
Indian Hacker Gurukrit Singh Revealed the Way to Hack Millions of Facebook Accounts



News Compressed: An Indian white-hat hacker based in California, Gurukrit Singh, showed how easily he could have exploited Facebook's password reset mechanism to take over a large number of Facebook accounts. Instead of guessing many reset codes for one account (which a per-account attempt limit stops), he requested password resets for 2 million valid Facebook users within a short period, using their numeric IDs, and then tried a single guessed 6-digit code against every one of them.


What he did
He said:

To send emails, you first need to get access to 2 million Facebook usernames. Web scraping time! Point 1: Facebook IDs are generally 15 digits long, so I started with 100,000,000,000,000 and started making queries to the Facebook Graph API to check which IDs were valid. I was also able to get the profile picture and full name on the user's account with ease, since it seems there is no rate limiting on public data (I just did it for fun). But wait! The Facebook Graph API only lets authorized apps fetch a user's username, doesn't it? Yes it does.

All you have to do after making sure the ID is valid is visit the following link: www.facebook.com/[ID HERE], and the URL automatically redirects and changes the ID to the user's username. So I compiled all this data into a nice JSON, which I guess doesn't hurt to publish since it's all public anyway. Note: Some of the profile picture URLs in the JSON are invalid. Link to the 2 million usernames: https://drive.google.com/open?id=0B8yZwAxAk9KZTjhvbTdYZVNoY2s

In order to avoid getting your IP blocked from repeatedly sending requests to send password reset emails, you need rotating IPs. This means that every email request will be sent from a batch of thousands of IP addresses to simulate a normal global network flow. There are several services online that offer this feature. In my case, all network traffic went through a proxy server that listened for HTTP requests and arbitrarily assigned an IP address to each request.

You need to simulate user behavior when requesting a passcode. So we will use PhantomJS (a headless browser) and write a multithreaded script in Java that requests a passcode for every user in our JSON file. I also scraped all user agent strings for the Chrome browser from http://www.useragentstring.com/pages/useragentstring.php?name=Chrome to assign to my PhantomJS instances.

I got a free trial of Google Compute Engine and hosted my scripts on a virtual machine. I set up 8 VMs (12 cores/20 GB RAM each) over different regions and instantiated 180 PhantomJS instances per VM for full CPU utilization. Then I let all my scripts do their thang.

Easier Part: Brute-Force the Guessed Passcode Against 2 Million IDs.
I then guessed a 6-digit passcode, 338625, using the aforementioned rule and brute-forced all users at the following URL by adding the ID to the key 'u' and my passcode to the key 'n': www.beta.facebook.com/recover/password?u=…&n
For more, go to hackernoon.com.
Important: Please note that this article is only for educational purposes.
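The control this write-up defeats is easiest to see in code. The simulation below is an added example, not Facebook's code and not the researcher's scripts: a toy reset service that limits guesses per account (12 is an assumed cap; the page does not state Facebook's actual limit), the reverse brute force that sends one fixed guess to every account, the classic one-account brute force for contrast, and a hardened variant of my own (not a fix the page reports) that issues a 128-bit token instead of six digits. Class and function names are mine, and the 100,000-user demo set is constructed.

```python
"""Added simulation of the one-code-against-many-accounts spray described above.
Toy services only; not Facebook's backend and not the researcher's scripts."""
import hmac
import random
import secrets

CODE_SPACE = 10 ** 6  # a 6-digit numeric passcode has one million possible values


def expected_hits(num_users: int, code_space: int = CODE_SPACE, guesses_per_user: int = 1) -> float:
    """Expected number of accounts whose pending code equals one of the attacker's guesses.
    With the write-up's figures (2 million users, one 6-digit guess each) this is 2.0."""
    return num_users * guesses_per_user / code_space


class ResetService:
    """Toy reset backend that only limits attempts per account (assumed cap: 12).
    A spray that sends ONE guess to each account never gets anywhere near that cap."""

    def __init__(self, rng: random.Random = None, max_attempts: int = 12):
        self.rng = rng or random.Random()
        self.max_attempts = max_attempts
        self.pending = {}  # user_id -> [code, attempts_used]

    def request_reset(self, user_id: int) -> None:
        # A real service would email or SMS this code to the account owner.
        self.pending[user_id] = [f"{self.rng.randrange(CODE_SPACE):06d}", 0]

    def attempts_left(self, user_id: int) -> int:
        entry = self.pending.get(user_id)
        return 0 if entry is None else self.max_attempts - entry[1]

    def verify(self, user_id: int, guess: str) -> bool:
        entry = self.pending.get(user_id)
        if entry is None or entry[1] >= self.max_attempts:
            return False
        entry[1] += 1
        return hmac.compare_digest(entry[0], guess)


class HardenedResetService(ResetService):
    """Same per-account cap, but the code is a 128-bit URL-safe token (hypothetical fix,
    not Facebook's). A per-IP cap alone would not help: the proxy rotation in the
    write-up exists precisely to spread requests over thousands of addresses."""

    def request_reset(self, user_id: int) -> None:
        self.pending[user_id] = [secrets.token_urlsafe(16), 0]


def spray(service: ResetService, user_ids, guess: str) -> list:
    """Reverse brute force: the same guess against every account, one attempt each."""
    return [uid for uid in user_ids if service.verify(uid, guess)]


def forward_brute(service: ResetService, user_id: int) -> bool:
    """Classic brute force: many guesses against one account; the per-account cap ends it."""
    for code in range(CODE_SPACE):
        if service.attempts_left(user_id) <= 0:
            return False
        if service.verify(user_id, f"{code:06d}"):
            return True
    return False


if __name__ == "__main__":
    rng = random.Random(1)
    users = range(100_000)  # scaled down from 2 million so the demo runs in seconds
    weak = ResetService(rng)
    for uid in users:
        weak.request_reset(uid)
    print("expected hits at 2M users, one 6-digit guess:", expected_hits(2_000_000))
    print("accounts hit by guess 338625:", spray(weak, users, "338625"))
    print("forward brute force on user 0 succeeded:", forward_brute(weak, 0))
    strong = HardenedResetService(rng)
    for uid in users:
        strong.request_reset(uid)
    print("accounts hit once codes are 128-bit tokens:", spray(strong, users, "338625"))
    print("expected hits at 2M users with 128-bit tokens:", expected_hits(2_000_000, 2 ** 128))
```

The arithmetic is the whole attack: a per-account lockout bounds the number of guesses per victim, but says nothing about the number of victims, so with a million-value code and two million pending resets the attacker expects about two matches from a single guess. Raising the entropy of the code (or delivering a long random link instead of a typed digit code) is what shrinks that expectation to nothing; throttling by source IP only moves the attacker to the proxy pool the write-up already describes.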

