Did you know you can Facebook people by phone or email?

Facebook is the first place you normally go when you need information about someone. But what many people, I found out, are not aware of is that it’s possible to look people up on Facebook by their email address and phone number.
 
If someone is mailing you or left his email on a site somewhere, there is a good chance you can find his name, profile picture, social connections (friends and family) and location by just searching for that email address, even when he’s using a pseudonym or nickname. Facebook makes doxing easier than ever: you don’t even have to know the full name in order to get all his personal details. To do so, just go to Facebook.com, but instead of searching for a name, enter a phone number or email. The corresponding profile should show up now.
 
 

Some use cases: next time you have an unknown caller, just enter the number in Facebook and maybe you’ll find out who it is. Same thing if you want to know the person behind a forum profile but you only have one email address. Or think about this: an advertisement on Marktplaats.nl / eBay with a mobile phone number to contact the seller. You can easily verify if it’s legit now. There are many ways this can be a useful tool. I have found a few people myself this way, and people are always surprised when I know their full name and details after just getting one WhatsApp message.

How to disable this for your own profile?

Facebook placed annoying popups a while back to “ask” you to enter your number in order to “make your account more secure”. There is a good chance you fell for this and also entered your own mobile phone number. If you did that, then probably everyone can find you as long as they have your number. Luckily it’s easy to disable. Edit your privacy settings on Facebook. Go to: Settings > Privacy > ‘Who can look me up?’ and change ‘phone number’ to ‘Friends’.

 
Here it’s also possible to (partly) disable lookup by your email address. I have set both to ‘Friends only’ as you can see above. It is always a good idea to check all the privacy settings to make sure you’re not sharing things you don’t want. I personally have set my profile as strict as possible, also for the things I’m posting. People should be careful with what they put on the public web, or at least be aware of what a stranger can see. Most of the time it is more than they realize.
 
 

Read articles on social media for free. Good idea?

Yesterday I opened a news article someone shared on Facebook which brought me to the website below. Notice the message box on top saying: “A subscriber shared this article so you can read it for free. Want to read more? Sign up and read 5 articles per month for free.” Because someone shared the article on Facebook I can read it for free. That’s interesting, because there are only a few ways for this site to know it’s a shared article, and most of those ways are easy to spoof / manipulate. Are we able to read more articles for free that are not shared…?

 

How does it work?

I can think of two ways this site knows I’m viewing a shared article:

  1. The link to the article is unique and specifically generated to be shared. By checking the unique part of the URL the website recognizes it as a free, shared article.
  2. The website checks which site I’m coming from. If it’s from Facebook, that must mean someone shared the article.

It is not option one, which can be checked by just looking at the URL. The URL contains only the article’s number and title, so no uniquely generated part. It must be option two: it checks where I’m coming from. If it’s from facebook.com (or twitter.com or any other social media site) it shows the article for free.

There is a second requirement. If I open a different article (also shared), I’m still required to sign up. It remembers whether I’ve already seen a free article and only shows the first one for free. Again, two scenarios:

  1. After I open the first article the website stores my IP inside a database. Every other link after that queries the database first. It only shows the full article if my IP is not in there yet.
  2. After opening the first article it stores a cookie in my browser and the next time it checks if that cookie already exists. If it does, it’s not free and I must sign up first.

The first option, saving IP addresses inside a database, is normally the best way to go because IPs are harder to manipulate than cookies. I could change my IP address temporarily by using a proxy, VPN or similar, but that’s a lot of hassle for reading an article. A cookie, on the other hand, is fairly easy to edit or remove as it is stored locally. The IP-based way, option one, has a major downside: only one device in a network can see one article. That’s not ideal in schools, workplaces etc. that have shared IPs, and it’s probably not what this news site wants. I checked it and they indeed placed a cookie called ‘socialread’ with the article’s number as value (in my case 1118069; I confirmed it in Firefox by right-click, View Page Info, Security, View Cookies).

Is this a reliable method to let people read only one (shared) article?

In short: no. As said, cookies are easy to manipulate. I used Cookie Manager+ for this in Firefox. This add-on makes it possible to change every cookie that’s set in your browser. I was able to change the cookie ‘socialread’ to a different article number. Or even easier: just disable cookies altogether, that way the site can’t even save the cookie and, surprisingly, it’s still showing articles for free. The news site isn’t confirming whether the cookie is actually set or not. (I won’t get into detail on how to disable or change cookies, but I can assure you, it’s really easy.)

The other check, whether we’re coming from Facebook, was a little bit harder to spoof (but still not hard). Of course, with the cookie check bypassed, it is already possible to see more than one shared article. But if I want to see a certain article on this news website, I have to look it up on Facebook first and find where it’s shared. Not the most efficient way. Easier would be to just always act like we’re coming directly from Facebook, even if we’re not, to unlock all articles.

The news site checks where we came from using the Referer header inside each request. If you’re, for example, visiting youtube.com from reddit.com, a lot of info is sent to youtube.com, including the exact URL you’re coming from. That last piece of information is stored inside a header called ‘Referer’, and that’s the header you want to change to facebook.com. A way to do this automatically is by (again) using a Firefox add-on. I used Modify Headers for this, but there are many add-ons available that can spoof headers.

Other method

Social media isn’t the only trigger that makes the full text available; coming from Google does too. They probably did this to get a higher ranking in Google (so-called SEO). Instead of setting the default Referer to facebook.com, set it to google.com. There is no need to disable or edit cookies now, because not only the first article is free: as long as you’re coming from Google the full article will be visible. With these two methods (Referer spoofed and cookies disabled), it is possible to bypass all checks and read everything on the website for free.

If they want to make it more difficult to bypass, they should go for an IP-address-based solution instead of cookies. If that’s too strict (only one device in a network seeing one article for free), they should reconsider whether viewing one shared article for free is a great idea at all, because as far as I know there is no other way to make this work without being able to easily bypass it. There is no Facebook API available that confirms whether a visitor is coming from a shared post. A different approach could be to put a share button on every page that generates a unique link on click. That results in only unique links being free, while just copy-pasting the article URL in a Facebook post does not. And that’s not ideal either.

Do you have another solution? I’m happy to hear it. Put it in the comments below or contact me by social media on top of this page! Also, if you liked it, please share it on social media, and you’ll be able to read everything for free on my site afterwards ;D
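A sketch of the unique share link idea from the paragraph above, next to the Referer and cookie check the article infers. This is an added example, not code from the news site. The function names, the HMAC token format, the 25-read cap and the 7-day lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = secrets.token_bytes(32)
MAX_VIEWS = 25             # assumed cap on free reads per share link
TTL_SECONDS = 7 * 86400    # assumed lifetime of a share link
_views = {}                # share_id -> reads so far (a database table in production)


def weak_is_free(headers, cookies):
    """The inferred check: both inputs are chosen entirely by the client."""
    referer = headers.get("Referer", "")
    from_social = "facebook.com" in referer or "google.com" in referer
    return from_social and "socialread" not in cookies


def _sign(article_id, share_id, expires):
    msg = f"{article_id}.{share_id}.{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_share_token(article_id, now=None):
    """Called when a logged-in subscriber clicks the share button."""
    expires = int(now if now is not None else time.time()) + TTL_SECONDS
    share_id = secrets.token_urlsafe(8)
    return f"{share_id}.{expires}.{_sign(article_id, share_id, expires)}"


def strong_is_free(article_id, token, now=None):
    """Server-side decision: signature, expiry and a per-link read budget."""
    try:
        share_id, expires_s, sig = token.split(".")
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False
    expected = _sign(article_id, share_id, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # forged token, or one minted for a different article
    if (now if now is not None else time.time()) > expires:
        return False
    if _views.get(share_id, 0) >= MAX_VIEWS:
        return False
    _views[share_id] = _views.get(share_id, 0) + 1
    return True
```

The token travels as a query parameter on the shared URL, so the decision no longer depends on any header or cookie the visitor can edit. The read budget limits how far a single leaked link can spread.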