
Hacking Facebook

Warning!

The following article contains unethical practices, and, although legal at the time of writing (December 2011), may become illegal at some point. Don’t do it, kids!

With over 800 million active users (if it were a country, it’d be the third largest in the world), Facebook is undoubtedly a major player on the internet. Which, of course, makes it a target for hackers; the Holy Grail, some might say.

And they’d be right. Recently, a Reddit user discovered a fairly serious hole in Facebook’s reporting system that allowed you to view anyone’s profile picture; this was quickly fixed, but it got me thinking. How easy is it to, say, take control of someone’s account? Their social network? Their online identity?

Scarily easy. All it took was a couple of spare hours and some determination, knowing I’d get at least $500 for my efforts (that’s right, Facebook pays a bounty to people who find vulnerabilities in its site):

Firstly, I tried a hacker’s first port of call: tampering with image URLs (you know, changing query strings, switching the telltale characters in an ID), just like the profile picture hack. No such luck; it all looks pretty secure now (although I did find a lot of interesting pictures of myself). Then pages, which also yielded nothing. In a way, I was pleased to find this out; it meant that Facebook cared about our security. I know, just kidding.

Secondly, I tried the XSS route. As I’m sure you all know, Facebook has its own markup language, FBML (with a sandboxed JavaScript dialect, FBJS, to go with it), that web-masters such as myself can use to enhance our sites. Unfortunately, it’s pretty solid, and I didn’t get anything there either.

So I tried what I’m best at: crazy CSS. For this next trick, I positioned a link on top of a Facebook “like” button (this works for pretty much anything) using a negative margin and a high z-index. This worked a treat; however, as it requires user interaction, it’s not hacking. It’s just deceptive design (clickjacking, to give it its proper name). Feel free to click my 100% innocuous link below for an example of my “overlaid button” hack; be sure to also check out the CSS.

Of course, this requires our victim to interact with the page; something that works, but isn’t desirable. So, I had to keep on truckin’, as it were.

Out of inspiration, I decided to head on over to the Apple Store, and fix my faulty iPhone (half of my library had been replaced by Barry White — turns out I’d bought a lot of Barry White songs). After ashamedly leaving the Apple Store, it hit me.

Watching people take webcam pictures on the shiny iMacs made me think: maybe I can inject some nasty logic via a malformed image?

Bingo.

Jackpot.

It’s simple. An image, like any file, has file “headers”: a few bytes at the start of the file that tell a computer what the file is and what to do with it. Now, since a primitive web server never looks at these headers unless it actually parses the file, we can mutate the JFIF marker to read as a self-extracting *.zip file, and force the server (or a computer, for that matter) into unwittingly opening a file that seemed innocent. It’s the principle behind many computer viruses (you know, the ones your uncle forwards you every so often).

The specific part of the marker we want is the thumbnail metadata, which something more innocent, such as a digital camera, would use to store a little version of your picture. We’re going to inject some lovely JavaScript there instead.

In Facebook’s status-update form, a method, __inlineSubmit, is called, which adds a new post to the stream. It takes two parameters, this and event. Now, we can change those parameters to, say, reflect the details of your “victim”.

With that in mind, here’s a file I made earlier. It’s in a text file format for a reason: when opened, it will try to execute a bunch of PHP files, so, for the love of God, don’t open it! Just leave it on your desktop or something.

So, how do you use it? Simply find the ID of your victim’s profile (you can do this by replacing www with graph in their profile URL and reading the “id” field), and copy it to your clipboard. Then rename the file to “profile_[THE_ID].jpg”, and upload it as your profile picture.
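Before you try it, here’s what a server-side upload handler ought to be doing with that file. This is an added example, not code from the original post or from Facebook, and the sample bytes (a minimal JFIF, a zip local-file header, a plain text file) are constructed here. It identifies the upload by its leading bytes rather than by the .jpg in its name, walks the JPEG marker segments, and decodes the JFIF APP0 header, including the thumbnail fields mentioned above. A renamed text or zip file is rejected before anything ever looks at a “thumbnail”.

```python
import struct

# Leading bytes ("magic numbers") that identify common upload types regardless of
# the filename extension. A self-extracting archive is a Windows executable, so it
# starts with "MZ"; a plain zip starts with "PK\x03\x04".
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"PK\x03\x04": "application/zip",
    b"MZ": "application/x-msdownload",
}

# Constructed sample inputs (not real uploads): a minimal but valid JFIF file with
# no thumbnail, the start of a zip local-file header, and a plain text file.
SAMPLE_JPEG = (
    b"\xff\xd8"              # SOI
    b"\xff\xe0\x00\x10"      # APP0 marker, segment length 16 (includes the length bytes)
    b"JFIF\x00"              # identifier
    b"\x01\x01"              # version 1.01
    b"\x00"                  # density units: none (aspect ratio only)
    b"\x00\x01\x00\x01"      # X/Y density 1:1
    b"\x00\x00"              # thumbnail 0 x 0 pixels, so no thumbnail data follows
    b"\xff\xd9"              # EOI
)
SAMPLE_ZIP = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20 + b"payload.php"
SAMPLE_TEXT = b"this is not an image, whatever the filename says\n"


def sniff(data: bytes) -> str:
    """Identify the file type from its leading bytes, ignoring the filename."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each header segment of a JPEG up to SOS/EOI."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):              # EOI, or SOS (entropy-coded data follows)
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no EOI marker")


def jfif_info(app0_payload: bytes):
    """Decode a JFIF APP0 segment, including the embedded-thumbnail fields."""
    if not app0_payload.startswith(b"JFIF\x00") or len(app0_payload) < 14:
        return None
    major, minor, units, xdens, ydens, xthumb, ythumb = struct.unpack(
        ">BBBHHBB", app0_payload[5:14])
    thumb = app0_payload[14:14 + 3 * xthumb * ythumb]   # RGB thumbnail, 3 bytes per pixel
    return {
        "version": f"{major}.{minor:02d}",
        "units": units,
        "density": (xdens, ydens),
        "thumbnail": (xthumb, ythumb),
        "thumbnail_bytes": len(thumb),
    }


def validate_upload(filename: str, data: bytes) -> str:
    """Accept only files whose content really is JPEG; say why otherwise."""
    ext = filename.rsplit(".", 1)[-1].lower()
    actual = sniff(data)
    if ext not in ("jpg", "jpeg"):
        return f"reject: extension .{ext} is not an accepted image type"
    if actual != "image/jpeg":
        return f"reject: {filename} claims JPEG but the content is {actual}"
    try:
        segments = list(jpeg_segments(data))
    except ValueError as err:
        return f"reject: malformed JPEG ({err})"
    app0 = next((payload for marker, payload in segments if marker == 0xE0), b"")
    info = jfif_info(app0)
    if info is None:
        return "accept: JPEG without a JFIF APP0 header"
    # Whatever sits in the thumbnail is untrusted metadata; a real handler re-encodes
    # the image (which drops it) rather than storing the upload byte-for-byte.
    return (f"accept: JFIF {info['version']}, thumbnail {info['thumbnail'][0]}x"
            f"{info['thumbnail'][1]} ({info['thumbnail_bytes']} bytes of metadata to strip)")


if __name__ == "__main__":
    for name, blob in [("profile_1234.jpg", SAMPLE_JPEG),
                       ("profile_1234.jpg", SAMPLE_ZIP),
                       ("profile_1234.jpg", SAMPLE_TEXT)]:
        print(name, "->", validate_upload(name, blob))
```

Run it and the constructed JPEG is accepted while the renamed zip and text file are rejected on their first few bytes. A real handler goes one step further and re-encodes every accepted image, which throws away the APP0 thumbnail and any other metadata along with it.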

After completing that simple step, meet your victim; then wait until your victim has left a computer for a short period of time and, if (s)he’s still logged in, type “omg im so gayy <3”.

Congratulations, you just hacked Facebook!