Suck-O Time

Who's online


Now online:
  • 74 guests

Latest members:
  • ZZZ712
  • jonicarlisle980
  • helenaferro95579
  • ulrikewasinger7239
  • tammiecarswell61

Total members: 42080

 


Attack Of the Facebook Snatchers 2 PDF Print E-mail
Written by dnr   
Thursday, 29 July 2010 00:21

@FSLabsAdvisor wrote an interesting Tweet:

it turns out, by heading to https://www.facebook.com/directory, you can get a list of every searchable user on all of Facebook!

My first idea was simple: spider the lists, generate first-initial-last-name (and similar) lists, then hand them over to @Ithilgore to use in Nmap's awesome new bruteforce tool he's working on, Ncrack.

 

 

But as I thought more about it, and talked to other people, I realized that this is a scary privacy issue. I can find the name of pretty much every person on Facebook. Facebook helpfully informs you that "[a]nyone can opt out of appearing here by changing their Search privacy settings" -- but that doesn\'t help much anymore considering I already have them all (and you will too, when you download the torrent). Suckers!

Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details. If the user has set their privacy higher, at the very least I can view their name and picture. So, if any searchable user has friends that are non-searchable, those friends just opted into being searched, like it or not! Oops :)

The lists

Which brings me to the next topic: the list! I wrote a quick Ruby script (which has since become a more involved Nmap Script that I haven't used for harvesting yet) that I used to download the full directory. I should warn you that it isn't exactly the most user friendly interface -- I wrote it for myself, primarily, I'm only linking to it for reference. I don't really suggest you try to recreate my spidering. It's a waste of several hundred gigs of bandwidth.

The results were spectacular. 171 million names (100 million unique). My original plan was to use this list to generate a list of the top usernames (based on first initial last name)...

Read more:

http://www.skullsecurity.org/blog/?p=887

Last Updated on Wednesday, 28 July 2010 22:49
 

Comments  

 
#2 where?firecracker 2011-02-18 03:26
where can you get torrent?
:-?
 
 
#1 RE: Attack Of the Facebook Snatchers 2p4inl0v3r 2010-08-01 13:26
i got the torrent :P woot woot ! lol
 

Sorry, but you have to be registered and logged in to post comments.