I set my profile to private. I turned off "Public Search Results" and "Facebook Search Results" is set to "Only Friends".

If you're not logged in, my URL returns a 404: http://www.facebook.com/davetufts (or by ID: http://www.facebook.com/profile.php?id=603069147 )

Not a huge deal, because the graph page only shows my name and ID, but they are publicly accessible: http://graph.facebook.com/davetufts or http://graph.facebook.com/603069147

Appending /picture?type=large to your graph page works, too. Uh, oh...

I can see the following as a logged-in Facebook user, which is identical to what the Graph API returns: http://imgur.com/8y8hf.png

I'm not seeing a discrepancy here?

Like I said, the discrepancy is if you're NOT logged in.

I'm not seeing an issue here though -- that profile information was readily available in HTML (if you have a Facebook cookie) and is now even more accessible via JSON.

In fact, the JSON API gives out less information than the HTML frontend (e.g. all 18 pages you currently follow).

Like he said, the discrepancy is when you are not logged in. I can see his info and his private profile pic although I don't even have a Facebook account and the HTML version gives me a 404.

It's not a big deal, anyone could make a throwaway FB account and see the same data. The difference is almost immeasurable.

You don't think it's a big deal that I can crawl FB to capture the names and pictures of people, regardless of their privacy settings?

