Friendster Hacks

Notes on Friendster hacking. By hacking, it's more exploring than doing any harm. And I'm doing this partially to learn how to prevent problems with my own software.

The Gallery

If you do a search, you get to see all the possible parameters in the URL.

Distance: I think the maximum is 65536 (aka 2^16 - a common data type). Or it used to be. Now I'm not entirely sure. They might have noticed that I was running queries that were timing out after five minutes and put some validation on the data. When I did a distance of 66000 it would time out relatively quickly, whereas under 65536 it would take five minutes. For that matter, smaller distances (e.g. 10,000 miles) were taking that long too -- though this probably depends on Friendster's load. Friendster should validate this value and put a maximum on it. Also, Friendster should be logging slow queries. Heck, I'm smart enough to do that!

The minimum distance is 5 miles (good for privacy, as knowing everyone within 0 miles of you is scary). The distance must be an integer.

Age: no luck with negative ages, or 0-17.

Profile Depth: 4 is the max level. You can only get 2 using the interface. So you can search for the friends of the friends of the friends of your friends.

Distance and Canada: Doesn't work. Friendster should be embarrassed. I've had this info on my website for over a year and it only costs $100.

The real scoop would be guessing some variable names/parameters that they don't list on the interface.
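A sketch of the server-side checks these notes call for, as an added example that is not Friendster's code: bounded integer parameters, an allowlist that rejects parameter names the interface does not list, and a slow-query log. The parameter names, the upper bounds, the 2-second threshold and the `query` callable are assumptions; only the 5-mile minimum, the 18+ age floor and the interface depth of 2 come from the notes above.

```python
import logging
import time

log = logging.getLogger("gallery.search")

# Assumed limits: the notes report a 5-mile minimum, ages 18+ and a UI depth
# of 2; the upper bounds are illustrative choices, not Friendster's values.
LIMITS = {
    "distance": (5, 500),
    "min_age": (18, 120),
    "max_age": (18, 120),
    "depth": (1, 2),
}
SLOW_QUERY_SECONDS = 2.0  # assumed threshold


def validate_search(params):
    """Return cleaned integer params or raise ValueError; unknown names are rejected."""
    unknown = set(params) - set(LIMITS)
    if unknown:
        raise ValueError(f"unexpected parameter(s): {sorted(unknown)}")
    clean = {}
    for name, raw in params.items():
        text = str(raw).strip()
        # ASCII decimal digits only: refuses signs, floats, exponents, Unicode digits
        if not (text.isascii() and text.isdecimal()) or len(text) > 6:
            raise ValueError(f"{name} must be a small non-negative integer")
        value = int(text)
        low, high = LIMITS[name]
        if not low <= value <= high:
            raise ValueError(f"{name} must be between {low} and {high}")
        clean[name] = value
    if clean.get("min_age", 18) > clean.get("max_age", 120):
        raise ValueError("min_age exceeds max_age")
    return clean


def run_search(params, query, clock=time.monotonic):
    """Validate, run the hypothetical `query` callable, and log slow executions."""
    clean = validate_search(params)
    start = clock()
    try:
        return query(clean)
    finally:
        elapsed = clock() - start
        if elapsed >= SLOW_QUERY_SECONDS:
            log.warning("slow search %.1fs params=%r", elapsed, clean)
```

Rejecting out-of-range values before the query runs keeps a request like a 66000-mile search from ever reaching the database, and the warning log surfaces the multi-minute queries described above.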

Images

5969 l.jpg
29968 l.jpg
43239 l.jpg

Three images that I posted around the same time. The first directory (and maybe second too) have to do with the order in which I joined Friendster. So I might be on the second server (00 is the first one). 307810 is my ID. The next 8 digits I suspect are my picture-id. This means when I posted them Friendster had 96 million pictures, which seems high, so I suspect they started off at a higher number than zero (or have been deleting a lot of offensive pictures).

The last 4 or 5 digits, I suspect, are randomly generated so you cannot guess an image name (for some measure of security).