How To Hack A Facebook Account Password Without Downloading Anything

"How to Hack Facebook?" is ane of the most searched questions on the Net. Many of us badly want to hack into someone's Facebook account but plainly that's not an easy job, at to the lowest degree for a novice.

There are tons of websites on the Internet where you lot can observe a variety of tools and methods on hacking Facebook merely nearly of them are fake and the residual of them need technical expertise. Please beware of hacking tools, nigh of the tools actually hack your Facebook account instead of the target user.

If someone is able to hack Facebook account, it means they have an account takeover security vulnerability affecting FB. They tin sell it to a black market illegally for millions of dollars. They tin can become instant fame and thousands of dollars in reward if they written report the vulnerability legitimately through bug bounty program.

What do they get by sharing the method online, that too for complimentary? What practice they get for creating a free tool / software based on it? Absolutely NOTHING.

And then the free hacking tools y'all see on the Internet are all imitation. Don't waste your precious fourth dimension searching such hack tools.

If all the FB hacking methods need technical expertise, then how come up a large number of people go their account hacked?

In that location are some methods similar Phishing that tin be easily done past using the resources bachelor on the Net. Y'all can learn more most such Facebook hacking methods.

Besides, run into why Facebook rewarded me $10,000 USD forhacking Facebook mobile app's individual photosusing a security vulnerability.

A thief might not always use your doorway to enter abode. The aforementioned way,a hacker may not demand your password at all the fourth dimension to hack your Facebook business relationship. Really, most of the time a countersign is not necessary for a hacker to hack your Facebook account. Sounds weird? Information technology would unless you are a hacker 😉

Hackers are non magicians to use tricks to get the show done. They exercise information technology in a hard way. They spend twenty-four hours and nighttime researching to observe a security vulnerability affecting Facebook. Hacking an account isn't difficult once they accept a vulnerability.

We are going to encompass some Facebook hacking techniques discovered on bug bounty programme that could have let anyone hack into any FB business relationship WITHOUT Countersign. Please note that all the methods listed here are patched by the Facebook team and it no longer works. Only yous will get a basic idea of how hackers could hack an account without knowing the actual password. Bank check the link placed in each method if you lot desire to view more details.

1. Hack whatever Facebook account with a mobile SMS

This vulnerability could permit a user to hack FB account easily in a fraction of seconds. All yous need is an active mobile number. This flaw existed in ostend mobile number endpoint where users verify their mobile number.

Execution of this vulnerability is very uncomplicated. We should send a bulletin in the post-obit format.

FBOOK to 32665 (for the U.s.a.)

You should receive a shortcode. And then, a request to the FB server with the target user ID, shortcode, and a few other parameters could do the magic.

Sample Asking

Post /ajax/settings/mobile/confirm_phone.php
Host: www.facebook.com

profile_id=<target_user_id>&code=<short_code>&other_boring_parameters

That'south information technology. Sending this asking to Facebook server with whatever user cookies tin can hack the target account. Your mobile number volition be fastened to the target user's FB account one time you lot get a response from the FB server. Now yous can initiate a password reset request using the mobile number and hack into the target business relationship hands.

This vulnerability was found past Jack in 2013. FB security team patched the issue pretty rapidly and rewarded him $20,000 USD every bit a part of their bounty program.

2. Hack any Facebook account using Brute Forcefulness Attack

This animate being force vulnerability leads to complete FB business relationship takeover which was found by Anand in 2016. Facebook rewarded him $15,000 as a function of their bug bounty programme.

This flaw plant on reset password endpoint of Facebook. Whenever a user forgets his password, he/she can reset their password using this pick past inbound his/her phone number or email address.

A 6 digit code will be sent to the user to verify whether the request is made past the concerned person. The user can then reset their countersign past entering the six digit verification lawmaking.

I cannot endeavor different combinations of the code more than than x to 12 attempts since the FB server volition block the account for password reset temporarily.

Anand plant that mbasic.facebook.com and beta.facebook.com failed to perform the beast force validation thus allowing an assailant to try all the possibilities of the six-digit lawmaking.

