Tuesday, September 15, 2009

Facebook REST API: The hacker's way

You will encounter serious problem if you'd like to create desktop app having full access to Facebook API. Reason? Just try to authenticate...
There is no way to do this for security reasons. Either you can wait for Facebook Connect for Mobile/Iphone, or you can use browser based authentication as it currently exists.
You are in much worse situation if you do cross platform development, because Facebook Connect does not work with Linux. But there's solution:

We are going to authenticate without browser or Facebook Connect. Just plain terminal version :)

The following code fragments are Ruby, it's very simple to create similar in C++.
Facebook REST requests have special parameters, they are described in detail in FB API documentation.

Code for request:

def request(params, secret_key = API_SECRET, secure = TRUE)
  api_url = URI.parse("#{(secure ? 'https' : 'http')}://#{API_PATH}")
  unless params.has_key?('method')
    raise "'method' is required for making a request."
  params['api_key'] = APP_KEY
  params['call_id'] = Time.new.to_f.to_s
  params['v'] = '1.0'
  params['format'] = 'xml'
  params_str = params.sort.map! { |p| "#{p[0]}=#{p[1]}" }.join
  params['sig'] = Digest::MD5.hexdigest(params_str + secret_key)
  req = Net::HTTP::Post.new(api_url.path)
  connection = Net::HTTP.new(api_url.host, api_url.port)
  if api_url.scheme == 'https'
    connection.use_ssl = true
    connection.verify_mode = OpenSSL::SSL::VERIFY_NONE

Get first token just like this:
token_xml = XmlSimple.xml_in request( 'method' => 'facebook.auth.createToken')
auth_token = token_xml['content']

Then open a web browser. Our browser is called CURL and it supports cookies. Great.

You must pass special 'lsd' parameter to POST, look for it in your cookie file when you visit facebook.com/login.php.

def web_login(auth_token)
  get_session(auth_token) #visit login.php :)
  lsd = get_cookie_data("lsd")
  exec("curl -L -b #{COOKIE_FILE} -c #{COOKIE_FILE} -A \"#{BROWSER}\" \
    -d \"?auth_token=#{auth_token}&api_key=#{APP_KEY}&lsd=#{lsd}& \
    email=#{URI.encode(@email)}&pass=#{URI.encode(@password)}\" \
    https://login.facebook.com/login.php > #{TOKEN_FILE}" ) if fork == nil
"get_token" parses TOKEN_FILE. This is html file redirecting  us to homepage. It contains... the second token! 

def get_token
  xml = XmlSimple.xml_in(TOKEN_FILE)
  content = xml["head"][0]["meta"][0]["content"]
  File.delete(TOKEN_FILE) if File.exists?(TOKEN_FILE)
It's time to get session parameters.
session_xml = XmlSimple.xml_in request({ 'method' => 'facebook.auth.getSession', 'auth_token' => session_auth_token})
@uid = session_xml['uid'][0]
@secret = session_xml['secret'][0]
@session_key = session_xml['session_key'][0]
Then you're ready to make authorized requests. Overwrite you old secret with @secret and use your session_key.
def authorized_request(params)
  params['session_key'] = @session_key
  request(params, @secret)
Now gates to Facebook are wide open.

No comments:

Post a Comment