
Indian Hacker Gurukrit Singh Revealed the Way to Hack Millions of Facebook Accounts



News Compressed: An Indian white-hat hacker from California, Gurukrit Singh, revealed how easily he could have exploited Facebook’s password reset mechanism to hack numerous Facebook accounts. He did this by requesting password resets for 2 million valid Facebook user IDs within a short period.


What he did
He said:

To send emails, you first need to get access to 2 million Facebook usernames. Web scraping time! Point 1: Facebook IDs are generally 15 digits long, so I started with 100,000,000,000,000 and started making queries to the Facebook Graph API to check which IDs were valid. I was also able to get the profile picture and full name on the user’s account with ease, since it seems there is no rate limiting on public data (I just did it for fun). But wait! The Facebook Graph API only lets authorized apps fetch a user’s username, doesn’t it? Yes it does.

All you have to do after making sure the ID is valid is visit the following link: www.facebook.com/[ID HERE] and the URL automatically redirects and changes the ID to the user’s username. So I compiled all this data into a nice JSON, which I guess doesn’t hurt to publish since it’s all public anyway. Note: Some of the profile picture URLs in the JSON are invalid. Link to the 2 million usernames: https://drive.google.com/open?id=0B8yZwAxAk9KZTjhvbTdYZVNoY2s

In order to avoid getting your IP blocked from repeatedly sending requests to send password reset emails, you need rotating IPs. This means that every email request will be sent from a batch of thousands of IP addresses to simulate a normal global network flow. There are several services online that offer this feature. In my case, all network traffic went through a proxy server that listened for HTTP requests and arbitrarily assigned an IP address to each request.

You need to simulate user behavior when requesting a passcode. So we will use PhantomJS (a headless browser) and write a multithreaded script in Java that requests a passcode for every user from our JSON file. I also scraped all User-Agent strings for a Chrome browser from http://www.useragentstring.com/pages/useragentstring.php?name=Chrome to assign to my PhantomJS instances.

I got a free trial of Google Compute Engine and hosted my scripts on a virtual machine. I set up 8 VMs (12 cores/20 GB RAM each) over different regions and instantiated 180 PhantomJS instances per VM for full CPU utilization. Then I let all my scripts do their thang.

Easier Part: Brute Force a Guessed Passcode Against 2 Million IDs.
I then guessed a 6-digit passcode, 338625, using the aforementioned rule and brute forced all users at the following URL by adding the ID to the key ‘u’ and my passcode to the key ‘n’: www.beta.facebook.com/recover/password?u=…&n
For more, go to hackernoon.com.
Important: Please note that this article is only for educational purposes.
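The numbers quoted above, worked through as an added example that is not part of the original post or of Singh's writeup: with 2 million pending resets and only a million possible 6-digit codes, any single guessed code is expected to match about two accounts, so a per-account attempt limit alone is not a defence. The toy verifier below (class, method names and limits are my own assumptions) also refuses a code value once it has been submitted against too many distinct accounts, which is the cross-account signal that catches this kind of sweep.

```python
import secrets
from collections import Counter

CODE_SPACE = 10**6  # a 6-digit numeric passcode has one million possible values

def expected_matches(pending_resets: int, code_space: int = CODE_SPACE) -> float:
    """Expected number of accounts whose pending code equals one fixed guess."""
    return pending_resets / code_space

def p_guess_hits_someone(pending_resets: int, code_space: int = CODE_SPACE) -> float:
    """Probability that one fixed guess matches at least one pending code."""
    return 1.0 - (1.0 - 1.0 / code_space) ** pending_resets

class ResetCodeVerifier:
    """Toy verifier (constructed for this example, not Facebook's code): a per-account
    attempt limit plus a check for one code value being tried across many accounts."""
    def __init__(self, per_account_limit: int = 5, cross_account_limit: int = 20):
        self.codes = {}            # user_id -> pending code
        self.attempts = Counter()  # user_id -> failed attempts on that account
        self.code_targets = {}     # code value -> set of accounts it was tried on
        self.swept = set()         # code values flagged as swept across accounts
        self.per_account_limit = per_account_limit
        self.cross_account_limit = cross_account_limit

    def issue(self, user_id: str) -> str:
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.codes[user_id] = code
        return code

    def verify(self, user_id: str, code: str) -> bool:
        targets = self.code_targets.setdefault(code, set())
        targets.add(user_id)
        if len(targets) > self.cross_account_limit:
            self.swept.add(code)  # same code tried against too many accounts: refuse
            return False
        if self.attempts[user_id] >= self.per_account_limit:
            return False
        if self.codes.get(user_id) == code:
            del self.codes[user_id]  # one-time use
            return True
        self.attempts[user_id] += 1
        return False

def simulate_sweep(n_accounts: int, guess: str, limit: int = 20) -> tuple:
    """Constructed scenario: one guessed code is submitted to n_accounts pending resets."""
    v = ResetCodeVerifier(cross_account_limit=limit)
    for i in range(n_accounts):
        v.issue(f"user{i}")
    hits = sum(v.verify(f"user{i}", guess) for i in range(n_accounts))
    return hits, sorted(v.swept)
```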

