De-anonymizing Facebook’s app-scoped ids

Facebook has taken plenty of criticism for privacy problems over the years, and it’s invested plenty of resources in responding. One specific problem early on was that third party apps could combine their data to create deeper user profiles for tracking and analysis. If one app couldn’t get permission to see a Facebook user’s friends, for example, it might quietly partner with another app that did instead of trying harder to get official permission.

Facebook fixed this in their v2.0 API by giving each app its own set of app-scoped user ids. For example, originally Farmville and Blendr got the same user id for me – 212038 – but in the v2.0 API, they each got their own unique user id. This prevented them from joining their user databases easily.

Ben, Aaron, and I recently came up with a loophole. Facebook offers “evergreen” URLs that return a user’s profile picture: https://www.facebook.com/profile.php?id=[ID]. These work with app-scoped ids as well as usernames and global ids. Interestingly, for a given user, they redirect to the exact same final image URL, regardless of the id you use. Continue reading