Seeking Facebook's iPhone app key

Dear Lazyweb, how do I get an OAuth token that impersonates Facebook's official app?

Why? Because I desire to post videos to my business's "page", and apparently "normal" apps can't do that. The official Facebook app has permissions that you apparently cannot give to yourself.

It used to be possible to impersonate the Facebook iPhone app when accessing it via the graph API by generating an OAuth token using that app's ID (6628568379) and secret (c1e620fa708a1d5696fb991c1bde5662).

After working for years, that token stopped working last week: now those sessions say "the user has changed the password", which is... a weird error. So I tried to regenerate it the way I had in the past, by loading this in a logged-in browser:

That ought to redirect to a URL with an access_token= on it, but now it says "does not look like a valid app ID."

So maybe the app ID of the current iPhone app is different? But "" suggests not.

And if I run the FB iPhone app through mitmproxy, I can't log in, so I can't sniff it. Maybe it's doing cert pinning. Who knows.

Any suggestions on how to re-crack this bastard?

Previously, previously.

Tags: , , , , , , ,

5 Responses:

  1. Fraz says:

    Using an android device, and Charles instead of mitmproxy has worked for me as recently as a few months ago.

  2. Chas. Owens says:

    The company I used to work for did lots of stuff that Facebook didn't want us to, so I got pretty used to reading through their roadmap looking for things that would break our hacks. If you peruse that page you may find something that was removed last week and find out what replaced it. Sorry I can't be of more help, but I am no longer paid to read that crap (and getting paid to do it is the only way I could bear it).

  3. jwz says:

    Hooray, apparently normal, non-FB-secretly-privileged apps can no longer read /me/feed or /friend's-uid/feed/. So unless I get access to these keys, works only with pages, not with my friends. This probably means I'll just stop reading my friends' Facebook posts entirely, and I'd rather not. Halp.

  4. Kaleberg says:

    You may have to fake a browser. I use Fake on the Mac, but that's probably just for weenies. Real hackers would use a headless browser like PhantomJS. There are maybe half a dozen of these on Github alone.

    I understand the desire to get more direct access. I used to do that to keep track of various sites, but web designers kept getting more and more clever. I eventually just gave up and moved up a level.

  • Previously