Sample Request

Post /recover/equally/code/
Host: mbasic.facebook.com

north=<6_digit_code>&other_boring_parameters

Trying all the possibilities (fauna forcing) of the six-digit parameter (n=123456) allows an attacker to set up a new password for any FB user. This can be achieved by any fauna force tool available online.

Facebook fixed this vulnerability by placing limits on the number of attempts one can execute on the reset code endpoint.

iii. Hacking whatever Facebook account using Creature Strength Attack – 2

Arun found the same fauna force vulnerability in another subdomain (lookaside.facebook.com) of Facebook that had got him $x,000 reward from Facebook in 2016.

Initially, they rejected the bug by saying that they are unable to reproduce information technology. The vulnerability was accepted merely later on a few weeks time and the patch was rolled out as shortly as their security team was able to reproduce the effect.

And the sample request looks like this

Mail /recover/as/code/
Host: lookaside.facebook.com

north=<6_digit_code>&other_boring_parameters

The attack scenario is exactly the same that nosotros have seen in the previous method and the only difference is the domain name.

four. Hacking whatever Facebook account using a Cross Site Request Forgery Attack

This method requires the victim to visit a website link (in a browser where the victim should be logged into Facebook) to complete the hacking attack.

For those of you who don't know about CSRF attacks, read about it hither.

The flaw existed in claiming e-mail address endpoint of Facebook. When a user claims an email address, at that place was no server-side validation performed of which user is making the asking thus it allows an email to exist claimed on whatsoever FB account.

You need to get the electronic mail merits URL before create a CSRF attack page. For that, attempt to modify your email address to an email address that is already used for a FB account. Then you will exist asked to claim the email if that belongs to y'all.

A popup with claim button should redirect you to the URL we demand in one case we click on the claim push.

URL should wait like

https://www.facebook.com/back up/openid/accept_hotmail.php?appdata=%7B%22fbid%22%3A%22&code=<lawmaking>

You have got the URL. The terminal thing nosotros have to practice is to create a page to put the URL in an iframe and transport it to the victim.

The electronic mail address will be attached to the victim'south Facebook account once he/she navigates to the URL. That's it. You can at present hack victim's Facebook account through reset password option.

This CSRF account takeover vulnerability was found by Dan Melamed in 2013 and was patched immediately by FB security team.

five. Hack whatsoever Facebook account using CSRF – 2

This hacking technique is similar to the previous 1 where the victim needs to visit the assailant website for the attack to work.

This vulnerability was establish in contact importer endpoint. When a user approves Facebook to admission Microsoft Outlook's contact book, a request to FB server is made that in turn adds the electronic mail to the respective Facebook account.

I can do this by Find contacts option in the assaulter Facebook account. Then you should find the following request made to FB server (apply intercepting proxy like burp)

https://m.facebook.com/contact-importer/login?auth_token=

The aforementioned GET request tin be used to perfrom the CSRF attack. All you have to practice is to embed the URL in an iframe in the set on page and share the link with the victim.

Victim's account can exist hacked as soon equally the victim visits the attack folio.

This issues was plant by Josip on 2013 and patched by FB security team.

6. Hacking whatsoever actions on Facebook account – A CSRF Bypass

This CSRF vulnerability allows the aggressor to have over the account completely and also it has the ability to perform any deportment like liking folio, posting a photo, etc. on the victim's Facebook account anonymously without hacking into the account.

This flaw existed in the ads director endpoint. The sample account have over CSRF request wait like this

POST /ads/manage/abode/?show_dialog_uri=/settings/e-mail/add/submit/?new_email=<attacker_email>

All the attacker has to do is to craft a CSRF page with a form to auto submit the mail request in an iframe when the victim lands on the page. The attacker'southward electronic mail will exist added to the victim's account anonymously.

And so the attacker tin hack into victim's Facebook business relationship by resetting the password.

This was institute past Pouya Darabai in 2015 and got a bounty of $fifteen,000 through Facebook issues bounty program.

