Get Mystery Box with random crypto!

A popup with claim button should redirect you to the URL we ne | 🏴‍☠️ HACKERS CREED 🏴‍☠️

A popup with claim button should redirect you to the URL we need once we click on the claim button.
URL should look like

https://www.facebook.com/support/openid/accept_hotmail.php?appdata=%7B%22fbid%22%3A%22&code=

You have got the URL. The last thing we have to do is to create a page to put the URL in an iframe and send it to the victim.
The email address will be attached to the victim’s Facebook account once he/she navigates to the URL. That’s it. You can now hack victim’s Facebook account through reset password option.
This CSRF account takeover vulnerability was found by Dan Melamed in 2013 and was patched immediately by FB security team.

5. Hack any Facebook account using CSRF – 2

This hacking technique is similar to the previous one where the victim needs to visit the attacker website for the attack to work.
This vulnerability was found in contact importer endpoint. When a user approves Facebook to access Microsoft Outlook’s contact book, a request to FB server is made that in turn adds the email to the respective Facebook account.
One can do this by Find contacts option in the attacker Facebook account. Then you should find the following request made to FB server (use intercepting proxy like burp)

https://m.facebook.com/contact-importer/login?auth_token=

The same GET request can be used to perfrom the CSRF attack. All you have to do is to embed the URL in an iframe in the attack page and share the link with the victim.
Victim’s account can be hacked as soon as the victim visits the attack page.
This bug was found by Josip on 2013 and patched by FB security team.

6. Hacking any actions on Facebook account – A CSRF Bypass

This CSRF vulnerability allows the attacker to take over the account completely and also it has the ability to perform any actions like liking page, posting a photo, etc. on the victim’s Facebook account anonymously without hacking into the account.
This flaw existed in the ads manager endpoint. The sample account take over CSRF request look like this

POST /ads/manage/home/?show_dialog_uri=/settings/email/add/submit/?new_email=

All the attacker has to do is to craft a CSRF page with a form to auto submit the post request in an iframe when the victim lands on the page. The attacker’s email will be added to the victim’s account anonymously.
Then the attacker can hack into victim’s Facebook account by resetting the password.
This was found by Pouya Darabai in 2015 and got a bounty of $15,000 through Facebook bug bounty program.

@hackinginstyle
Next Message
telegram-store.com © 2016-2024
Non official site about Telegram
All rights reserved. Copying and using of full materials is prohibited, partial quoting is possible only with a hyperlink to the site telegram-store.com.