
Facebook Graph API robots.txt - knorby
http://graph.facebook.com/robots.txt
======
mitchellh
It appears you can put a period anywhere within the ID after the initial "/"
and it works:

<http://graph.facebook.com/robot.stxt>
<http://graph.facebook.com/r.o.b.o.t.s.t.x.t>

This guy's actual short-URL is "robotstxt."

~~~
sev
It's not just periods. They're filtering out certain characters [.,-]

hxxp://graph.facebook.com/-----r.-o....b....o-t-s-t....x....t----....///////////___%%20%22/test/robots

will still output the same result as <http://graph.facebook.com/robotstxt>

~~~
theli0nheart
This is the sort of thing that leads to exploits.
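
Added example (not part of the thread, and not Facebook's code): a registration-time check that canonicalizes a requested username the way the comments above describe and rejects names that collapse onto a reserved path or an existing account. The ignored-character set, the case folding, `favicon.ico` and all function names are assumptions for illustration.

```python
# Added example. Characters and reserved names are assumptions drawn from the thread.
IGNORED = ".,-"  # characters reported in the thread as filtered out of the ID

# Paths a web server or crawler treats specially (the first four appear in the thread).
RESERVED_PATHS = ["robots.txt", "default.aspx", "default.html", ".htaccess", "favicon.ico"]


def canonical(alias):
    """Reduce an alias to its lookup form: drop ignored characters, fold case."""
    return "".join(ch for ch in alias if ch not in IGNORED).lower()


# Canonical form of each reserved path, mapped back to the path it would shadow.
RESERVED_CANONICAL = {canonical(p): p for p in RESERVED_PATHS}


def check_username(candidate, taken):
    """Registration-time check; `taken` holds canonical forms of existing usernames."""
    key = canonical(candidate)
    if not key:
        return False, "empty after canonicalization"
    if key in RESERVED_CANONICAL:
        return False, "shadows reserved path %r" % RESERVED_CANONICAL[key]
    if key in taken:
        return False, "equivalent to an existing username"
    return True, "ok"


def route(path_segment, taken):
    """Request-time routing: an exact reserved path wins before any alias lookup."""
    if path_segment in RESERVED_PATHS:
        return "static:" + path_segment
    key = canonical(path_segment)
    return "profile:" + key if key in taken else "not-found"


if __name__ == "__main__":
    existing = {"alice"}  # constructed sample data
    for name in ["robotstxt", "r.o.b.o.t.s.t.x.t", "a-l.i,ce", "bob"]:
        print(name, check_username(name, existing))
    print(route("robots.txt", {"robotstxt"}))
```

The `route` function covers accounts registered before such a check existed: the literal reserved path is served first, so a legacy alias cannot answer for it.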

------
geuis
I started playing with this new API today. My roommate and I spent an hour
with various privacy settings and it does not appear there is any way to
prevent your account from being accessed via this.

~~~
ryanjmo
That is because the info that is available at <http://graph.facebook.com/name>
is <= the info that is available at <http://facebook.com/name> . What part of
your account are you trying to stop from being accessed? This makes no sense.

~~~
davetufts
I set my profile to private. I turned off "Public Search Results" and
"Facebook Search Results" is set to "Only Friends".

If you're not logged in, my URL returns a 404:
<http://www.facebook.com/davetufts> (or by ID:
<http://www.facebook.com/profile.php?id=603069147> )

Not a huge deal, because the graph page only shows my name and ID, but they
are publicly accessible: <http://graph.facebook.com/davetufts> or
<http://graph.facebook.com/603069147>

~~~
fhars
Appending /picture?type=large to your graph page works, too. Uh, oh...

------
tszming
<http://graph.facebook.com/laden>

{ "error": { "type": "QueryParseException", "message": "Some of the aliases
you requested do not exist: laden" } }

------
oscardelben
I just realized that if you supply an access token you have access to even
more information for record.

~~~
CoryMathews
Seems that it's only more info based on your account. Unless I'm missing
something.

------
thedjpetersen
It will be interesting if anyone ever does a dump of all the data available.

------
oscardelben
What's interesting is that you can put the id in the url and get their data
(example: <http://graph.facebook.com/677195182>).

I'm not entirely sure about what you could do with this data, but it's there,
for anyone to see.

------
jyothi
So bots get some non-standard file for robots.txt.

Guess no one at Facebook has noticed the vulnerability exposed with pretty
usernames on Facebook & ignoring "." in a different framework. (Probably just
following Gmail usernames.)

------
vark
also see: <http://graph.facebook.com/default.aspx>

~~~
tfh
and <http://graph.facebook.com/default.html>

~~~
luckygerbils
And <http://graph.facebook.com/.htaccess>

~~~
bruceboughton
Reminds me of Little Bobby Tables: <http://xkcd.com/327/>

------
dasrecht
So your name will be published out to the web?

You can set the user ID as a parameter and you get Mark Zuckerberg's profile
here: <http://graph.facebook.com/4>

Then you can simply count up to infinity to get the other profiles. The API
has a usage limit and blocks after a while.

~~~
tfh
Anyone know why they are skipping IDs? Why didn't he pick id=1?

~~~
oscardelben
Perhaps those were just tests, and databases use an incremental index but don't
care if you delete a record.

