Facebook: What If...?

9:58 AM

Note: none of these hunches have been tested and I have no idea if they really work. They are just theoretical attack scenarios to show how my brain assesses attack vectors when I see a piece of functionality.

Status Update takeover

First, in https://www.facebook.com/pageusername/settings?tab=mobile Facebook gives Pages an email address for posting a status update remotely. If you know that email, you can send any file to that *special* address from *any* email address and it will be uploaded as a status update on your Page.
For example, say my email is pXy251wiggly@m.facebook.com, which is very, very, very predictable to guess; emailing pXy251wiggly@m.facebook.com would result in my page having a status update.

Since my name is Paulos Yibelo (pXy), 251 is my country code and wiggly is a random English dictionary word. I have changed it to a custom one, so don't try it. :P But no, the *predictability* of the email isn't what I am trying to talk about.

The mail IDs are always 12 characters long unless changed to a custom one (which is unlikely to be the default action), and if you notice, they only contain small letters and numbers, and half of the word is a dictionary word. Using this we can construct a recursive script to find the email, but note that we will find lots of random emails in the process of finding the one we want. The testing part is the hard one: we need either zombies or a kickass bulk-mail program.

With a friend, we wrote a final Python script (http://pastebin.com/7HfJ34Bg) to obtain all possible emails.

import random
import string

# values only contain small letters and numbers
letters = string.ascii_lowercase + string.digits

def generateWord():
    letter = ''
    for i in range(12):  # all possible values are 12 in length
        letter += random.choice(letters)
    return letter

# add all possible values to list
file = open("wordList.txt", "a")
seen = set()  # avoid duplicates
counter = 1
while True:
    try:
        generated = generateWord() + "@m.facebook.com"
        if generated in seen:
            continue
        seen.add(generated)
        file.write(generated + "\n")
        print(counter, "words generated so far")
        counter += 1
    except KeyboardInterrupt:
        file.close()
        break

If the above script runs long enough, it will have generated all the possible combinations of emails Facebook will ever have, and that number keeps rising. Now we can multi-thread it and speed the process up, again and again.

Note: there is a low probability of finding a large amount of *actual* emails. Thanks to automation and kickass processing, it is possible.

Yes, it's less practical. But let's assume the 7b people around the globe have accounts. Assume I have already run that script and have the same database of users Facebook will ever have in a public database file. Assume I have 9 billion zombies/botnets that each mass-mail 100 mails a second; that's 9^10*100 emails sent per second. Assume all these zombies mail the addresses in the public database, programmed to multi-thread so the process succeeds cleanly. Now in my theory, if it succeeds, it takes less than a month to mail all Facebook Page accounts. :)

Account ID Takeover

Facebook allows a user to create a username, and a profile can be accessed via facebook.com/username or facebook.com/profile.php?id=userid (or the username). Demos include:

So the flaw here is to override the ID by creating a username equal to the numeric id of an upcoming or already existing account that has no username. Meaning if, for example, there is a guy with an id 009834234 (not real), he can access his account via the profile.php?id= URL.


But if we create a username equal to that id from facebook.com/username, then when people navigate to his profile id they will get our account (the username that is his id) instead.

Now Facebook doesn't allow all-numeric IDs as usernames. :)
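To make the collision concrete from the defender's side, here is a small added example (not code from the original post) with a toy profile store: a naive resolver that lets a user-chosen handle shadow a numeric profile id, beside a hardened version that rejects digit-only handles at creation and always resolves digit-only paths as ids. All ids, names and the store itself are constructed for the example.

```python
import re

# Constructed toy data: profile ids and owner names, not real accounts.
PROFILES_BY_ID = {"009834234": "victim", "500000001": "attacker"}
USERNAMES = {}  # user-chosen handle -> owning profile id

def create_username_naive(handle, owner_id):
    # Registers any unused handle, even one that looks like a profile id.
    if handle in USERNAMES:
        raise ValueError("handle taken")
    USERNAMES[handle] = owner_id

def resolve_naive(handle):
    # Username lookup wins, so a handle equal to someone's id shadows them.
    if handle in USERNAMES:
        return PROFILES_BY_ID[USERNAMES[handle]]
    return PROFILES_BY_ID.get(handle)

def create_username_hardened(handle, owner_id):
    # Digit-only handles (ASCII digits only) are reserved for profile ids.
    if re.fullmatch(r"[0-9]+", handle):
        raise ValueError("all-numeric handles are reserved for profile ids")
    if handle in USERNAMES:
        raise ValueError("handle taken")
    USERNAMES[handle] = owner_id

def resolve_hardened(handle):
    # Digit-only paths are ids, never usernames, whatever was registered earlier.
    if re.fullmatch(r"[0-9]+", handle):
        return PROFILES_BY_ID.get(handle)
    if handle in USERNAMES:
        return PROFILES_BY_ID[USERNAMES[handle]]
    return None

def demo():
    # Shows the takeover under the naive rules and its rejection under the hardened ones.
    USERNAMES.clear()
    create_username_naive("009834234", "500000001")
    hijacked = resolve_naive("009834234")        # the victim's id now lands on the attacker
    still_owner = resolve_hardened("009834234")  # hardened resolver ignores the bogus handle
    try:
        create_username_hardened("009834234", "500000001")
        rejected = False
    except ValueError:
        rejected = True
    return hijacked, still_owner, rejected
```

Note that the hardened resolver protects existing profiles even if a digit-only handle was registered before the creation check was added.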

  1. Nice picture and writeup. Keep up

  2. This is actually weird - I was looking up writingelites prices and I wasn't even thinking of any code right now though I needed some tips on one. And then I decided to drop by here, just without any purpose and the first post I read contains the exact code I needed. Thank you for reading my mind! :)

