The other day, I wrote a blog post (in Swedish), where I described hot to fetch all your friends Facebook statuses as RSS. At the time, I was convinced that you no longer could get an RSS feed containing your own, personal Facebook statuses. So I wrote the post as a way to accomplish that feed and suggested that people ask a friend for their ”friend feed” or create a fake friend in order to pick up you own statuses via RSS.
After that, many people has contacted med to tell me that they still are able to get their personal RSS feed from Facebook, but others have just like me found that the old RSS feed URL redirects and doesn’t work anymore. However, with a lot of help from my friend Christian Bolstad (at kracked.com and iPhone24.se), I got it to work, and in the process I happened to stumble over yet another privacy glitch by Facebook:
If you use your personal RSS feed, and thereby (like I have been doing) expose the URL, anybody can fetch all your friends Facebook updates regardless of their security settings within Facebook. You can even use Google to find RSS feeds for friends’ Facebook statuses.
With this in mind, I still find it worth while to write a guide about it. I have warned my Facebook friends about it, and hope that most of them are transparent enough to stick with me.
Step one – reset your Facebook privacy settings to ”recommended”.
The first thing you need to do is to reset your privacy settings within Facebook to ”recommended”.
• Select Privacy Settings from the Account menu at the top far right of the Facebook menu bar.
If the settings for Facebook Sharing looks anything like in the image below, you probably haven’t made any customizations to the privacy settings. If you have done some changes, click the Recommended tab and then the button saying Apply these settings.
Now, if you did need to reset the recommended settings, you might want to wait for a while, log out of Facebook, take a quick stroll, make a cup of coffee or maybe even do some work. Facebook has a huge server cluster, and we want these changes to propagate through them.
Anyway. It’s important to log out of Facebook before the third step, so you might just do it immediately after applying the new settings.
If you didn’t change anyting you can go right on to step two without a seconds pause.
Step two – find your Facebook ID and RSS key
Now we’re off to find one of the two RSS feeds that Facebook still lets us use. I’d recommend the Friend’s notes RSS feed since we’ll talk about this later. (There is also a feed containing all your friends notification, i.e. Jill Johnson liked your status, John Doe commented on Jill Johnssons status…)
• Start with logging in to Facebook again.
• Go to www.facebook.com/notes.php?friends (it might take forever to load, it does for me most of the time). This page contains all your friend’s notes. Look for the box that looks something like the one in the image to the right. It contains an RSS icon and the link My Friends’ Notes.
• Click on the RSS link at the top right side of the content area, pictured on the right.
You are now looking at an RSS feed containing your friends’ notes on Facebook. What we want to do is use two values from the URL. The Facebook ID (a numeric value) value and the key value (which is a mixed alphanumeric value). The values below are fake values that I made up.
http://www.facebook.com/feeds/friends_notes.php?id=123456789&key=a9b8c7d6f5&format=rss20
However. We want the URL to our
• Make a note of your ID and Key values.
• Copy the URL below to a new browser tab or window, and replace the fake values in it with your own values.
http://www.facebook.com/feeds/status.php?id=123456789&viewer=123456789&key=a9b8c7d6f5&format=rss20
• Replace both the id and viewer values with your Facebook ID as found in the first URL above and then replace the key value with your own secret key value as found in the first URL.
Now you’re set. If the URL doesn’t produce a feed, check that your security settings are set to Recommended and that you haven’t copied anything wrong. If it still doesn’t work, try logging out from Facebook and do some more work for a while before logging in and trying again.
When the feed is activated, you don’t need to be logged in to Facebook to use it, and you can use it as an RSS feed for you blog, or in the Lifestream extension or even for an alternative way of updating Twitter.
So how is this an privacy issue for Facebook?
As mentioned above, I regard the use of the ID and key values in the feed as an privacy issue, and the reason for that is that Facebook, although secretive, actually has a few other feeds, that use the exact same values. One of the most interesting ones are the feed displaying all your friends’ Facebook updates.
Yes it’s true. There actually is such a feed, and it displays all your friends’ Facebook updates regardless of their security settings. Rather wicked, and I promise you that most of my more secretive friends (or should I call them privacy aware?) blew a few fuses when they realized that I could collect all their updates via RSS and do anyting I wanted with the data.
The URL looks like this:
http://www.facebook.com/feeds/friends_status.php?id=123456789&key=a9b8c7d6f5&format=rss20 (The values are once again fake values, since I don’t want to piss off my friends.)
The security issue is the fact that the id and key values are exactly the same as in the URL for your own RSS feed (and for all other feeds used for Facebook RSS).
Now I’m all for transparency. I thrive on transparency, and the only reason I have been looking for these feeds is that I want to share my Facebook statuses to the world (here on my blog and in my lifestream and maybe in other places as well). If Facebook had made it easier for me to find it, I wouldn’t have given this a second thought. But the way that Facebook are hiding the feeds, and the way the URLs are formated opens up a vast privacy issue for people that aren’t as transparent as I am and might have cause to have stronger locks on their Facebook life.
The security risk could easily be removed if Facebook implemented open feeds, that you could turn on or off in the security settings, with a URL that looked like www.facebook.com/nikke/feed/personal instead of sending those secret key values out for anyone to see.
Facebook has some measures in place for protection
As I warned my Facebook friends that I was writing this post, someone warned med that the biggest privacy threat to Facebook was users like me who can’t stay away from letting everything out in the open. He also feared that the only measure Facebook would take was shutting the feeds down. Now that would be a pity.
But Facebook actually has taken some precautions with the feeds.
The first is that they have made it a bit harder to spider the Facebook feed. You can’t do it with a simple curl command. You need to masquerade as a browser or feed reader, which is very easy to do.
The second is that even if you click on the RSS icon on your blog after implementing the feed, you are redirected from the feed address to a page that requires you to be logged in. It seems that they do this by looking at the referal and if it isn’t empty you are redirected to http://www.facebook.com/minifeed.php?status&id=123456789 which in turn redirects you to http://www.facebook.com/nikke?v=feed This is good, but I still find it a bit awkward. It’s security by obscurity…
The third is that feeds seem to be turned off whenever you change your security settings. In my case you can easily pick up all my friends statuses if you have the address to my personal feed, but that doesn’t apply to everyone. I know that since I have googled these URLs. Try it yourself:
That last search produces 6,590 feeds full of status updates by people that just might think that their Facebook statuses are visible only to their Facebook friends and in some cases only for a select group of Facebook friends. Imagine if someone started collecting these feeds?
I hope that Facebook will rethink the way they are hiding these hidden feeds, and that they will reformat them not to expose the key value, or better still by using different key values for different feeds. How long will it take until someone cracks the way to create the key value?
Do you agree or disagree? The comment form is open for discussion.
