1. Hack any Facebook account with a mobile SMS
This vulnerability could allow a user to hack FB account easily in a fraction of seconds. All you need is an active mobile number. This flaw existed in confirm mobile number endpoint where users verify their mobile number.
Execution of this vulnerability is very simple. We should send a message in the following format.
FBOOK to 32665 (for the US)
You should receive a shortcode. Then, a request to the FB server with the target user ID, shortcode, and a few other parameters could do the magic.
Sample Request
Post /ajax/settings/mobile/confirm_phone.php
Host: www.facebook.com
profile_id=<target_user_id>&code=<short_code>&other_boring_parameters
That’s it. Sending this request to Facebook server with any user cookies can hack the target account. Your mobile number will be attached to the target user’s FB account once you get a response from the FB server. Now you can initiate a password reset request using the mobile number and hack into the target account easily.
This vulnerability was found by Jack in 2013. FB security team patched the issue pretty quickly and rewarded him $20,000 USD as a part of their bounty program.
2. Hack any Facebook account using Brute Force Attack
This brute force vulnerability leads to complete FB account takeover which was found by Anand in 2016. Facebook rewarded him $15,000 as a part of their bug bounty program.
This flaw found on reset password endpoint of Facebook. Whenever a user forgets his password, he/she can reset their password using this option by entering his/her phone number or email address.
A 6 digit code will be sent to the user to verify whether the request is made by the concerned person. The user can then reset their password by entering the 6 digit verification code.
One cannot try different combinations of the code more than 10 to 12 attempts since the FB server will block the account for password reset temporarily.
Anand found that mbasic.facebook.com and beta.facebook.com failed to perform the brute force validation thus allowing an attacker to try all the possibilities of the six-digit code.
Sample Request
Post /recover/as/code/
Host: mbasic.facebook.com
n=<6_digit_code>&other_boring_parameters
Trying all the possibilities (brute forcing) of the six-digit parameter (n=123456) allows an attacker to set a new password for any FB user. This can be achieved by any brute force tool available online.
Facebook fixed this vulnerability by placing limits on the number of attempts one can execute on the reset code endpoint.
3. Hacking any Facebook account using Brute Force Attack – 2
Arun found the same brute force vulnerability in another subdomain (lookaside.facebook.com) of Facebook that had got him $10,000 reward from Facebook in 2016.
Initially, they rejected the bug by saying that they are unable to reproduce it. The vulnerability was accepted only after a few weeks time and the patch was rolled out as soon as their security team was able to reproduce the issue.
And the sample request looks like this
Post /recover/as/code/
Host: lookaside.facebook.com
n=<6_digit_code>&other_boring_parameters
The attack scenario is exactly the same that we have seen in the previous method and the only difference is the domain name.
4. Hacking any Facebook account using a Cross Site Request Forgery Attack
This method requires the victim to visit a website link (in a browser where the victim should be logged into Facebook) to complete the hacking attack.
For those of you who don’t know about CSRF attacks, read about it here.
The flaw existed in claiming email address endpoint of Facebook. When a user claims an email address, there was no server-side validation performed of which user is making the request thus it allows an email to be claimed on any FB account.
You need to get the email claim URL before create a CSRF attack page. For that, try to change your email address to an email address that is already used for a FB account. Then you will be asked to claim the email if that belongs to you.
A popup with claim button should redirect you to the URL we need once we click on the claim button.
URL should look like
https://www.facebook.com/support/openid/accept_hotmail.php?appdata={"fbid":"&code=<code>
You have got the URL. The last thing we have to do is to create a page to put the URL in an iframe and send it to the victim.
The email address will be attached to the victim’s Facebook account once he/she navigates to the URL. That’s it. You can now hack victim’s Facebook account through reset password option.
This CSRF account takeover vulnerability was found by Dan Melamed in 2013 and was patched immediately by FB security team.
5. Hack any Facebook account using CSRF – 2
This hacking technique is similar to the previous one where the victim needs to visit the attacker website for the attack to work.
This vulnerability was found in contact importer endpoint. When a user approves Facebook to access Microsoft Outlook’s contact book, a request to FB server is made that in turn adds the email to the respective Facebook account.
One can do this by Find contacts option in the attacker Facebook account. Then you should find the following request made to FB server (use intercepting proxy like burp)
https://m.facebook.com/contact-importer/login?auth_token=
The same GET request can be used to perfrom the CSRF attack. All you have to do is to embed the URL in an iframe in the attack page and share the link with the victim.
Victim’s account can be hacked as soon as the victim visits the attack page.
This bug was found by Josip on 2013 and patched by FB security team.
