
I'm surprised there isn't a column for people who are reading Hacker News.

This guy for example:

http://www.facebook.com/profile.php?=743264506




This is a neat trick and reminds me of MCI codes from the BBS days. Basically, for a lot of BBS software (and usually enabled by default) visitors to your BBS when posting in discussion threads could insert escape characters (like "%UN") which at runtime would be replaced with metadata related to the person viewing the post at that time.

So, if I were to post "%UN's mother was a hamster and father smelled of elderberries" as part of a thread when I viewed it it would say "gfodor's mother..." etc. You could have first name, last name, etc, so with some creative thinking you could post fairly convincing posts that would trick people into thinking you were actually legitimately mentioning them.

I can remember many posts filled with angry replies from random users who went off the deep end when seeing that some random person on the BBS was trash talking them personally. Oops.

Edit: And for the curious, the purpose of these codes was usually for people creating assets for the BBS. For example, when designing your home screen (an ANSI text file, basically), inserting the codes made it so the home screen would reflect information on the logged in user. Usually when enabled the interpolation happened anywhere, not just in user defined assets. (Of course as BBS software got more mature these types of pranks were not possible with default settings.)
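The view-time interpolation described in the comment above, as an added example that is not part of the original thread and not code from any BBS package. "%UN" is the code the comment names; the "%FN"/"%LN" codes, the field names and the sample users are assumptions.

```python
import re

# "%UN" is the code named in the comment above; "%FN" and "%LN" are assumed
# names for the first-name and last-name codes it mentions.
MCI_FIELDS = {"UN": "handle", "FN": "first_name", "LN": "last_name"}
MCI_PATTERN = re.compile(r"%([A-Z]{2})")


def expand_mci(text, viewer):
    """Replace each known %XX code with the viewing user's metadata."""
    def substitute(match):
        field = MCI_FIELDS.get(match.group(1))
        # Unknown codes are left as typed rather than dropped.
        return viewer[field] if field else match.group(0)
    return MCI_PATTERN.sub(substitute, text)


def render_legacy(text, viewer):
    """Early default: interpolation runs on everything, user posts included."""
    return expand_mci(text, viewer)


def render(text, viewer, sysop_asset):
    """Later default: only sysop-authored assets are interpolated."""
    return expand_mci(text, viewer) if sysop_asset else text


# Constructed sample data.
ALICE = {"handle": "alice", "first_name": "Alice", "last_name": "Ng"}
BOB = {"handle": "bob", "first_name": "Bob", "last_name": "Ruiz"}
HOME_SCREEN = "Welcome back, %FN %LN (%UN)!"
USER_POST = "%UN's mother was a hamster"

if __name__ == "__main__":
    for viewer in (ALICE, BOB):
        print(render(HOME_SCREEN, viewer, sysop_asset=True))
        print("legacy :", render_legacy(USER_POST, viewer))
        print("current:", render(USER_POST, viewer, sysop_asset=False))
```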


My favorite BBS hack was that on some standard RA configs, unless explicitly turned off by the sysop, you could save received messages to disk even if you were just a normal user. This meant that you could send a message to yourself, i.e. 'del . /q /s' (or whatever zapped your dos disk, I can't really remember.), and then save it to 'c:\autoexec.bat' ...

Other fun things were nailbombs, small .zip files that would expand to multiple gigs. When you uploaded those to early RA systems the virus scanner would attempt to unpack them and quickly fill up the entire disk, causing the BBS to grind to a halt.

Kids these days have no idea what they missed :3
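A scanner-side guard against the disk-filling unpack described in the comment above, as an added example that is not part of the original thread. The budget values, function names and in-memory sample builder are assumptions, and nested archives are not handled.

```python
import io
import zipfile


class ArchiveRejected(Exception):
    """Raised when an upload would exceed the scanner's unpack budget."""


def scan_upload(data, max_bytes=1_000_000, max_ratio=100, chunk=64 * 1024):
    """Unpack an uploaded zip in memory under a byte budget; return bytes inspected."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        members = archive.infolist()
        # Cheap pre-check on the sizes the archive declares about itself.
        if sum(m.file_size for m in members) > max_bytes:
            raise ArchiveRejected("declared size exceeds budget")
        for m in members:
            if m.compress_size and m.file_size / m.compress_size > max_ratio:
                raise ArchiveRejected(f"{m.filename}: compression ratio too high")
        # Declared sizes come from the uploader, so count the bytes actually produced.
        inspected = 0
        for m in members:
            with archive.open(m) as stream:
                while block := stream.read(chunk):
                    inspected += len(block)
                    if inspected > max_bytes:
                        raise ArchiveRejected("unpacked size exceeds budget")
        return inspected


def make_sample(payload):
    """Build a one-member deflated zip in memory (constructed test input)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("sample.bin", payload)
    return buffer.getvalue()
```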


Kids these days improved on the old pranks: http://research.swtch.com/zip


Haha, oh wow, thanks for that :)



Haha, my heart momentarily jumped out of my chest when I clicked that.


It's kinda scary to see your own facebook profile being posted on HN out of nowhere... =\


Just to set any minds at ease after the initial shock:

The link I posted is just a generic bad id link that ends up redirecting to your own Facebook profile if you are currently logged into Facebook. Anyone logged into Facebook will see their own profile.

The link joering2 posted OTOH is actually to my Facebook profile. But:

A) I don't really care (anything I put on my Facebook profile is assumed to be 1000% publicly available information anyway).

B) Turnabout is fair play


I was confused at first because I use Facebook in a different browser, so it just gave me the login screen.


Interestingly, the string of numbers is a real user id. I presume it defaults to your own profile because facebook.com/profile.php goes to your own profile, and fb simply ignores the malformed parameters.


Nope, the trick is that he's skipping the "id=" part between the '?' and the user ID, so the param is not being passed properly and thus the link is processed as just 'profile.php' without params. The link https://www.facebook.com/profile.php?id=yaddayadda would work properly.
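How the link from the top of the thread parses, next to a handler that rejects it, as an added example that is not part of the original thread and not Facebook's code. Both handlers, the `example.test` URL, the session value and the 400 response are assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

ALLOWED = {"id"}  # assumption: the only parameter this hypothetical handler accepts

# The link posted in the thread, and a constructed well-formed counterpart.
BROKEN = "http://www.facebook.com/profile.php?=743264506"
WELL_FORMED = "https://example.test/profile.php?id=1000001"


def query_pairs(url):
    """Return the (name, value) pairs of the query string, blanks included."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def lenient_profile(url, session_user):
    """Ignore unrecognised parameters; with no 'id', show the viewer's own profile."""
    params = dict(query_pairs(url))
    return (200, params.get("id", session_user))


def strict_profile(url, session_user):
    """Reject unknown or malformed parameters instead of silently falling back."""
    pairs = query_pairs(url)
    # "?=743264506" parses to an empty name, which is not an allowed parameter.
    if any(name not in ALLOWED for name, _ in pairs):
        return (400, None)
    params = dict(pairs)
    if "id" not in params:
        return (200, session_user)  # bare profile.php: the viewer's own page
    if not params["id"].isdigit():
        return (400, None)
    return (200, params["id"])


if __name__ == "__main__":
    print(query_pairs(BROKEN))
    for handler in (lenient_profile, strict_profile):
        print(handler.__name__, handler(BROKEN, "viewer-42"),
              handler(WELL_FORMED, "viewer-42"))
```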


Didn't know that one :)


Um, your goat is trying to eat your head or something.

That said, nice goat!


I don't want to sound gay or anything, but you're handsome... Oh and the guy whose neck you're kissing looks okay too.


That's because you're being redirected back to your profile since the URL the parent posted is incorrect.


Yeah, but why doesn't it respond with 404 as would be appropriate?


"You want to see a page we don't have? Let me show you some ads instead!"


Technically, a 404 page with ads on would be fine too ..


Most web sites don't 404 when fed unrecognized get params.


While that's true, I would kind of expect Facebook to do better than most sites. Oh, well.


Facebook tries to do whatever maximizes engagement. Technical correctness only matters when it serves that primary goal.


Sometimes a benefit can be indirect and hard to see immediately. Being "technically correct" reduces complexity, which again reduces costs down the road. For example, it makes it easier for third parties to integrate with your service, to name one benefit.

It may never be clear for each individual feature, but violations compound to form a mess of unpredictability. Facebook generally appears to me as being a company with a very strong engineering culture and so it surprises me a bit that they would let something like this slip. Maybe I'm just not seeing the whole picture and it is a clearly thought-out tradeoff and not simply negligence.


I use PHP every day. I understand how this happens. I've known about this particular trick for years.

... My heart still stopped.



His username is his full name and it's in his profile with his real email... that's not exactly noteworthy that you managed to find it.


Searching for '743264506' reveals that it is actually quite an old trick. And the poor chap whose Facebook profile number it is doesn't seem to be a geek, so he probably didn't invent it.


What?

It isn't anyone's profile number. It's a random number in a broken profile URL.



It's a coincidence that any profile exists with that number. It's meaningless too, you could use ANY number.


Sure you could. But do a Google search on this one and compare it with a Google search for a random number of similar length. Besides, you can see from the search that it is this number that is used quite often with this trick.


People have copied the URL, that's all. Similar URLs have also been copied.

What is your point?


I was just saying that it's interesting that this number has such a history. I didn't expect it. And from your first reply it seems you didn't either. It is a profile ID, not a random number, and it has been used multiple times for this exact trick.


I'm also a programmer, and I know how it works, but I've got to admit you freaked me out for a while :-)


Funny thing is that when you try to post it on your Facebook wall the preview shows your profile. But when somebody else clicks it, it takes them to their profile.


Previews on FB are loaded and processed in your own browser, and then results are uploaded to FB (to spare server load, I assume).


OK, that was disconcerting to click.


Lol


Oh you sneaky bastard!



