Posts

Showing posts with the label facebook hacks

Bug in Facebook OAuth. Convert facebook test account to real account in instagram/ oculus

Image
Facebook Provide you the ability to create test accounts for white hat testing. You can create it by visiting the url facebook.com/whitehat/accounts.

Facebook wants you to test for security issues using test accounts only and if you're unable to reproduce an issue with a test account, then it is okay to use a real account you own or you have to get permission from the account owner. Adding Facebook implemented certain limitations for the test accounts.

I stuck with the last one. Can't convert to a real user account. Ok let's try it.

I tried for about a day in different ways like using the fake email at account recovery system and so on but failed.

I was like






And then I thought that I might find a way abusing facebook oauth system with test accounts. Navigated to few sites which allows login with facebook.

But when I tried login with facebook, It shows an error. Oops!! again screwed.

Then I decided to stop there and went to bed because it was 3 AM at night. In the next day, …

Download Guarded Profile Picture From Facebook

Image
Facebook recently introduced a feature called Profile Picture Guard. It protect others from downloading your profile picture. If you want to know more about it, you can read it here Profile Picture Guard | Facebook Help.

When turning on Profile Picture Guard, Facebook assure you that no one else can download your profile picture. Really??? 😆😆😆 Never!!!

I worked some time on it to see how can I bypass this restriction. Tried calculating the url to cdn but it requires a signature to access the file. Tried to view image and change dimensions and the result is negative.

What's next?

Think out of the Box.





I think I should leave it and change my target first. Then I decided to test it from my another account to check is there a way to bypass it.

Opened the profile picture and copied the url. Then I opened incognito to login to other account. Went to the url that I copied earlier and I was about to type my username and password in the login form at the top of page. Suddenly a pop up ca…