The blogosphere has often bemoaned the fact that Facebook provides no RSS feed or similar mechanism for accessing a user’s news feed or mini-feed (now combined with wall posts) outside of Facebook. Other feeds, such as the status updates of friends, are available in RSS via tokenized URLs. Many lifestreaming applications would certainly benefit from access to a user’s actual activity feed instead.
However, such access is not impossible. In browsing the code for the new Facebook layout, I noticed how much AJAX was used in handling the display of feed items on a user’s profile. A bit of analysis revealed that all of the feed items visible on the profile are available via AJAX. By posting the proper variables to a particular URL, you can get the feed items as HTML embedded within some JSON. I’m quite certain that a regex ninja could parse the results into a usable format.
So what’s the catch? Facebook protects against CSRF attacks by adding to forms a variable called “post_form_id” that contains a special hex string. That variable is required to pull off the aforementioned AJAX requests. A simple check of the source code on nearly any Facebook page will allow a user to find his or her current post_form_id (I say “current” without being certain how often it changes - I do know my current one has persisted across the last two sessions).
Now, post_form_id serves an extremely important purpose, and if a non-Facebook page could automatically access it, CSRF attacks would likely be quite simple. Still, I can imagine knowledgeable geeks making use of this AJAX hack, if for nothing else than proof-of-concept tools.
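The post describes post_form_id as a hex string that every feed POST must carry, and notes that the same value persisted across two sessions. As an added illustration (not Facebook's implementation and not code from the original post), here is one common way a server can mint and check such a form token so that it is bound to a single session and expires. The key, lifetime, session IDs and handler name are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key; a real deployment loads a random secret from protected config.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
TOKEN_TTL = 3600  # seconds a token stays valid (assumed policy)


def _mac(session_id: str, ts: int) -> str:
    """HMAC over the session id and issue time, so a token cannot be reused elsewhere."""
    msg = f"{session_id}|{ts}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id: str, now: Optional[int] = None) -> str:
    """Return 'timestamp.hexmac' for a hidden form field (the role post_form_id plays)."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_mac(session_id, ts)}"


def verify_form_token(session_id: str, token: str, now: Optional[int] = None) -> bool:
    """Accept only a well-formed, unexpired token minted for this exact session."""
    current = int(time.time() if now is None else now)
    ts_text, sep, mac_hex = token.partition(".")
    if not sep or not (ts_text.isascii() and ts_text.isdigit()):
        return False
    ts = int(ts_text)
    if ts > current or current - ts > TOKEN_TTL:
        return False  # issued in the future, or older than the allowed lifetime
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(_mac(session_id, ts).encode(), mac_hex.encode())


def handle_feed_post(session_id: str, form: dict, now: Optional[int] = None) -> int:
    """Hypothetical AJAX handler: HTTP status for a state-changing or data-returning POST."""
    token = form.get("post_form_id", "")
    return 200 if verify_form_token(session_id, token, now) else 403
```

Because the token is derived from the session identifier and an issue time, a value copied from one session's page source is rejected in another session and stops working after the lifetime elapses.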
To get a quick feel for how this works, check out a simple test page I whipped up. You’ll need your Facebook ID and your current post_form_id, and the page will forward you to either your entire recent feed or recent items posted by you.
By the way, an extra variable called max_time allows one to access past feed items as well. Another AJAX page (http://www.new.facebook.com/ajax/feed.php) gives access to the main news feed, though the format is quite different and I haven’t yet taken the time to explore it much. I do know it includes a time control as well.
Hopefully these tricks will let other developers build some interesting projects. All of the necessary URLs and applicable variables can be found buried in Facebook’s code, but I find the simplest way to discover them is to boot up Wireshark and take note of HTTP POSTs as you click various feed-related links.
source: theharmonyguy