7. Hack any Facebook page without being an admin

This Facebook page hacking method was found by Arun in 2016 and has got a reward of $sixteen,000 USD for it.

Business manager endpoint used to assign a partner was vulnerable in this instance. Changing the partner business asset ID parameter to a folio ID allowed Arun to hack into any folio.

Sample Asking

Postal service /business_share/asset_to_agency/
Host: business organization.facebook.com

parent_business_id=<business_id>&agency_id=<business_id>&asset_id=<target_page_id>

Business ID parameter should be assigned to the assaulter's business ID and asset ID parameter should be replaced with the target Facebook page ID.

That is it. Now the target page should exist endemic by the business. The attacker can remove the existing page admins to completely take over the Facebook folio.

8. Hacking Facebook user's Private Photos

This individual photos vulnerability was found by me in 2015 and got a reward of $x,000 as a role of their bounty program.

What do I mean by Private photos in the first place? The photos that you take in mobile and non published to Facebook those are the ones I mean when I say private photos.

The mobile app has a default feature chosen syncing mobile photos. Interestingly this feature was turned on by default in some mobile phones.

This characteristic uploads your mobile photos to FB server but keeps it private until you manually publish it to Facebook.

A Vulnerability in an endpoint treatment these private photos allows whatsoever third party app to view/access user's private photos. For this attack to work, the third party app must accept access to user's public photos, but then information technology can access the private photos.

Sample asking to Graph API to admission the private photos of victim looks like this

Get /me/vaultimages
Host: graph.facebook.com

access_token=<victim_access_token>

That'south it. The response from the API endpoint should have the URLs to private photos of the victim.

Facebook patched the issue past whitelisting the apps that tin access vaultimages endpoint.

9. Hacking any Facebook user's Photos

Arul Kumar found a way to delete whatever photo on Facebook in 2013 and they rewarded him $12,500 for his efforts.

Facebook has a feature to study photograph to the possessor if someone want to get the photo removed. The owner of the photo gets a notification and a link to delete the photo once reported by someone.

Arul found that the support dashboard photo reporting feature wasn't validating the owner IDs properly thus it immune him to replace the owner ID parameter with his ain Facebook account ID to get the photograph deletion link directly.

So the attacker can delete the photo with the aid of gained link from the exploit. The worst function about this attack is that the victim won't know the photo was deleted. This vulnerability is completely fixed now.

10. Hack any Facebook user's photo/video Albums

This vulnerability was plant past me in 2015 that allowed me to take down any albums on Facebook. Albums with thousands of photos and videos can be deleted instantly without the interaction of its owner.

Graph API is the primary way of communication betwixt the server and native/tertiary party apps. Albums node of Graph API endpoint was vulnerable to insecure object reference thus it immune me to issue any user'southward album ID to procedure the deletion.

A sample asking to delete whatsoever Facebook photo album

Mail /<album_id>
Host: www.facebook.com

access_token=<top_level_facebook_access_token>&method=delete

This could delete the album specified in the ID parameter. The attacker should have the permission to view the anthology to consummate the assault. Facebook patched this event by fixing the endpoint to but allow users with privileges and rewarded me $12,500 USD for reporting the vulnerability.

11. Hack whatsoever Facebook videos

Pranav constitute a vulnerability that allowed him to delete any Facebook videos without concent permissions.

Facebook has an option to add video to comments on any post. Pranav institute that attaching existing videos to a comment is possible and deleting the annotate could permit us delete the source video easily.

So the attacker should try to edit an existing annotate on a post with the someone'southward Facebook video ID through the post-obit graph API request.

POST /<post_id>/comments?attachment_id=<target_video_id>
Host: graph.facebook.com

The target video should be added to the comment. Now the assaulter has to delete the annotate to delete the source video. The video should exist deleted in few seconds as before long as the comment is deleted.

Source: https://thezerohack.com/hack-facebook-password

Posted by: simpsoncepteas.blogspot.com

Share this post