Sunday, July 22, 2007

Fun Wall

The Fun Wall application has the same vulnerability as the Super Wall application described earlier: it takes the client-supplied fb_sig_user field at face value, so you can post messages on a wall as another person.

Exploiting the identity spoofing:

  1. Proceed to the target's profile.
  2. Enter the desired message into the Fun Wall form.
  3. Change the hidden fb_sig_user field to the id of the person you wish to post as (Firebug lets you edit the form in place).
  4. Post.
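The trust failure in the steps above, as an added example that is not code from this page or from either wall application: a handler that believes whatever fb_sig_user the browser sends, beside one that first recomputes a signature over every fb_sig_* field with the application secret and refuses a request whose fields no longer match. Editing fb_sig_user (or fb_sig_session_key) after the fact then fails, because the attacker cannot re-sign without the secret. The signature scheme used here (strip the fb_sig_ prefix, sort the key=value pairs, append the secret, MD5) is my recollection of how Facebook signed canvas requests at the time and is an assumption of the example; the secret, field values and user ids are constructed.

```python
import hashlib
import hmac

# Constructed application secret; a real app secret is never sent to the browser.
APP_SECRET = "example-secret-do-not-use"


def sign_params(params, secret):
    """Signature over the fb_sig_* fields (assumed legacy canvas scheme):
    strip the 'fb_sig_' prefix, sort the 'key=value' strings, concatenate,
    append the secret, MD5. The 'fb_sig' field itself is not included."""
    parts = sorted(
        f"{k[len('fb_sig_'):]}={v}" for k, v in params.items() if k.startswith("fb_sig_")
    )
    return hashlib.md5(("".join(parts) + secret).encode()).hexdigest()


def make_signed_form(user_id, secret):
    """What the platform would hand the app: fields plus a valid signature."""
    form = {
        "fb_sig_user": user_id,
        "fb_sig_session_key": f"sess-{user_id}",
        "fb_sig_time": "1185091200",
        "fb_sig_api_key": "abc123",
    }
    form["fb_sig"] = sign_params(form, secret)
    return form


def forge(form, victim_id):
    """Step 3 of the write-up: edit fb_sig_user in the browser before posting."""
    tampered = dict(form)
    tampered["fb_sig_user"] = victim_id
    return tampered


def vulnerable_poster(form):
    """The bug on the page: author of the post is whatever the client says."""
    return form["fb_sig_user"]


def verified_poster(form, secret):
    """Hardened handler: recompute the signature over the received fields and
    reject the request if it does not match. Returns None for a forged request."""
    expected = sign_params(form, secret)
    if not hmac.compare_digest(expected, form.get("fb_sig", "")):
        return None
    return form["fb_sig_user"]


if __name__ == "__main__":
    legit = make_signed_form("1001", APP_SECRET)
    forged = forge(legit, "2002")
    print("vulnerable app posts as:", vulnerable_poster(forged))   # 2002
    print("verified app, legit:", verified_poster(legit, APP_SECRET))  # 1001
    print("verified app, forged:", verified_poster(forged, APP_SECRET))  # None
```

The same check covers stefan's idea of editing fb_sig_session_key: any change to a signed field invalidates fb_sig, so the only way to post as someone else is to obtain a request the platform actually signed for that user.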


David said...

How would you suggest to identify users if you don't use fb_sig_user? Or is there some extra information you can use to determine if it's forged?

SerajewelKS said...

Facebook adds a hidden input with a cookie, which most applications seem to use without trouble to verify the ID of the user posting. Most of the wall applications we've tested will detect when you try to do this and give some error like "you must log in."

Presumably there is some API developers can use to verify the login information.

stefan said...

Doesn't seem to work anymore. What about editing fb_sig_session_key? The user's id is listed in there also. Even editing that didn't do it ... still posting as me.

yerson pinto said...

TW: @Sagolnm

