
Hacking Facebook Accounts Through Facebook Applications [Report]

Facebook is one of the most popular social networking sites, which makes it the number one target of hackers. Facebook has implemented a lot of security on the server side, so hackers attack clients instead of attacking the server. In simpler words, hackers don't attack Facebook itself but instead attack Facebook users; this is where attacks such as phishing and keylogging come into play.

In the past, we have written several posts related to Facebook hacking and security; however, in this post we will not discuss any of those earlier methods. Instead, we will tell you how a Facebook password can be hacked through Facebook applications.

According to CNET:

Hackers have turned their attention to Facebook's hundreds of independent applications. The results are not terribly surprising, but do not tell a good tale: app developers don't seem to know a thing about basic security, and are putting private user information at risk. As a result, malicious hackers are able to access and change what should be private user data managed by the application providers.

A very simple example is hacking a Facebook username and password through static FBML. The hacker creates an application or a page that the user finds 'believable'. The user clicks on the page and checks the URL and the year the Facebook application/page was created. Facebook permits application developers to get access to large amounts of sensitive data, all without clear user consent, and this is how the hacker gets all the information he needs about the user.

According to the summary of the 2600 article:

In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid (Facebook user ID) before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea.
The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.
Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uids.

The Steps To Hacking Aren't Too Difficult:

1. The user clicks the link, and the session (cookies) can now be accessed by the hacker. Using just that, the hacker can log into anyone's account without a username and password.

2. The user sifts through the URL and, once found, enters their username and password.

3. After hitting the button, the user checks the password; a page pops up stating a 'Thank you' message, and a password rank page pops up.

4. When the user checks their email spam folder, there will be an email asking the user to try their password again.

According to Microsoft's Larry Osterman:

It takes a special mindset to think like a bad guy. Not everyone can switch into that mindset. For instance, I can't think of the number of times I had to tell developers on my team "It doesn't matter that you've checked the value on the client, you still need to check it on the server because the client that's talking to your server might not be your code."
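As an added illustration (not code from the article or from any of the applications it names), here is a toy Python model of the flaw the 2600 summary describes and of the server-side check Osterman insists on: the vulnerable handler takes the target uid from the posted form, while the fixed handler takes it from the authenticated session and refuses a mismatch. The class, its fields and the user ids are all constructed for the demo.

```python
# Added illustration, not the article's or any Facebook app's code; all names are made up.
from dataclasses import dataclass, field

@dataclass
class MoodApp:
    # session_id -> uid authenticated at login; never taken from the form
    sessions: dict = field(default_factory=dict)
    moods: dict = field(default_factory=dict)    # uid -> current mood
    history: dict = field(default_factory=dict)  # uid -> past moods
    friends: dict = field(default_factory=dict)  # uid -> set of friend uids

    def set_mood_vulnerable(self, session_id, form):
        """Trusts the posted uid: editing it in the form changes anyone's mood."""
        if session_id not in self.sessions:
            return "not logged in"
        uid = form["uid"]  # browser-controlled value
        self.history.setdefault(uid, []).append(self.moods.get(uid))
        self.moods[uid] = form["mood"]
        return "ok"

    def set_mood_fixed(self, session_id, form):
        """Takes the target from the session; a mismatching posted uid is refused."""
        uid = self.sessions.get(session_id)
        if uid is None:
            return "not logged in"
        if form.get("uid") not in (None, uid):
            return "forbidden"  # tampering attempt: worth logging, never honoured
        self.history.setdefault(uid, []).append(self.moods.get(uid))
        self.moods[uid] = form["mood"]
        return "ok"

    def mood_history(self, session_id, target_uid):
        """Histories are visible only to their owner and the owner's friends."""
        viewer = self.sessions.get(session_id)
        if viewer is None:
            return None
        if viewer != target_uid and viewer not in self.friends.get(target_uid, set()):
            return None
        return list(self.history.get(target_uid, []))

def demo():
    """Constructed scenario: User A posts a mood form whose uid was changed to User B's."""
    app = MoodApp(sessions={"sA": "userA", "sB": "userB"}, moods={"userB": "happy"})
    tampered = {"uid": "userB", "mood": "angry"}
    app.set_mood_vulnerable("sA", tampered)
    overwritten = app.moods["userB"]      # "angry": A changed B's mood
    app.moods["userB"] = "happy"
    verdict = app.set_mood_fixed("sA", tampered)
    return overwritten, verdict, app.moods["userB"], app.mood_history("sA", "userB")
```

`demo()` returns `("angry", "forbidden", "happy", None)`: the vulnerable handler let A overwrite B's mood, the fixed one rejected the same form, and A cannot read B's history because they are not friends.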

To Make Sure That Your Account Doesn't Get Hacked:

1. Don't click on a link from a person you don’t know.
2. Facebook is not going to ask if your password is strong or not.
3. Never trust any Facebook Applications.

Administrator on October 22, 2011 at 11:21 PM said...

Useful Article ..
Happy Hacking

ADMIN on October 31, 2011 at 3:46 AM said...

Nice info, thanks. For more backlinks or traffic, visit my blog.

Anonymous said...

Hi there, I appreciate all you do for protecting us; your posts are always of great help, I like them all, buddy. I was wondering if you can contact me in person; if you are willing to help me out, please contact me on
Looking forward to hearing from you.


Facebook Development on April 24, 2012 at 3:00 AM said...

What you're saying is completely true. I know that everybody must say the same thing, but I just think that you put it in a way that everyone can understand. I also love the images you put in here. They fit so well with what you're trying to say. I'm sure you'll reach so many people with what you've got to say.

Anonymous said...

Hi Rafay,
How can I create this application and hack with it?

Robiul Islam on November 8, 2012 at 10:53 PM said...


Gerhard Brill on May 29, 2013 at 2:53 PM said...

Hi. I visited your website for the very first time and have merely become your fan. Keep posting, as I'm going to come and see it clearly every day! Thanks.
electronic cigarette

Rafay Baloch is an independent security researcher, Internet marketer, entrepreneur and SEO consultant. He is the founder of the RHA blog and multiple other blogs. Rafay got famous after finding a Remote Code Execution bug inside PayPal, for which PayPal awarded him a sum of $10,000.


RHA © 2013. All Rights Reserved.