Skip to main content

Indian Hacker Gurukrit Singh Revealed The Way To Hack Millions OF Facebook Accounts

gurukrit singh facebook hack


News Compressed : A Indian white hacker from califronia Gurukrit Singh revealed shows how easily he could’ve exploited Facebook’s password reset mechanism to hack numerous Facebook accounts. He do this by requesting 2 million valid facebook users password reset at short period by using their ID.


What he did
He said:

To send emails, you first need to get access to 2 million Facebook usernames. Web scraping time! Point 1: Facebook IDs are generally 15 digits long, so I started with 100,000,000,000,000 and started making queries to Facebook Graph API to check which IDs were valid. I was also able to get profile picture and full name on the user’s account with ease since it seems there is no rate-limiting on public data (I just did it for fun). But wait! Facebook Graph API only lets authorized apps to fetch a user’s username, doesn’t it? Yes it does. Yes it does.

All you have to do after making sure the ID is valid is visit the following link: www.facebook.com/[ID HERE] and the url automatically redirects and changes the ID to the user’s username. So I compiled all this data into a nice JSON, which I guess doesn’t hurt to publish since it’s all public anyway. Note: Some of the profile picture urls in the JSON are invalid. Link to the 2 million usernames: https://drive.google.com/open?id=0B8yZwAxAk9KZTjhvbTdYZVNoY2s

In order to avoid getting your IP blocked from repeatedly sending requests to send password reset emails, you need rotating IPs. This means that every email request will be sent from a batch of thousands of IP addresses to simulate a normal global network flow. There are several services online that offer this feature. In my case, all network traffic went through a proxy server that listened for HTTP requests and arbitrarily assigned an IP address to each request.

You need to simulate user behavior when requesting a passcode. So we will use PhantomJS (Headless browser) and write a multithreaded script in Java that requests a passcode to every user from our JSON file. I also scraped all User Agent strings for a Chrome browser from http://www.useragentstring.com/pages/useragentstring.php?name=Chrome to assign to my PhantomJS instance

Got a free trial of Google Compute Engine and hosted my scripts on a virtual machine. I set up 8 VMs (12 cores/20 GB RAM each) over different regions and instantiated 180 PhantomJS instances per VM for full CPU utilization. Then I let all my scripts do their thang4

Easier Part: Brute Force Guessed Passcode Against 2 million IDs.
I then guessed a 6 digit passcode 338625 using the aforementioned rule and brute forced all users at the following url by adding the ID to the key ‘u’ and my passcode to the key ‘n’: www.beta.facebook.com/recover/password?u=…&n
For More go to hackernoon.com
Important: Please note that this article is only for educational purposes.


Popular posts from this blog

Whatsapp privacy policy changed Now sharing User Whatsapp Info With Facebook Public

News Compressed :  Facebook changed whatsapp privacy policy and let people on facebook to contact user whatsapp number, means whatsapp will share their user info with facebook. Company said this step will help you provide relevant friend suggestion and help people to tackle spam abuse this step might help facebook to generate revenue. Whatsapp which was before add free has changed their privacy policy since the firm bought by facebook on 2014 Whatsapp now-sharing their users private info with facebook and let some companies on facebook to find people on whatsapp and advertised them-self which might help facebook to earn revenue from company to advertise them on whatsapp users. Facebook sharing user info and breaking the whatsapp old privacy policy betrayed many many peoples but whatsapp says that sharing user info in public help them to find more relevant friends on facebook and help user to tackle Spam&abuses source bbc. " Ms Clark-Dickson said users...

Hacker Demand $568 Million - To Leaked NSA's Private Hacking Tools Online

Hacker Demand $568 Million - To Leaked NSA's Private Hacking Tools Online News Compressed : A group of hackers name "the shadow brokers" allege to hacked NSA( National security agency) and dumped their some private hacking tools online and exploits. They demand 1 million dollars to leak all there hacking tools but it's not confirmed if the leaked documents are legitimate, but some security experts believe it's real The National security agency reported has been hacked by group of hackers name "The shadow brockers".  The incident takes place on 13th august when the group of hackers claimed to hacked the NSA's hackers group -- "Equation ", the hacking group that’s assumed to be the national security agency"-- And dumped hacking files which it claimed came from the Equation Group in two days after hack on Github  and Tumblr   The hackers leaked some files sample these files also having a similarity with NSA’s hackin...

Skullcandy To Launch A Cool Wireless Headphone in India

The Well Known Sound Devices brand Skullcandy will launch Grind Wireless Headphone with Bluetooth functionality in India at a price range of Just Rs 6,499. These New Headphones are the upgraded version of Grind 2.0 and will be exclusively available at Croma store near you. The Grind features look similar to Grind 2.0 but some enhancement is done to get great  sound over your Bluetooth connection. This New Headphone  has all functions like calling, track and volume controls on the right ear cup.The battery life of the headphone will standby up to 12 hours on a full charge. We here at Hackulife . blogspot . com Highly Reccomend to use this product simply This headphone is great as compare to the other brands headphones it comes with high end quality speakers less distortion and no barriers at all. So, Don't Be Shut Out Rush to your nearest Croma Store Right now .