Friday, 21 June 2013

Facebook - 2 ways to force your follower to unfollow you

The first way is actually described at https://www.facebook.com/help/382751108453953/:

"If you don’t want a specific person to follow you, or you want to disconnect from a specific follower, you can block them at any time." 

So you need to block the follower. https://www.facebook.com/help/168009843260943 explains how to block someone.



Also, Facebook mentioned that:



So, 

1. If you turn off the follow setting and then turn it back on, your followers will be restored.
2. If you deactivate and then reactivate your account, your followers will be restored.

However, something is conceptually missing here:

1. If you block your follower and then unblock him, the following connection is cut off in both directions. That means you are no longer following him, and he/she is no longer following you. Because of security concerns, re-blocking someone is only allowed after 48 hours.





For those who are curious about the 48-hour restriction, the security concern is this:
When user A blocks user B, user B can't block user A. So every time user A wants to visit user B's profile, user A just unblocks user B. That's why the 48-hour restriction exists: to minimize stalking.



Is that all?

No, it's not. There's one more way user A can force user B to unfollow him without going through the blocking process:

The real story:

1. User A and user B are not friends. User B follows user A.

2. User A doesn't want user B to follow him, but user A also doesn't want to block user B. It seems there's no official option to remove user B from his followers.



3. User A goes to https://www.facebook.com/USER_B_USER_ID and clicks the "Add Friend" option.




4. After the friend request is sent, user A immediately clicks the "Cancel request" option before user B is able to notice the notification.






5. And now the magic happens: user B automatically unfollows user A, and vice versa. The Followers tab is gone.





Thursday, 13 June 2013

Facebook series 1 - link, the underestimated timebomb

I noticed the misbehaving /link type post quite a long time ago. Previously, if I reached the rate limit with /feed type posts, I could use /link type posts because they have a higher rate limit compared with /feed. But now the rate limit of /feed type posts has been increased, so it seems there's no obvious advantage to /link type posts.

However, this misbehaviour of /link type posts has a high potential to lead to a new security vulnerability in the future, if not now.

Currently there are already 2 misbehaviours I've noticed:

1. Bypass page to page posting restriction using API


Actually, it shouldn't be considered a bug, because a page admin is allowed to post as a page to another page using https://www.facebook.com. However, it's not supposed to be possible using the Facebook Graph API.

Let's say you are the admin of a fanpage called "Iptv", and you want to post to the fanpage "coca-cola".
The first step is to get a Page Access Token via the /me/accounts API endpoint. (Put this Page Access Token inside the Graph API Explorer's access token field to test.)
You can't simply send an HTTP POST request to PAGE_ID/feed with the message parameter, because you would get an error message instead:



Here is the workaround: if you post a 'link' type post, you are able to bypass this restriction and post as the page.




Open the coca-cola fanpage at https://www.facebook.com/cocacola and filter by Posts by Others; you can see that the post to the coca-cola page was made successfully as another page called 'Iptv':







2. Bypass the fan page ban restriction on posting



This is not supposed to happen even using https://www.facebook.com, not just the API.


The fan page admin has banned the user; however, the user can still use the Graph API to bypass this restriction, post a link and customize its photo. The main cause is the "link=" parameter.

The real story:


1. Page A's admin blocks user B.



2. User B uses curl to post: curl -vLk -F link=http://www.google.com/ -F message=ha --form "picture=http://i.stack.imgur.com/7J2xf.png" https://graph.facebook.com/PAGE_A_ID/feed?access_token=USER_ACCESS_TOKEN

3. The post to page A succeeds. The post is visible when filtering by "Posts by Others" at https://www.facebook.com/pages/PAGE_A_NAME/PAGE_A_ID?filter=2





*I've already reported bug #2 to Facebook at https://developers.facebook.com/bugs/285031211633194
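
As an added illustration (not Facebook's code and not part of the original post), the sketch below models how a ban check can end up enforced for plain posts but skipped for 'link' posts, next to a handler that authorizes before dispatching on post type, plus a regression check that tries every post variant as a banned user. The handler names, the Page class and the sample parameters are hypothetical, and where the check is missing is an assumption; the post only states that the cause is the "link=" parameter.

```python
# Hypothetical model of a page-wall publish handler; none of these names are Facebook's.
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller is not allowed to publish on the page."""

@dataclass
class Page:
    banned: set = field(default_factory=set)  # user ids banned by the page admin
    wall: list = field(default_factory=list)  # published posts

def publish_flawed(page, user_id, params):
    """Assumed flaw: the ban check lives in one branch, so the other skips it."""
    if "link" in params:
        # Link posts take a separate path that never consults page.banned.
        post = {"type": "link", "from": user_id, **params}
    else:
        if user_id in page.banned:
            raise Forbidden("user is banned from this page")
        post = {"type": "status", "from": user_id, **params}
    page.wall.append(post)
    return post

def publish_hardened(page, user_id, params):
    """Authorize once, before any dispatch on the post type."""
    if user_id in page.banned:
        raise Forbidden("user is banned from this page")
    post = {"type": "link" if "link" in params else "status", "from": user_id, **params}
    page.wall.append(post)
    return post

# Constructed parameter sets, one per post shape the endpoint accepts.
POST_VARIANTS = [
    {"message": "ha"},
    {"message": "ha", "link": "http://example.com/"},
    {"message": "ha", "link": "http://example.com/", "picture": "http://example.com/p.png"},
]

def variants_allowed_for_banned_user(publish):
    """Regression check: return every variant a banned user can still publish."""
    leaked = []
    for params in POST_VARIANTS:
        page = Page(banned={"USER_B"})
        try:
            publish(page, "USER_B", params)
            leaked.append(sorted(params))
        except Forbidden:
            pass
    return leaked
```

Running the check against both handlers shows the gap only on the link-bearing variants of the flawed one, which is why an authorization test should enumerate every accepted parameter combination rather than only the default post type.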