Monday, July 23, 2007

Moods (Emoting)

This one's very interesting. Moods is vulnerable to the typical problem that we've seen in the past. Mainly, viewing a non-friend's mood history. In order to check out someone's history, simply alter the following url.

Obviously substituting the person's id for the uid variable.

Now, here's the twist with this application. It doesn't even check to ensure that you are trying to set YOUR OWN MOOD! Yes, you can update someone's mood for them. Simply go to and copy the link to Update My Mood. It'll look something like the following. Now just substitute the proper ID for fb_sig_user.

My Greeting Cards

*Yawns* Same thing. My Greeting Cards Allows you to send greeting cards to non-friends. Custom text can be sent along with the card as well.

  1. Click on My Greeting Cards application.
  2. Enter a friend's name.
  3. Change recipient_id value.
  4. Send gift


I'm seeing a trend here... Superlatives allows you to make predictions about friends that others can vote on, like "so and so is most likely to sell their soul for a donut." Cute. Except you can predict about non-friends too.

Easter Egg

Another non-friend attack. Easter Egg lets you post messages on your profile that only certain friends can read. Like other apps, you can trick it into leaving messages for people who aren't your friends. Because it's on your profile there isn't much danger here, but the app will give you the option of sending a notice to the recipient. They might not appreciate receiving messages from people they haven't added as friends, but that's about as much damage as you can do with this bug.

Sunday, July 22, 2007

Poke Pro

Poke Pro allows you to do any number of actions to a friend. At least, that's what it's supposed to allow. Poke Pro also allows you do do these events to anyone with the application in their profile... friend or not.

Poking random people
  1. On your own profile, enter the name of a friend in your Poke Pro box.
  2. Alter the id value to reflect the id of the person you wish to poke.
  3. Go!

How annoying would it be to constantly get drop kicked by people you don't know?

Fun Wall

The Fun Wall application has the same vulnerability as the aforementioned Super Wall application. You can post messages on a wall as another person.

Exploiting the identity theft.

  1. Proceed to the target's profile.
  2. Enter the desired message into the Fun Wall form.
  3. Change fb_sig_user to the id of the person you wish to post as. (Firebug)
  4. Post.

Sticky Notes

The Sticky Notes application contains a vulnerability that allows you to send a sticky note to any Facebook member, even if they aren't your friend. The application description suggests that this is not the designer's intention.

This can be exploited by writing a new note, and when you're asked to choose the recipients:
  1. Enter the name of one of your friends.
  2. Find the Facebook ID of the person you want to send the sticky to.
  3. Substitute the form's recipient1 value with the ID of your target. (Firebug makes this easy.)
Too easy. Why are we letting amateurs write code for a social networking site of this stature?