Almost everyone who does OSINT relies on Facebook’s graph search tool for researching their subjects. Great sites like Whopostedwhat, Stalkscan, and Plessas Matrix are essential resources that let researchers see what information is publicly available on Facebook about a particular person, place, or institution. The graph search’s most useful feature for OSINT was that it allowed you to search not only for information that users had uploaded about themselves but, crucially, also for all the other kinds of information that others had uploaded about them.
So imagine the horror when the world’s OSINT investigators woke up this morning to find that Facebook had disabled the graph search. Dozens of proven investigative methods disappeared in an instant. OSINT trainers would now have to spend the weekend re-writing all their courses, while many other investigations of all kinds would grind to a halt.
Henk van Ess did a brilliant job analysing the problem. It seems that Facebook have now amended the URLs used to conduct graph searches by changing the format, adding specific tokens into the URL, and then encoding the search in Base64. At time of writing it still isn’t exactly clear what the full extent of the changes is, or why Facebook made them. Is it part of their new concern about your privacy (but not really)?
For now at least, there is a workaround that Henk and others have discovered. It relies on being able to conduct a graph search with a predictable URL, in a manner similar to before, rather than with an encoded token. For example, the previous URL to search for photos that someone had been tagged in would be:
https://www.facebook.com/search/USERID/photos-tagged
This no longer works, but currently it is possible to switch to the mobile version of Facebook by replacing ‘www’ with ‘mtouch’ and ‘search’ with ‘graphsearch’. Results are presented in the Facebook mobile format rather than the usual desktop version. A new URL for the tagged photo search would look like this:
https://mtouch.facebook.com/graphsearch/USERID/photos-tagged
Stalkscan and WhoPostedWhat have now been updated to reflect the changes and are working again. I recommend Plessas Matrix for looking at how to construct the kind of search URLs that you need.
How long will this fix last? The move to encode the standard graph search URLs is obviously a planned decision by Facebook, and it’s probably best to assume that the mobile format still works simply because Facebook haven’t implemented the change there yet, rather than because they don’t want to. Enjoy it while it lasts!
UPDATE – 8th June. Looks like the workaround no longer functions. Facebook appear to have made the same changes to the mobile graph search URLs as they did to the regular URLs. RIP graph search (for now at least).