Maximum IT
The Tip of the Facebook Exploit Iceberg


I just sent Paris Hilton a beer.

Anonymously, of course. We're not even friends; I can't see her profile. But the hotel heiress now has a Guinness courtesy of yours truly, one more example of how certain Facebook applications can be bent to your will with a little ingenuity. The Free Gifts application enforces its friends-only rule in your browser, not on its own servers, so anyone willing to edit a single form field can send a gift to any user on the site. That's a fun way to mess with your friends, but it's only the tip of the exploit iceberg that Facebook's applications have opened up. Here's how it works:

First, grab Firebug, a Firefox extension that lets you inspect and edit a page's DOM, including form fields the page never shows you. Install the Free Gifts application on Facebook and surf over to its sending page. Select a gift, tick Anonymous, and enter the name of one of your friends in the To: field. In two separate windows, pull up your target's profile, plus some means of finding your target's ID number (as detailed earlier). Note the target's Facebook ID number and surf back to the Free Gifts sending page.

Right-click the Send Gift button and choose Inspect Element, then click the DOM tab at the top of Firebug's panel. Scroll down until you find the To: field. You'll see a number: that's the Facebook ID of the friend you entered in the To: field. Click the number and Firebug opens a long list of properties. Scroll down to the "Value" field; it should sit right below "Type: Hidden". Double-click the ID number and enter the target's Facebook ID in quotes. Hit Enter, go back to the Free Gifts sending page and click Send Gift. Blam. One anonymous gift to someone who isn't your friend, has blocked you, whatever. The application's servers deliver to whatever ID arrives in that hidden field; they never check that the recipient is actually one of your friends.


You'll go blind trying to find it, but the key to Free Gift sending is that little To field, which carries your recipient's Facebook ID as a hidden value. Replace it with a new target and fire away!
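To make the failure concrete, here is an added example (not code from the article, and not Facebook's or the Free Gifts application's own code) that models the send handler on the server side. The user IDs, the friendship and block lists, the form field names and the handler names are all constructed for illustration. The vulnerable handler delivers to whatever ID the hidden field carries, exactly as described above; the hardened one re-derives who the sender is from the session and checks friendship and blocks against its own data, so editing the field in Firebug achieves nothing.

```python
# Added example: why a hidden "to" field is not a security boundary.
# All IDs, relationships and field names below are constructed sample data.

# Constructed social graph: who is friends with whom, and who has blocked whom.
FRIENDS = {
    "1001": {"1002"},   # the attacker (1001) is friends with 1002 only
    "1002": {"1001"},
    "1003": set(),      # the celebrity (1003) is not friends with 1001
}
BLOCKED = {"1003": {"1001"}}   # and has in fact blocked 1001


class Forbidden(Exception):
    """Raised when the server refuses to deliver the gift."""


def build_form(sender_id, recipient_id):
    """What the sending page submits. The 'to' value was put in a hidden
    <input> by the server, but once it is in the browser the client owns it."""
    return {"from": sender_id, "to": recipient_id, "gift": "guinness", "anonymous": "1"}


def tamper(form, new_to):
    """The Firebug step: overwrite the hidden input's value before submitting."""
    edited = dict(form)
    edited["to"] = new_to
    return edited


def send_gift_vulnerable(session_user, form):
    """Trusts the form because the UI only ever offered friends as recipients.
    The session user is never consulted for authorisation at all."""
    return {"delivered_to": form["to"], "anonymous": form["anonymous"] == "1"}


def send_gift_hardened(session_user, form):
    """Authorises from server-side state only: the sender is whoever the
    session says, never form['from'], and the recipient must be a friend
    who has not blocked the sender."""
    recipient = form["to"]
    if recipient not in FRIENDS.get(session_user, set()):
        raise Forbidden("recipient is not a friend of the sender")
    if session_user in BLOCKED.get(recipient, set()):
        raise Forbidden("recipient has blocked the sender")
    return {"delivered_to": recipient, "anonymous": form["anonymous"] == "1"}


def demo():
    """Run both handlers against a legitimate and a tampered submission.
    Returns (vulnerable_result, hardened_result) for the tampered form,
    where hardened_result is the refusal message."""
    legit = build_form("1001", "1002")        # gift to a real friend
    forged = tamper(legit, "1003")            # hidden field rewritten to the celebrity
    vulnerable = send_gift_vulnerable("1001", forged)
    try:
        hardened = send_gift_hardened("1001", forged)
    except Forbidden as exc:
        hardened = str(exc)
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is not the specific checks but where they run: the sender identity comes from the session, and the friends-only rule is evaluated against data the client cannot edit. Any Facebook application that lets the browser tell it who the recipient is has the same hole, whatever the gift is called.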

That's just the tip of the iceberg, as I mentioned earlier. The Consumerist has a nice write-up on other potential exploits, including one that lets you set your friends' Mood for them. 2600 also ran this information in its Winter issue, so check that out for more details, or go straight to one of the original sources of the exploits, the now-defunct Facebook Application Smashing blog.

While Facebook itself, meaning the service's core functions, is relatively exploit-free, mark my words: these applications will open up a world of open doors for industrious Facebook tricksters. Any application that lets the browser tell it who the recipient is, instead of checking on its own servers, has the same hole. We'll update as we find more fun things to do!

Comments (6)

Facebook ID

Hi, is there a way to find the name and photo of a Facebook user, given only their ID number? Not to gain access to their account, but to provide a profile image and name? Thanks.

How was the hole fixed?

Now I don't know very much about hacking, but out of curiosity, how exactly did Facebook fix this hole? What has changed since Ng sold out the secret? I'd say the best way to get past Facebook's security is to know how it works. Also, is it possible to trick the system into believing that you are a friend and allow you to view the profile?

Hah, finally some Byron Ng hate.

Good article. Byron Ng is a tool. I've had these exploits on my site for almost 2 months now. I just love how he claimed he discovered them.
If it weren't for him we'd still be using them...
Byron Ng even called the press last year claiming to have a pre-release of that Harry Potter book. Guess what? So did hundreds of thousands of other people who know what a torrent is. I think he just craves attention.

I'm curious to see what

I'm curious to see what Paris Hilton's private pictures are...

I've already seen her

I've already seen her privates, why exploit to see them again?

Exactly, enough of the ugly

Exactly, enough of the ugly stick already
