facebook graph API security irregularities

During the development of the mobile website I have gotten quite deep into the facebook graph API and the security therein.

When a user wants to use the darknothing services (mobile site, Chrome extension) they are asked to authenticate with facebook to allow darknothing various access rights.

I request the permissions publish_stream, offline_access, user_status and read_stream.

This allows me to post on the user's behalf when they aren't logged into facebook, which is essential for the Google Chrome extension, and it allows me to read the user's news feed, which is essential for the mobile site, as you can imagine. The user isn't logging into facebook. They are logging into darknothing.

So, while it has been in development I have had access to it and I have been using it.

The interesting bit

The mobile website shows statuses and comments just like my 'Most Recent' news feed, with these differences:

  • Some statuses that are visible to me on and (mobile website) are simply not there when I pull my news feed through the graph API. I imagine that this is down to a privacy setting somewhere whereby all 3rd party applications are blocked - kinda heavy handed!
  • Links and statuses come through from applications that I have totally blocked on facebook itself (FarmVille etc.). This would suggest that and are applications themselves running above the facebook engine, and that my blocking of the other applications is just a setting I have made on the facebook application rather than on facebook itself… Either that, or facebook doesn't recognise application blocking through the graph API, which given the above point about vanishing statuses seems a little odd.
  • Some statuses from friends are visible on facebook. The most recent one from a friend had 3 comments on it: two from people I knew and one from a person I don't know. Fair (and normal) enough, but when I pull my news feed through the graph API the status comes through and shows only two comments. It's like the other person just vanished.
  • In one final, very bizarre example: I have a friend's status which, when viewed on facebook, has no comments. I commented on it, clicked submit and it still showed no comments. BUT. When pulled through the graph API all 5 comments were visible to me. How about that!!!?

I would guess all of the above can be explained away by various security settings on individual accounts, but what makes it interesting is that what is deemed viewable on facebook given a set of security settings and what is deemed viewable through the API given the same set of rules don't seem to sing a very cohesive tune…


kruelintent posted this