OSINT - Enumerate Facebook User Profiles w/o login
While doing OSINT recently, we stumbled across a way to enumerate Facebook users - without being logged in.
Facebook User Enum
Similar to a recently published quick & dirty method for downloading all Instagram photos using the Browser Console, we found a way to enumerate Facebook Profiles. Depending on the Privacy Settings of the initial profile, you don't even need to be logged in.
GraphQL API
Facebook uses the GraphQL API to communicate between Browser and Server. That means we can easily read the data, just from the Console.
The Privacy Settings of the Users we'll enumerate don't matter. All we need is a profile that gives us access to content with Comments - many Facebook profiles can be accessed without even logging in to our own account.
However: When our initial profile has strict privacy settings, we may need to log in, or become friends with the user.
Step 1: Open a Profile
After opening a Facebook Profile that provides us access to at least some content with comments, we can start. This can be Gallery Images, Posts or even the Profile Picture / Background Picture (when other users have commented on it).
We need to press F12 in Firefox and open the Console tab. We also need to enable XHR and requests.
Then we'll filter for GraphQL requests and responses.
It's important to do this before we start browsing for content. Now we simply open, for example, a Gallery image of the user. While clicking through the content, we should see the GraphQL requests appear.
Step 2: Copy the Responses
We open one GraphQL request and click on the Response tab. On the right side, we also disable formatting, then simply select all (Ctrl+a) and copy & paste the content into an editor, like VSCode.
Step 3: Look at the JSON
When we beautify the response objects, we see it's JSON - and it contains an array called Author.
Step 4: Filter for Data
Once we have all request data saved to a file, we need to hop onto Bash. Using jq, we can easily filter for subfields of author - it contains things like:
- User ID
- Comment Text
- Profile Picture URL
- Gender
- Profile URL
- Work Info
- Shortname (Username)
Step 5: Profit
As we can see, with only a few clicks we got all Commenter profile data - without being a friend of any of the users and, depending on privacy settings, even without being logged in!
Optional: Extract the Infos you need
We can easily adjust the commands and comfortably extract the data we want.
That’s it
Facebook's Privacy was never great, and it still isn't. Make sure to review what you want to share with the world. Assume anything you post becomes public information, independent of privacy promises.
That’s it for now, happy hacking!