This vulnerability could allow a user to hack FB account easily in a fraction of seconds. All you need is an active mobile number. This flaw existed in confirm mobile number endpoint where users verify their mobile number.
Execution of this vulnerability is very simple. We should send a message in the following format.
FBOOK to 32665 (for the US)
You should receive a shortcode. Then, a request to the FB server with the target user ID, shortcode, and a few other parameters could do the magic.
Sample Request
Post /ajax/settings/mobile/confirm_phone.php
Host: www.facebook.com
profile_id=<target_user_id>&code=<short_code>&other_boring_parameters
That’s it. Sending this request to Facebook server with any user cookies can hack the target account. Your mobile number will be attached to the target user’s FB account once you get a response from the FB server. Now you can initiate a password reset request using the mobile number and hack into the target account easily.
This vulnerability was found by Jack in 2013. FB security team patched the issue pretty quickly and rewarded him $20,000 USD as a part of their bounty program.
2. Hack any Facebook account using Brute Force Attack
This brute force vulnerability leads to complete FB account takeover which was found by Anand in 2016. Facebook rewarded him $15,000 as a part of their bug bounty program.
This flaw found on reset password endpoint of Facebook. Whenever a user forgets his password, he/she can reset their password using this option by entering his/her phone number or email address.
A 6 digit code will be sent to the user to verify whether the request is made by the concerned person. The user can then reset their password by entering the 6 digit verification code.
One cannot try different combinations of the code more than 10 to 12 attempts since the FB server will block the account for password reset temporarily.
Anand found that mbasic.facebook.com and beta.facebook.com failed to perform the brute force validation thus allowing an attacker to try all the possibilities of the six-digit code.
Sample Request
Post /recover/as/code/
Host: mbasic.facebook.com
n=<6_digit_code>&other_boring_parameters
Trying all the possibilities (brute forcing) of the six-digit parameter (n=123456) allows an attacker to set a new password for any FB user. This can be achieved by any brute force tool available online.
Facebook fixed this vulnerability by placing limits on the number of attempts one can execute on the reset code endpoint.
3. Hacking any Facebook account using Brute Force Attack – 2
Arun found the same brute force vulnerability in another subdomain (lookaside.facebook.com) of Facebook that had got him $10,000 reward from Facebook in 2016.
Initially, they rejected the bug by saying that they are unable to reproduce it. The vulnerability was accepted only after a few weeks time and the patch was rolled out as soon as their security team was able to reproduce the issue.
And the sample request looks like this
Post /recover/as/code/
Host: lookaside.facebook.com
n=<6_digit_code>&other_boring_parameters
The attack scenario is exactly the same that we have seen in the previous method and the only difference is the domain name.
4. Hacking any Facebook account using a Cross Site Request Forgery Attack
This method requires the victim to visit a website link (in a browser where the victim should be logged into Facebook) to complete the hacking attack.
For those of you who don’t know about CSRF attacks, read about it here.
The flaw existed in claiming email address endpoint of Facebook. When a user claims an email address, there was no server-side validation performed of which user is making the request thus it allows an email to be claimed on any FB account.
You need to get the email claim URL before create a CSRF attack page. For that, try to change your email address to an email address that is already used for a FB account. Then you will be asked to claim the email if that belongs to you.
A popup with claim button should redirect you to the URL we need once we click on the claim button.
URL should look like
https://www.facebook.com/support/openid/accept_hotmail.php?appdata={"fbid":"&code=<code>
You have got the URL. The last thing we have to do is to create a page to put the URL in an iframe and send it to the victim.
The email address will be attached to the victim’s Facebook account once he/she navigates to the URL. That’s it. You can now hack victim’s Facebook account through reset password option.
This CSRF account takeover vulnerability was found by Dan Melamed in 2013 and was patched immediately by FB security team.
5. Hack any Facebook account using CSRF – 2
This hacking technique is similar to the previous one where the victim needs to visit the attacker website for the attack to work.
This vulnerability was found in contact importer endpoint. When a user approves Facebook to access Microsoft Outlook’s contact book, a request to FB server is made that in turn adds the email to the respective Facebook account.
One can do this by Find contacts option in the attacker Facebook account. Then you should find the following request made to FB server (use intercepting proxy like burp)
https://m.facebook.com/contact-importer/login?auth_token=
The same GET request can be used to perfrom the CSRF attack. All you have to do is to embed the URL in an iframe in the attack page and share the link with the victim.
Victim’s account can be hacked as soon as the victim visits the attack page.
This bug was found by Josip on 2013 and patched by FB security team.