The Tip of the Facebook Exploit Iceberg
I just sent Paris Hilton a beer.
Anonymously, of course. We're not even friends. I can't see her profile. But the hotel heiress now has a Guinness courtesy of yours truly, just one more example of how certain Facebook applications can be broken with a little ingenuity. Sending Free Gifts to anyone using the application is a fun way to screw with your friends, but it's only the tip of the exploit iceberg that Facebook's applications have opened up. Here's how it works:
First, you need to grab a fun little Firefox extension called Firebug. It opens up web pages to tweaking in a variety of fun, form-intensive methods. Install the Free Gifts application on Facebook and surf on over to the sending page. Select a gift, click Anonymous, and enter the name of one of your friends in the To: field. In two separate windows, surf to Facebook yet again and pull up your friend's profile, as well as some means for finding your target's ID number (as detailed earlier). Remember your friend's Facebook ID number, and surf on back to the Free Gifts sending page.
Right-click on the Send Gift button and click Inspect Element. Then click on the DOM tab at the top of Firebug's little window. Scroll down--you're looking for the To: field. When you find it, you'll see a number. Guess what? That's the Facebook ID number of the person you entered in the To: field! Click on the number and Firebug will open up a large list of other options. Scroll down until you've found the "Value" field--it should be right below the "Type: Hidden" option. Double-click on the ID number and enter the target's Facebook ID in quotes. Hit Enter, then turn your attention to the Free Gifts sending page and hit Send Gift. Blam. One anonymous gift to someone who isn't your friend / has blocked you / whatever.

You'll go blind trying to find it, but your key to Free Gift sending is that little To field that pushes out your recipient's Facebook ID. Replace it with a new target and fire away!
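The trick works because the recipient comes from a hidden form field that the browser controls. The sketch below is an added example, not code from Free Gifts or Facebook: it assumes the application's server used the submitted ID unchecked, and shows that handler beside one that re-authorizes the recipient on the server. The handler names, friend graph, and user IDs are all constructed for illustration.

```python
# Added illustration; all names and IDs below are constructed, not Facebook's or the app's.
FRIENDS = {1001: {1002, 1003}, 1002: {1001}, 1003: {1001}}  # user ID -> friend IDs
BLOCKED_BY = {1003: {1001}}              # user ID -> IDs that user has blocked


class GiftRejected(Exception):
    pass


def send_gift_trusting(session_user, form, outbox):
    """Assumed original behaviour: the hidden 'to' value is used as submitted."""
    outbox.append((session_user, int(form["to"]), form["gift"]))


def send_gift_checked(session_user, form, outbox):
    """Re-authorize the recipient on the server for every request."""
    raw = form.get("to", "")
    # The field is client-controlled text: accept only a plain ASCII integer.
    if not (raw.isascii() and raw.isdigit()):
        raise GiftRejected("malformed recipient id")
    to = int(raw)
    if to not in FRIENDS.get(session_user, set()):
        raise GiftRejected("recipient is not a friend of the sender")
    if session_user in BLOCKED_BY.get(to, set()):
        raise GiftRejected("recipient has blocked the sender")
    outbox.append((session_user, to, form["gift"]))


def demo():
    """Submit a legitimate form and an edited one to both handlers."""
    legit = {"to": "1002", "gift": "beer"}
    edited = {"to": "2002", "gift": "beer"}   # hidden field changed to a stranger
    trusting, checked, rejected = [], [], []
    for form in (legit, edited):
        send_gift_trusting(1001, form, trusting)
        try:
            send_gift_checked(1001, form, checked)
        except GiftRejected as err:
            rejected.append(str(err))
    return trusting, checked, rejected


if __name__ == "__main__":
    print(demo())
```

The checked handler takes the sender from the session and treats the form value only as a request to be authorized, so editing the hidden field changes nothing the server was not already willing to do.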
That's just the tip of the iceberg, as I mentioned earlier. The Consumerist has a nice little write-up on other potential exploits, including one that allows you to set the Mood of your friends for them! That said, 2600 ran this information in their Winter Issue, so check that out for even more details! Or just surf on over to one of the original sources of the exploits, the defunct Facebook Application Smashing blog.
While Facebook itself--the service's core functions--is relatively exploit-free, mark my words: these applications will open a world of doors for industrious Facebook tricksters. We'll update as we find more fun things to do!