2. 2nd part: My 2nd Facebook bounty POC: “FB Date of Birth Disclosure”

Please share your comments on this POC.


I am an enthusiastic web developer, with reasonable knowledge of HTML5 game development, JavaScript and web threats.

Raja Sekar Durairaj