How to hack a facebook id without any software


Hacker Reveals How to Hack Any Facebook Account

Mar 08, 2016, by Swati Khandelwal

Hacking a Facebook account is one of the most common queries of Internet users today. It is hard to find out how to hack a Facebook account, but an Indian hacker just did it.

A security researcher discovered a 'simple vulnerability' in the social network that allowed him to easily hack into any Facebook account, view message conversations, post anything, view payment card details and do whatever the real account holder can.

Facebook bounty hunter Anand Prakash from India recently discovered a Password Reset Vulnerability, a simple yet critical vulnerability that could have given an attacker endless opportunities to brute force a 6-digit code and reset any account's password.

Here's How the Flaw Works

The vulnerability actually resides in the way Facebook's beta domains handle 'Forgot Password' requests.


Facebook lets users change their account password through the Password Reset procedure by confirming their Facebook account with a 6-digit code received via email or text message.

To ensure the genuineness of the user, Facebook allows the account holder to try up to a dozen codes before the confirmation code is blocked by brute-force protection that limits the number of attempts.

However, Prakash discovered that the social media giant had not implemented rate-limiting in its password reset process on the beta sites, beta.facebook.com and mbasic.beta.facebook.com, according to a blog post published by Prakash.

Prakash tried to brute force the 6-digit code on the Facebook beta pages in the 'Forgot Password' window and discovered that there is no limit set by Facebook on the number of attempts for beta pages.

Video Demonstration

Prakash has also provided a proof-of-concept (PoC) video demonstration that shows the attack at work. The video walks through the entire procedure.


Here's the culprit:

As Prakash explained, the vulnerable POST request in the beta pages is:

lsd=AVoywo13&n=XXXXX

Brute forcing the 'n' parameter allowed Prakash to set a new password for any Facebook account and thereby take complete control of it.

Prakash (@sehacure) discovered the vulnerability in February and reported it to Facebook on February 22. The social network fixed the issue the next day and paid him $15,000 as a reward, considering the severity and impact of the vulnerability.


How to Hack Facebook Account Just by Knowing Phone Number

Jun 15, 2016, by Swati Khandelwal

Hacking a Facebook account is one of the most common queries on the Internet today.

It is hard to find out how to hack a Facebook account or Facebook Messenger, but researchers have found a way that can allow someone to hack Facebook account passwords with only the target's phone number and some resources.

Yes, your Facebook profile can be hacked, no matter how strong your password is or how many extra security measures you have taken. No joke!

Hackers with resources to exploit SS7 network can hack your Facebook login and all they need is your phone number.

The weaknesses in the SS7 part of the global telecom network not only let hackers and spy agencies listen to personal phone calls and intercept SMS messages on a potentially massive scale, but also let them hijack social media accounts to which you have provided your phone number.

SS7, or Signalling System Number 7, is a telephony signalling protocol used by more than 800 telecommunication operators worldwide to exchange information with one another, handle cross-carrier billing, enable roaming, and provide other features.

However, an issue with the SS7 network is that it trusts text messages sent over it regardless of their origin. So, malicious hackers could trick SS7 into diverting text messages as well as calls to their own devices.

All they need is the target's phone number and some details of the target's device to initiate the silent snooping.

The researchers from Positive Technologies, who recently showed how they could hijack WhatsApp and Telegram accounts, now gave the demonstration of the Facebook hack using similar tricks, Forbes reported.

SS7 has long been known to be vulnerable, despite the advanced encryption used by cellular networks. The design flaws in SS7 have been public since 2014, when a team of researchers at German Security Research Labs alerted the world to them.

Here's How to Hack Any Facebook Account:

The attacker first needs to click on the "Forgot account?" link on the Facebook.com homepage to reset the target's password. When asked for a phone number or email address linked to the target account, the attacker provides the target's legitimate phone number.

The attacker then diverts the SMS containing a one-time passcode (OTP) to their own computer or phone, and can gain access to the target's Facebook account.

The issue affects all Facebook users who have registered a phone number with Facebook and have authorized Facebook Texts.

Besides Facebook, researchers' work shows that any service, including Gmail and Twitter, that uses SMS to verify its user accounts has left open doors for hackers to target its customers.

Although the network operators are unlikely to patch the hole any time soon, there are a few things smartphone users can do:

  • Do not link your phone number to social media sites; rely solely on email to recover your Facebook or other social media accounts.
  • Use two-factor authentication that does not rely on SMS texts for receiving codes.
  • Use communication apps that offer end-to-end encryption, so your data is encrypted before it leaves your smartphone, instead of your phone's standard calling feature.

However, the important thing to note is that the issue actually has nothing to do with the security of Facebook or any other website; it is a weakness in the telecom network.

"Because this technique [SSL exploitation] requires significant technical and financial investment, it is a very low risk for most people," a Facebook spokesperson told The Hacker News.
"As an added precaution, we recommend turning on two-factor authentication, called Login Approvals, in your Facebook security settings. Doing this will disable recovery via SMS on your account so even if someone has your phone number, they'll still need your password to access your account."

Update: If you think this technique is old and cannot be used to hack your social media, bank or other online accounts, you are mistaken. A real-world SS7 attack was spotted this month when unknown hackers exploited the design flaws in Signaling System 7 (SS7) to drain victims' bank accounts.


How to hack and crack someone's Facebook password with a set of ways and how to protect it

As one of the major social networks, Facebook plays an important role in the daily lives of its users. Through Facebook, people like to share their photos in the news feed, post the day's events, and keep in touch with their friends and family.

If you want to monitor Facebook content or hack someone's account, you've come to the right place. Here we will explain how you can hack a Facebook account, how hackers hack into Facebook accounts, and how to protect yourself.

This article explains how to hack a Facebook account and how to spy on Messenger instantly in a simple way. These tricks have been working for a long time and have helped many people hack FB accounts. In order to hack an account, you just need to know some of the friends of the Facebook account you want to hack. We got advice from ethical hackers on Facebook and created this guide, and we only use these steps to hack someone's account, or even your Facebook friends' accounts, when it is about ethical hacking (just for learning, or because your friend's account was hacked). Please do not abuse this manual.

By following this method, you can hack a Facebook account and log into Facebook Messenger through it. In the latest update, we mention mobile apps to help you hack a Facebook account, which you should try. Meanwhile, you can also check the topic How to hack WiFi password.

Before proceeding with the Facebook account hacking steps, click on any of the following procedures to solve your problem:

  • Delete Facebook account - to delete your Facebook account.
  • Facebook account recovery - forgot password.
  • Report to Facebook - Account hacked.

How to hack Facebook account (quick answer)

  1. Open Facebook.com and click forgot password
  2. Click "You no longer have access"
  3. Enter a new email ID.
  4. Contact a trusted person for help.

The following is a detailed explanation:

Method 1: Steps to hack Facebook account immediately using "Forgot Password":

In this method, if you know some details about the Facebook account's user, you can easily hack their account. Not only will you be able to access their account, but the Facebook account user will not be able to access it again. Follow the instructions below to learn how to hack someone's Facebook using this method.

Here are the steps to follow to access someone's Facebook account within minutes. Follow them, and if that doesn't work, just follow the other methods below, which will lead you to other great steps to hack an FB account and even get a Facebook account password using apps.

Step 1: Click Forgot Password

To hack a Facebook account, go to facebook.com and click on "Forgot Password?"

Step 2: Look for "I don't have access anymore". At the bottom of the password reset page, you will find "Do you no longer have access to this?" Click on it.


Step 4: Ask friends

Try to answer the security questions if you know the user well, and if your answer is correct, you will have to wait 24 hours to access the user's Facebook account.

If you don't know the user well, you can select the option "Recover account with friends" and select three friends for whom you want to receive a security code.

Ask your trusted contacts for help. Your friends now need to help you with this account: to log into it, you need to get the secret code from the three people that Facebook shows in this step. Try to get the code from these people, and after entering the codes press Continue.

Within 24 hours you will receive a new password and the account will be hacked. You can use this method to unlock your own account if you forgot your password and nothing else worked, or, for some good reason, to get into the account of someone who lost access to it; do not use it on a Facebook account for any other purpose.

Note: Although this method is effective, it has a significant drawback. The Facebook user whose account you want to hack will receive an email notification as soon as you try to reset their password. However, if the user doesn't check their email often, that's fine.

Method 2: crack Facebook password

There are many ways to crack a Facebook password. You could just look at people's computers while they type their Facebook password (just kidding); here are some great ways to crack a Facebook profile password.

Use applications that store what your friend types on his computer; here is the best free keylogger option.

You can also use a keystroke recorder for devices, like Keilama, which will actually store the Facebook password that the person enters.

A keylogger is an application that can be used to record keystrokes on a specific device. All you have to do is install the keylogger on the target device or on your device. If you have installed it on the target device, be sure to do so without the knowledge of the user. If you have installed it on your device, you will have to convince the user to log into their account using your device.

The keylogger runs in the background and records all keystrokes. When the user enters their username and password, you can see it later in the keylogger. In this way, you will know the user's login data as soon as they log into their Facebook account using your device.

It would be better if you installed the application on your device, because there is a chance that the user will know that it is on their device and it will be deleted.

Method 3: Hack Facebook Account Online Using Face Geek

FaceGeek is another way to hack a Facebook account. You can go to Face-geek.com and enter the user ID of the Facebook account you want to hack. Follow the steps below to hack a Facebook account using Face-geek.com.

Visit the face-geek.com account and enter the Facebook ID of the target Facebook account. You will receive your account password within 5 minutes.


Method 4: How to hack Facebook with Sam Hacker

Hacking a Facebook profile with Sam Hacker only takes 5 minutes. You can use Sam Hacker to hack a Facebook account just by using the user ID of the Facebook account you want to hack. You can only register for this service using your email ID.

Follow these steps to hack a Facebook account using Sam Hacker.

  1. Visit the Sam Hacker website (samhacker.com), the official site for hacking Facebook accounts.
  2. Enter the email ID of the account you want to hack.
  3. Within minutes, you will receive a hack report and can easily log into the Facebook account you want to hack.

Method 5: Hack Facebook with facebookhackerp

facebookhackerp.com is also a website that you can go to and just click on account hack. You will then be redirected to a page where you need to enter the Facebook profile you want to hack and click Enter. Then follow the instructions; the person's account will be hacked and you will get their Facebook password.

Method 6: Using special apps to hack Facebook

Hacking a Facebook account with spy apps is the safest and most effective method. While there are many websites that claim to be the best at hacking Facebook, or that say you only need to enter the target's email ID, they actually don't work at all. The email you enter there becomes part of their database and nothing else happens. Apart from being a waste of time, these websites can also steal your information.

Among all similar Facebook account hack apps on the market, this is the list of Best Android and iOS spy apps. It is the best choice for you to hack Facebook account.

Method 7: Phishing to Hack Facebook Account

Phishing is a popular way to hack Facebook accounts. It is very easy for a person with basic technical knowledge to create a phishing page. All you have to do is create a duplicate login page that looks exactly like the Facebook login page. When a Facebook user enters their username and password, they will not be able to log in, but you will be able to retrieve their username and password. It is also one of the safest methods since you don't have to take any risks here.

However, for this you will need to purchase hosting and a domain name. Once you've done that, it's easy to create a similar login page if you have a little knowledge of web design. You just need to trick the victim into entering login details on your page. Once he does, the details will be sent to your email and you will be able to access his account.

Method 8: Using social engineering to hack a Facebook profile

You don't need any special hacking skills if you want to hack a Facebook profile using social engineering. Almost every account on the web, including Facebook, uses security questions in case the user needs to change their account password. Some of the most frequently asked questions include "What is your nickname?", "Where is your hometown?", etc. If you know the account owner well, you can try to answer these questions and gain access to their Facebook account.

Many Facebook users use their phone number, their partner's name, or even their date of birth as their password. You can try to use it if you know it well. Although this method may seem very simple, it is useless if you do not know anything about the account holder.

Method 9: Use Facebook Password Extractor

Facebook Password Extractor is an application designed to hack a Facebook account through Windows. There is no need for physical access to the target phone in order to use this method to hack a user's Facebook account. You can learn how to hack a Facebook profile using Facebook Password Extractor as follows.

Step 1: Download Facebook Password Extractor on your Windows PC from the official website.

Step 2: Install the extractor using the installation wizard.

Step 3: Launch the application and you will see the username and password listed in it.

However, in order for this method to work, you need to install the application on the target device, which is not an easy task since it is a large application that the user is likely to notice.

Method 10: By stealing Facebook cookies

This method is a bit tricky, as you will need access to the target device if you are not a professional hacker. But before we get into the details of how to do this, let's understand what cookies are and how this method can work. Cookies are basically packets of data stored in the device's memory. You must have noticed that when you first view a website in your browser, it takes longer to open. This is related to cookies.

Now back to our topic. The cookies we request here are temporary and are automatically deleted as soon as you close your browser. Therefore, we will need to do this before the user closes the browser.

When a user logs into their account, wait for them to close the tab. Once they do that, you should try to trick them into giving you their device to search for something. Once you get the device, you will need to steal the cookies from the browser. To do this, you will need to run the following code.

 javascript:alert(document.cookie) 

This will give you a set of cookies. Now login to your account and do the same. You will receive a new set of cookies. Match what you have with the previous one and you will see which ones are on Facebook. Steal this set of cookies and you can use them at any time to log into your user account.

The only problem with this method is that every time the user logs out of their account, you are also logged out. To gain access after that, you will need to complete the entire task again.

Other ways to hack someone's Facebook account:

If these hack methods don't work, try other online hack apps to hack your friends' Facebook accounts. Check out the following online apps to hack a Facebook account; at least one of them actually works.

1. Wonder howto (null-byte.wonderhowto.com/how-to/4-ways-crack-facebook-password-protection) - This site provides you detailed content on how to hack a Facebook account and how to make it safe.

2. Hack Facebook (hack-facebook.com) - Try this Facebook hack site: you enter the Facebook account you want to hack and start hacking, and it might work.

3. Hyperhacker (Hyperhacker.com) is a Facebook hacking expert who has hacked over 1000 Facebook accounts and won multiple bug bounty awards.

4. SPYZIE (spyzie.com) is the latest tool on the market to hack your Facebook account.

How to protect your Facebook account from hackers:

  1. Do not use the same email ID as other social networks.
  2. Make your security questions even harder so no one can predict them.
  3. You must change your Facebook password at least once every two months.
  4. Keep your passwords safe, use a password manager.

If you have trouble hacking Facebook, just comment.

How hackers can hack into your Facebook account

Read on for all the possible ways to hack into your Facebook account, starting from password guessing and phishing methods and moving on to more complex techniques.

"How to hack Facebook?" is one of the most popular search queries on the Internet. Many of us have little idea how to hack someone's Facebook account, because it is a very difficult task, at least for beginners.

There are many websites on the Internet where you can find a huge number of tools and methods to hack into a Facebook account. But most of them are fake, and the rest need a thorough technical check. Please beware of Facebook hacking tools, as most of these tools will actually hack your account instead of the target user's account.

If hackers (fraudsters) can break into a Facebook account, it means they have found a security vulnerability and have a tool to exploit it. They could sell it on the black market and make big money, or use it themselves and make money selling the information. In that case, why would scammers offer their method online for free? Why would they create a tool, take risks, spend time and resources, and put it on the Internet absolutely free of charge? They get nothing in return by posting it online, do they?

So, with 100% certainty, the free hacking tools you see on the Internet are all fake. Don't waste your precious time searching for such tools.

But if all methods of hacking "Facebook" need to be tested, then why do many people become victims of hacking their own account?

There are several account hacking methods, one of which is phishing, which can be done easily using resources available on the Internet. We already wrote about such methods earlier in our article "What is phishing, general idea and examples".

It is definitely a cybercrime to sell account hacks, or the information obtained from a hack, on the black market or to any third party. But there is a way to make money ethically and completely legally by hacking Facebook. It is called the Bug Bounty program.

The Bug Bounty program is a program in which white-hat hackers try to find bugs and vulnerabilities in Facebook. In accordance with a responsible disclosure policy, they report the threats they find to Facebook's security team. The security team quickly analyzes and fixes the reported bugs and vulnerabilities, and then rewards the hacker for the work done.

We will look at the types of vulnerabilities in Facebook, fixed thanks to the Bug Bounty program, that could have allowed a fraudster to hack into any Facebook account. Please note that all the vulnerabilities listed here have been fixed by Facebook's engineering team and no longer work. But you will get a general idea of how hackers can break into any Facebook account.

Hack any Facebook account via SMS

This vulnerability could allow a user to hijack a Facebook account in seconds. All you needed was an active mobile phone number. The shortcoming existed in the last stage of number verification, when the user confirms their mobile phone number.

Exploiting this vulnerability was very easy. You had to send a message in the following format.

"FBOOK to 32665" (for US users)

You would receive a short code in response. Then you made a request to the Facebook server, attaching the target user ID, the resulting short code, and a few other parameters. That was all the magic.

Sample request

POST /ajax/settings/mobile/confirm_phone.php
Host: www.facebook.com

profile_id=&code=&other_boring_parameters

After the Facebook server responded, your mobile number was attached to the user account whose target ID you sent. You could then send a password change request using your mobile phone number and easily take over the target account.

This vulnerability was discovered by a computer scientist named Jack in 2013. Facebook's security team fixed the problem fairly quickly and rewarded him with a $20,000 bonus as part of their bounty program.

Hack any Facebook account using brute-force attacks

This is exactly what user Anand did in 2016. To hack the account, he used the brute-force method, a complete enumeration of all possible solutions to the problem. For this he was rewarded by Facebook with a $15,000 cash bonus as part of the Bug Bounty program.

This flaw was found in Facebook's account password recovery endpoint. Whenever users forget their password, they can change it using this option by providing their mobile phone number or email address.

A six-digit code is sent to the user to verify that the request was made by the account owner. The user can then change their password by entering the 6-digit verification code.

It is almost impossible to go through all the six-digit code options and use them to verify account access rights, since the Facebook server gives you only 10 to 12 attempts to enter different combinations of the verification code. Facebook's security service then temporarily locks the password reset for that account.

Anand found that the subdomains mbasic.facebook.com and beta.facebook.com did not apply this brute-force protection. This allowed trying every possible six-digit code and then changing the account password.

Sample request

POST /recover/as/code/
Host: mbasic.facebook.com

n=<6>&other_boring_parameters

Enumerating all possible values of the parameter n (the six-digit code) lets an attacker set a new password for any Facebook user. This can be achieved with any password-guessing tool available on the Internet.

Facebook's engineers fixed this vulnerability by setting a limit on the number of attempts that can be made against the code reset endpoint.

Hack any Facebook account using password guessing attacks - variant 2

Arun found the same brute-force vulnerability in a different Facebook subdomain (lookaside.facebook.com), for which he received a $10,000 reward from Facebook under the Bug Bounty program in 2016.

Initially Facebook security rejected the bug, saying they couldn't reproduce it. The vulnerability was only confirmed a few weeks later, and the fix was implemented as soon as Facebook's security team was able to reproduce the problem.

An example request looks like this:

POST /recover/as/code/
Host: lookaside.facebook.com

n=<6>&other_boring_parameters

The attack scenario is exactly the same as in the previous method; the only difference is the domain name.
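The brute-force bugs in the March 2016 article above and in the two variants here all come down to one missing control: a guess budget that every hostname shares. Below is an added example (my code, not Facebook's) of a reset-code verifier that enforces that budget in the shared backend; the cap of a dozen attempts comes from the article, while the 15-minute code lifetime and the single-use rule are assumptions.

```python
"""Password-reset code verification with a per-account attempt budget.

Added example, not Facebook's code. It models the protection the reports
above say was enforced on www.facebook.com but missing on the beta and
lookaside hosts: a six-digit code, at most a dozen guesses per account,
and a budget that lives in one shared store so every front-end hostname
draws from the same one.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_ATTEMPTS = 12           # "up to a dozen codes" per the article
CODE_TTL_SECONDS = 15 * 60  # assumption for this example: a code lives 15 minutes


@dataclass
class ResetChallenge:
    code: str           # six-digit code delivered by SMS or email
    issued_at: float
    attempts: int = 0
    locked: bool = False


@dataclass
class ResetService:
    # account id -> outstanding challenge; one store for all hostnames
    challenges: Dict[str, ResetChallenge] = field(default_factory=dict)
    clock: Callable[[], float] = time.time

    def issue_code(self, account_id: str) -> str:
        """Start (or restart) a password reset and return the code to deliver."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.challenges[account_id] = ResetChallenge(code, self.clock())
        return code

    def verify(self, account_id: str, submitted: str, host: str = "www") -> str:
        """Check a submitted code.

        Returns 'ok', 'wrong', 'locked', 'expired' or 'no_challenge'. The
        host the request arrived on is accepted only so callers can audit
        it; it never changes the budget, because the beta-domain bug was
        precisely a per-host difference in enforcement.
        """
        ch = self.challenges.get(account_id)
        if ch is None:
            return "no_challenge"
        if ch.locked:
            return "locked"
        if self.clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self.challenges[account_id]
            return "expired"
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            # Lock before comparing: a correct guess on the 13th try must not win.
            ch.locked = True
            return "locked"
        if hmac.compare_digest(ch.code.encode(), submitted.encode()):
            del self.challenges[account_id]  # single use
            return "ok"
        return "wrong"


def guesses_before_lockout(service: ResetService, account_id: str) -> int:
    """Count how many wrong codes a guesser can submit before the account locks.

    Walks the whole 6-digit space the way a guessing tool would, skipping the
    real code so the loop measures the budget rather than getting lucky.
    """
    issued = service.issue_code(account_id)
    tried = 0
    for candidate in range(1_000_000):
        code = f"{candidate:06d}"
        if code == issued:
            continue
        tried += 1
        if service.verify(account_id, code, host="mbasic.beta") == "locked":
            return tried - 1
    return tried
```

With the budget in place a guesser gets 12 of the 1,000,000 codes per reset, and the lock holds even if the 13th submission happens to be the right one.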

Hack any Facebook account using the Cross-Site Request Forgery method

Cross-Site Request Forgery (CSRF) is a type of attack that uses the victim's existing authentication and authorization to send a forged request to a web server from the victim's own browser.

This method requires the user whose account is being hacked to visit a link (in the browser the user uses to log in to Facebook) in order to complete the hack.

A CSRF vulnerability existed in the last step of requesting an email address on Facebook. When a user requested an email address, there was no server-side check of where the request came from. Thus, the vulnerability allowed an email address to be requested for any Facebook account.

Before creating the CSRF attack page, you needed to get the request URL for changing the email address. To do this, you tried changing your email address to one already in use by another Facebook account. You were then asked to verify that the email belonged to you.

The request popup redirected you to the URL of interest after you clicked the request button.

The URL should look like this:

https://www.facebook.com/support/openid/accept_hotmail.php?appdata={"fbid":"&code=

With that URL in hand, the last thing left was to create a page that loaded the URL in an iframe and send it to the victim.

The email address was attached to the victim's Facebook account as soon as they navigated to the page. That's it. The account could then be taken over using the password reset option.

This CSRF account hijacking vulnerability was discovered by Dan Melamed in 2013 and was immediately patched by Facebook's security experts.

Hack any Facebook account using CSRF - 2

This hacking technique is similar to the previous method, where the victim also needs to visit the attacker's website for the attack to work.

This vulnerability was discovered in the Contacts Import endpoint. When a user allows Facebook to access their contacts in Microsoft Outlook, the Facebook server makes a request and adds them to the corresponding Facebook account.

This is done by selecting "Find contacts on Facebook" in the account. You would then find the following request made to the Facebook server (using an intercepting proxy):

https://m.facebook.com/contact-importer/login?auth_token=

The same request could also be used for a CSRF attack. All that was needed was to place the URL in an iframe on the attack page and share the link to the page with the victim.

The victim's account will be hacked as soon as the victim visits such a page.

This bug was discovered by user Josip in 2013 and fixed by Facebook's security team.

Hacking any Facebook account activity

This CSRF vulnerability could allow an attacker to take full control of a user's account. It also made it possible to perform any actions anonymously in the victim's Facebook account (like pages, upload photos and videos, etc.) without hacking into the account.

This flaw existed in the final stage of the Facebook ad manager.

An example CSRF page for this request is a page with a form embedded in an iframe that automatically sends the POST request when the victim visits it. The attacker's email is then added anonymously to the victim's account.

The attacker can then hijack the victim's Facebook account simply by changing their password.

This vulnerability was discovered by Pouya Darabi in 2015, and Facebook awarded him a generous $15,000 Bug Bounty reward.
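The three CSRF cases above (the email request, the contact importer, and the ad manager form) share one root cause: the server acted on the session cookie alone, which the browser attaches to any request a third-party page triggers. The following added example (my code, not Facebook's) stands in for such an endpoint as a generic "attach email" action and shows the unprotected handler beside a hardened one; the origin string, the in-memory stores and the request shape are constructed for the example.

```python
"""CSRF protection for a state-changing account endpoint.

Added example, not Facebook's code. The vulnerable handler acts on the
session cookie alone, so a page the victim merely visits can fire it. The
protected handler also requires a POST, a same-site Origin header and a
synchronizer token bound to the session.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

SITE_ORIGIN = "https://www.facebook.com"  # origin the genuine form posts from
SERVER_SECRET = secrets.token_bytes(32)   # constructed; a deployment would persist it

SESSIONS: Dict[str, str] = {}        # session cookie value -> user id (constructed store)
ACCOUNTS: Dict[str, List[str]] = {}  # user id -> attached email addresses


@dataclass
class Request:
    method: str
    cookies: Dict[str, str]
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


def login(user_id: str) -> str:
    """Create a session for user_id and return the cookie value the browser stores."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user_id
    ACCOUNTS.setdefault(user_id, [])
    return sid


def csrf_token_for(session_id: str) -> str:
    """Token derived from the session id; one lifted from another session will not verify."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def add_email_vulnerable(req: Request) -> int:
    """The 2013 pattern: a cookie is all it takes, whatever page issued the request."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return 401
    ACCOUNTS[user].append(req.form["email"])
    return 200


def add_email_protected(req: Request) -> int:
    sid = req.cookies.get("session", "")
    user = SESSIONS.get(sid)
    if user is None:
        return 401
    if req.method != "POST":
        return 405  # no state change on GET, so <iframe src=...> cannot trigger it
    # A form auto-submitted from another site carries that site's Origin (or none).
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403
    # Synchronizer token tied to this session, compared in constant time.
    if not hmac.compare_digest(csrf_token_for(sid), req.form.get("csrf_token", "")):
        return 403
    ACCOUNTS[user].append(req.form["email"])
    return 200
```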

Hack any Facebook page without being an administrator

This method of hacking a Facebook page was found by a user named Arun in 2016, and he received a reward of 16,000 USD from Facebook under the bounty program.

In this case, the Business Manager endpoint used to assign the partner was vulnerable. Changing the partner's Business Asset ID parameter to Page ID allowed him to hack any Facebook page .

Request example:

POST /business_share/asset_to_agency/
Host: business.facebook.com

parent_business_id=&agency_id=&asset_id=

The "Business ID" parameter should be set to the attacker's business ID, and the "asset ID" parameter replaced with the ID of the target Facebook page.

That's it. The landing page is now being managed as a business page. An attacker could remove existing page admins to completely take control of Facebook page .

Hack private photos of Facebook users

This private photo vulnerability was discovered by Laxman Muthiyah in 2015. He received a $10,000 bounty from Facebook as part of the Bug Bounty program.

Private photos are primarily photos stored on your mobile device and not published on Facebook.

The Facebook mobile application has a built-in function for automatically synchronizing photos from the phone's gallery to Facebook. Interestingly, this feature was enabled by default on some phone models.

This feature uploads photos from your mobile phone to the Facebook server but keeps them private until you choose to publish them manually.

A vulnerability was found in the endpoint that handles these private photos. Any third-party application could view or access the user's private photos. For the attack to work, the third-party application had to have access to the user's public photos; only then could it access the private photos on Facebook.

An example request to access a victim's private photos looks like this:

GET /me/vaultimages
Host: graph.facebook.com

This request returned the private photos of the victim.

"Facebook" quickly fixed the issue by specifying the allowed applications that can access the image album endpoint.

Hack any photos of Facebook users

Arul Kumar found a way to delete any photo on Facebook in 2013 and was rewarded with a $12,500 cash prize for his efforts.

Facebook has a feature to notify the owner of a photo if someone wants to delete it. The owner of the photo receives a notification and a link to the deleted photo they once shared.

Arul detected that the photo control panel did not correctly check the owner's identity. This allowed an attacker to replace the owner ID parameter with their own Facebook account ID and obtain the link to delete the photo directly.

An attacker can then remove the photo using the obtained link from the vulnerability. Worst of all, the victim doesn't know the photo has been deleted. This vulnerability has now been fully patched.

Hack any photos or videos of Facebook users

This vulnerability, discovered by Laxman Muthiyah in 2015, allowed him to remove any album on Facebook. Albums with thousands of photos and videos could be deleted immediately without any involvement of their owner.

The Graph API is the main way of communicating between the Facebook server and applications developed by in-house or third-party developers. The Graph API endpoint was vulnerable to an insecure direct object reference, which is why it allowed Laxman Muthiyah to supply another user's album ID to trigger the deletion.

Sample request to delete any Facebook photo album:

POST /
Host: www.facebook.com

access_token=&method=delete

This deleted the album specified in the ID parameter. The attacker only needed permission to view the album in order to complete the attack. Facebook fixed this issue by restricting access to the endpoint to properly privileged users and awarded a $12,500 cash bounty to Laxman Muthiyah for reporting the vulnerability.
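The SMS confirmation bug (a client-supplied profile_id decided which account got the phone number), the Business Manager asset_id bug and this album deletion are the same defect: the server trusted an identifier from the request instead of deriving the acting user from the session or token and checking ownership. The added example below (my code, not Facebook's) shows the hardened form of two of those steps; the in-memory stores, the token map and the sample ids are constructed for the example.

```python
"""Object-level authorization for account-changing requests.

Added example, not Facebook's code. confirm_phone models the hardened
confirm_phone.php step: whatever profile_id the form carries is ignored and
the phone is attached only to the logged-in user the code was issued to.
delete_album models the hardened Graph API delete: being able to view an
album is not ownership, and only the owner may delete it.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class User:
    user_id: str
    phone: Optional[str] = None
    # (phone, code) issued to this user after they texted the short code
    pending: Optional[Tuple[str, str]] = None


@dataclass
class Album:
    album_id: str
    owner_id: str
    viewers: Set[str] = field(default_factory=set)  # may view, may not delete


USERS: Dict[str, User] = {}
ALBUMS: Dict[str, Album] = {}
TOKENS: Dict[str, str] = {}  # access_token -> user id (constructed stand-in for OAuth)


def confirm_phone(session_user_id: str, form: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Attach the pending phone to the session user if the code matches.

    Any 'profile_id' key in the form is deliberately never read: the target
    of the change is the authenticated user, full stop.
    """
    user = USERS.get(session_user_id)
    if user is None:
        return 401, None
    if user.pending is None:
        return 400, None  # no code was issued to this user
    phone, code = user.pending
    if not hmac.compare_digest(code, form.get("code", "")):
        return 403, None
    user.phone = phone
    user.pending = None
    return 200, phone


def delete_album(access_token: str, album_id: str) -> int:
    """Delete album_id on behalf of the token's user, owner only."""
    actor = TOKENS.get(access_token)
    if actor is None:
        return 401
    album = ALBUMS.get(album_id)
    if album is None or album.owner_id != actor:
        # Same answer for 'missing' and 'not yours', so ids cannot be probed.
        return 404
    del ALBUMS[album_id]
    return 200
```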

Hack any video on Facebook

User Pranav discovered a vulnerability that allowed him to delete any video on Facebook without any special permission.

Facebook lets users attach videos to comments under any post. Pranav found that it was possible to attach an existing video to a comment, and that deleting the comment then deleted the original video as well.

