Professor Bagelwood

Facebook's "Honesty Box" App

14 posts in this topic

Everybody here already knows what Facebook is. The "Honesty Box" is basically a widget you can stick on your Facebook profile that lets people post things to you anonymously. Think of it as anonymous private messages to your account.

However, it doesn't forget who posted stuff. You can reply to the anonymous people, and they'll be able to respond again, and the messages can keep going back and forth like regular email or private messages. As such, I think it's just waiting to be cracked, and I'm surprised I haven't heard about anybody tracking down an anonymous poster.

Yes, you can use logic to narrow it down. Like, obviously if there's only one of your friends online and you basically see them make the post and it sounds like them and everything, then gee, yes, you win the prize, Sherlock. But I'm talking less about the common sense and social engineering ways to find out, and more about the nitty gritty server penetration type stuff. Has anybody heard anything, or does anybody have any theoretical ways for beating the system?

(Keep it hypothetical, cough. Just studying their system from a distance, right? It's research, and I'm curious and I'm sure you are too.)

Possible solution? There are a few applications on facebook that you can add to your profile that allow linking to off-site images (super wall). If you throw an image on your facebook that points to something on a server where you have access to statistics, or the server itself, you could get information about the person that viewed your profile at (or around) the time that someone posted to your honesty box. This is just theoretical, because I haven't tried it, but there may be something revealing in the referrer sent from facebook? Perhaps the user's ID #? Anyways, this could help narrow down exactly who posted "anonymously."

Edited by stderr
Possible solution? There are a few applications on facebook that you can add to your profile that allow linking to off-site images (super wall). If you throw an image on your facebook that points to something on a server where you have access to statistics, or the server itself, you could get information about the person that viewed your profile at (or around) the time that someone posted to your honesty box. This is just theoretical, because I haven't tried it, but there may be something revealing in the referrer sent from facebook? Perhaps the user's ID #? Anyways, this could help narrow down exactly who posted "anonymously."

I'm guessing facebook doesn't allow direct links, most likely the image is stored on facebook, or facebook has some code that sits between all images and the outside world to deter this sort of thing.

Possible solution? There are a few applications on facebook that you can add to your profile that allow linking to off-site images (super wall). If you throw an image on your facebook that points to something on a server where you have access to statistics, or the server itself, you could get information about the person that viewed your profile at (or around) the time that someone posted to your honesty box. This is just theoretical, because I haven't tried it, but there may be something revealing in the referrer sent from facebook? Perhaps the user's ID #? Anyways, this could help narrow down exactly who posted "anonymously."

I'm guessing facebook doesn't allow direct links, most likely the image is stored on facebook, or facebook has some code that sits between all images and the outside world to deter this sort of thing.

It doesn't store them on facebook, it goes directly to the link provided (at least with Super Wall). I didn't check to see what information is sent though.


Would you be willing to traceroute the link and post the results?

Somehow this seems too easy, I'm guessing it goes through their server and then to facebook, or something similar.

If it does work... time to make a tracer.

It doesn't store them on facebook, it goes directly to the link provided (at least with Super Wall). I didn't check to see what information is sent though.

When I developed an app with facebook, the development documentation stated that any images your server serves, facebook caches them and serves them from the facebook servers so as to put less load on your servers.

Unless they have changed that VERY recently, it hasn't changed and that's how it works.

I don't know how superwall works, so you'd have to ask them how they do their stuff.


I sent 2 HonestyBox messages to myself (I used 2 accounts) and the reply link (reply?id=_______) isn't relative to their profile... it was different for both messages. Then I checked my other FaceBook account to see if the Honesty Box on that account had any references to that ID number... and of course it didn't.

It doesn't store them on facebook, it goes directly to the link provided (at least with Super Wall). I didn't check to see what information is sent though.

When I developed an app with facebook, the development documentation stated that any images your server serves, facebook caches them and serves them from the facebook servers so as to put less load on your servers.

Unless they have changed that VERY recently, it hasn't changed and that's how it works.

I don't know how superwall works, so you'd have to ask them how they do their stuff.

Yeah, I wasn't looking at the return from visiting the profile. It looks like everything's cached into http://upload.facebook.com/application_proxy_image.php

My fault guys. I was receiving the request from directly after I posted my image, which is when it cached the image.
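The thread ends up at the defensive property that defeats the referrer idea: the site fetches the off-site image once through its own proxy (the application_proxy_image.php the post above mentions) and serves every later viewer from cache, so the image host only ever sees the proxy, not the profile visitors. The following is an added example, not code from the thread or from Facebook, of a minimal image-proxy cache with that property; the Origin stand-in, header names, the fixed proxy User-Agent and the placeholder URLs are all constructed for this illustration.

```python
# Added example: an image-proxy cache that keeps profile visitors invisible to the
# third-party host an embedded image points at. Design and names are assumptions made
# for this illustration, not the real application_proxy_image.php.
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Request headers that identify or link a viewer; a proxy must never pass them upstream.
VIEWER_IDENTIFYING_HEADERS: Set[str] = {"referer", "cookie", "authorization", "x-forwarded-for"}

PROXY_USER_AGENT = "example-image-proxy/1.0"  # the proxy's own fixed identity


@dataclass
class Origin:
    """Constructed stand-in for the off-site image host whose access log is being watched.
    It records every request that actually reaches it."""
    hits: List[Tuple[str, Dict[str, str]]] = field(default_factory=list)

    def fetch(self, url: str, headers: Dict[str, str]) -> bytes:
        self.hits.append((url, dict(headers)))
        return b"\x89PNG constructed image bytes for " + url.encode()


@dataclass
class ImageProxyCache:
    """Fetches each external image once, with the proxy's own headers, then serves all
    viewers from cache until the entry expires."""
    fetcher: Callable[[str, Dict[str, str]], bytes]
    ttl_seconds: float = 3600.0
    _cache: Dict[str, Tuple[float, bytes]] = field(default_factory=dict)

    def serve(self, url: str, viewer_headers: Dict[str, str], now: float | None = None) -> bytes:
        now = time.time() if now is None else now
        cached = self._cache.get(url)
        if cached is not None and now - cached[0] < self.ttl_seconds:
            return cached[1]  # cache hit: the origin is not contacted at all
        # Cache miss: fetch with fixed proxy headers only. viewer_headers is deliberately
        # unused here, so the visitor's Referer, Cookie and User-Agent never reach the origin.
        outbound = {"User-Agent": PROXY_USER_AGENT}
        body = self.fetcher(url, outbound)
        self._cache[url] = (now, body)
        return body


def leaked_headers(origin: Origin) -> Set[str]:
    """Viewer-identifying header names the origin ever received (empty if the proxy is correct)."""
    seen: Set[str] = set()
    for _, headers in origin.hits:
        seen |= {h.lower() for h in headers} & VIEWER_IDENTIFYING_HEADERS
    return seen


def demo() -> Tuple[int, Set[str]]:
    """Two different visitors load the same embedded image; returns (origin hits, leaked headers)."""
    origin = Origin()
    proxy = ImageProxyCache(fetcher=origin.fetch, ttl_seconds=3600)
    url = "https://image-host.invalid/pixel.png"  # constructed placeholder URL
    alice = {"Referer": "https://social.example/profile/owner", "Cookie": "sid=alice", "User-Agent": "Browser/1"}
    bob = {"Referer": "https://social.example/profile/owner", "Cookie": "sid=bob", "User-Agent": "Browser/2"}
    proxy.serve(url, alice, now=0.0)
    proxy.serve(url, bob, now=60.0)
    return len(origin.hits), leaked_headers(origin)


if __name__ == "__main__":
    print(demo())  # one origin hit for two viewers, and no identifying headers forwarded
```

The point for an operator reviewing such a proxy is the two checks `demo()` makes visible: the count of upstream fetches must not track the number of viewers, and the headers the origin records must contain only the proxy's own identity. A cache that forwarded the visitor's `Referer` on the first miss, or that fetched per viewer, would give the image host exactly the per-visitor log the thread was hoping for.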


Heh, it's all good. But that does put us back to square one. Just for giggles, let's make this more Hollywood. You're working with Jack Bauer (hardy har har), and you've got to find out who posted a message on the Finnish ambassador's son's Honesty Box app or else he'll be kidnapped and so forth! Oh noez! So, how would you go about it?

(If you think you're too old for pretending, then you're just not any fun anymore. :P)


Easiest way, get in touch with the Facebook legal guys. I'm sure they'd help.

Easiest way, get in touch with the Facebook legal guys. I'm sure they'd help.

You mean with social engineering? Or just asking them?


Without really looking at the technical side of this, why not just reply to the message with nothing but the HTML link to a server where you can watch the logs? If the person goes through the trouble of sending you an anonymous message they would likely want to see your reply and click on the link. Anything other than this simple solution would probably involve a lot more thinking and tinkering, and honestly I am not willing to waste time on facebook.

Without really looking at the technical side of this, why not just reply to the message with nothing but the HTML link to a server where you can watch the logs? If the person goes through the trouble of sending you an anonymous message they would likely want to see your reply and click on the link. Anything other than this simple solution would probably involve a lot more thinking and tinkering, and honestly I am not willing to waste time on facebook.

Because the referral would be from your profile, not theirs; this was already stated.

Easiest way, get in touch with the Facebook legal guys. I'm sure they'd help.

Well, sure, but for the sake of my lovely Hollywood hypothetical... they're all mysteriously gone all of a sudden. So you'll just have to use your network penetration skills.
