Exploiting the identity theft.
- Proceed to the target's profile.
- Enter the desired message into the Fun Wall form.
- Change fb_sig_user to the id of the person you wish to post as. (Firebug)
- Post.
Sunday, July 22, 2007
Fun Wall
The Fun Wall application has the same vulnerability as the aforementioned Super Wall application. You can post messages on a wall as another person.
Exploiting the identity theft.
Exploiting the identity theft.
Subscribe to:
Post Comments (Atom)
4 comments:
How would you suggest to identify users if you don't use fb_sig_user? Or is there some extra information you can use to determine if it's forged?
Facebook adds a hidden input with a cookie, which most applications seem to use without trouble to verify the ID of the user posting. Most of the wall applications we've tested will detect when you try to do this and give some error like "you must log in."
Presumably there is some API developers can use to verify the login information.
doesnt seem to work anymore. what about editing fb_sig_session_key - the user's id is listed in there also. even editing that didnt do it ... still posting as me
pin:215CF8B1
TW: @Sagolnm
GAME OVER - Sago (Prod. By 24Hstudios)
Youtube:
http://www.youtube.com/watch?v=fBD3fU4g6Vo
Post a Comment