Facebook Hacking | Do You Know Your Friends?

So this is less a step-by-step tutorial and more an explanation of what the method involves, and a way to bring to light how simple Facebook hacking is. I stand by a simple thought: don’t hack someone’s stuff. Whether it be their Facebook, their email, or just reading their texts when they’re not around. If you really have that much of a breach in your trust, then the answer is already clear: you shouldn’t have that person in your circle of life. But this isn’t a post on ethics, this is a post on Facebook hacking and this is for EDUCATIONAL PURPOSES ONLY.

Do You Know Your Friends?

So when someone asks me about hacking Facebook, they tend to think I have some top-secret button that instantly turns a victim’s account into my own. I once proved an exploit in WiFi and cookies by gaining access to a friend’s account while I was driving on the Autobahn to France. Sure, it looked like an uber-secret method, but the idea was simple and widely available for anyone to research. That method itself has been patched, hence why you were forced to enable Secure Browsing. Now a new method has appeared, one that exploits a weakness in society rather than in computers: your “Friends”.

Statistics have shown that the average person has to remember almost 8 passwords for their daily life: email, bank, social media, etc. It’s very common that these passwords are all set to be the same (a huge security risk in itself), or they are set differently and then subsequently forgotten (you try remembering @A34wdrkj1!23S34 among 7 others). To solve this common issue, every site that requires a password offers a way to reset your password in the event that you forgot it. Facebook is no different.

The common approach is to press the Forgot Password button and have a new password either emailed or texted to you. Facebook incorporates those two options and even goes a step further. Say you don’t have access to either your original email or phone. I know I joined Facebook back when we originally had Comcast and I went by “jarhead4life2008”. I also had a totally different cellphone since I was with Verizon at the time (who really updates that stuff in Account Settings?). So Facebook added the “Ask a friend” option.

Originally, Facebook would ask you to identify 3 of your friends, randomly chosen, by name or fact. For instance, it may select your mom and ask for her last name. But then it may ask about the random guy that you befriended and want to know where he lives. This eventually led to a lot of criticism for Facebook, since legitimate users couldn’t remember all their friends and answer the questions (some people have 300+ “friends”). A person who wanted to take over an account, “hack it”, would simply have to do some research, or just load up Facebook in another web browser, and while they’re being asked questions about their victim’s friends in one browser, they’re researching the answers in the other. This is made even easier when the hacker befriends their victim first, and then views all the “Public” profiles or the “Share with friends of friends” profiles. (As my friend always quoted, “‘Gots to be mo’ careful”)

So Facebook changed up the Friends option for resetting a password, and you’d think it would become harder to get someone’s account, right? Wrong again, it just takes a little longer. With about 1 week, I could hack someone’s account, and add enough buffer time to make sure I wasn’t able to be caught. The method? Well, it’d simply be the same idea of using Friends and Resetting, but I’d have to create 3 separate accounts, hide any traces of me, make them look legitimate, and befriend my victim.

“Whoa now, why don’t you explain that a bit more?” So Facebook’s new Friend option involves, again, three friends. Instead of asking you for trivia about them, they are instead asked to help. Facebook tells you to choose 3 friends from your list of friends, and Facebook will then send a message to each friend with a private code that you’ll need to reset the password. The idea being, you call up your friends and say “hey, I forgot my password, can you help me?” They then text back some small code like “ABCD”, each friend having a different code, and you type those in to reset your password. It’s actually a pretty intuitive idea, but the flaw is in the convenience of choosing whom to send those keys to.

Basically, I want to hack into “Joe’s” account, so I create three fake accounts, “Adam, Eve, and Steve”, and have all three of them friend-request Joe. Joe accepts them for any number of reasons: we have mutual friends, Eve looks hot, Adam/Steve look hot?, or Joe is just a friend whore who accepts everyone. This could take a few days, but on average people check their Facebook A LOT during the day, so it could be just a few hours even. I then proceed to try to reset Joe’s account, send the codes to Adam, Eve, and Steve’s email, reset Joe’s password, and then maliciousness ensues.
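To make the flaw concrete from the defender’s side, here is an added toy model of the friend-assisted reset described above. It is constructed for this post and is not Facebook’s code: the weak policy lets the requester pick any three current friends at reset time, so a requester who controls three freshly accepted accounts receives every code, while requiring contacts that the owner designated in advance, or a minimum friendship age, rejects that request and still lets the real owner recover through long-standing friends. All names and day numbers are made up.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    name: str
    friends: dict = field(default_factory=dict)          # friend -> day the friendship was accepted
    trusted_contacts: set = field(default_factory=set)   # contacts designated in advance, while logged in


class RecoveryService:
    """Toy model of friend-assisted password recovery (constructed, not Facebook's code)."""

    def __init__(self, require_predesignated=False, min_friend_age_days=0):
        self.require_predesignated = require_predesignated
        self.min_friend_age_days = min_friend_age_days
        self.pending = {}  # account name -> {helper: code}

    def start_recovery(self, account, helpers, today):
        if len(helpers) != 3:
            raise ValueError("exactly three helpers are required")
        for h in helpers:
            if h not in account.friends:
                raise ValueError(f"{h} is not a friend of {account.name}")
            if self.require_predesignated and h not in account.trusted_contacts:
                raise ValueError(f"{h} was not designated as a trusted contact")
            if today - account.friends[h] < self.min_friend_age_days:
                raise ValueError(f"{h} became a friend too recently")
        codes = {h: secrets.token_hex(2).upper() for h in helpers}
        self.pending[account.name] = codes
        return codes  # in the real flow each code goes to that helper, never to the requester

    def finish_recovery(self, account, submitted):
        codes = self.pending.get(account.name, {})
        return bool(codes) and all(submitted.get(h) == c for h, c in codes.items())


def run_scenario(helpers, require_predesignated=False, min_friend_age_days=0):
    """Return (reset_succeeded, reason) for a recovery attempt on Joe's account."""
    # Constructed data: Joe's long-standing friends date from day 0 and were designated
    # as trusted contacts; Adam, Eve and Steve were accepted on day 30, one day ago.
    joe = Account("Joe",
                  friends={"Mom": 0, "Bob": 0, "Carol": 0, "Adam": 30, "Eve": 30, "Steve": 30},
                  trusted_contacts={"Mom", "Bob", "Carol"})
    svc = RecoveryService(require_predesignated, min_friend_age_days)
    try:
        codes = svc.start_recovery(joe, helpers, today=31)
    except ValueError as why:
        return False, str(why)
    # A requester who controls every helper account sees every code and can finish.
    return svc.finish_recovery(joe, codes), "reset accepted"
```

The real mitigation is the same shape: only contacts chosen while the owner is still logged in, with a waiting period before newly added friends can help, keep a set of fresh friend requests from becoming a reset path.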

Wait Just A Minute Mr. Haxor

Of course, Joe will realize he’s been hacked once his password no longer works, and Facebook also asks me to update the email to something new, so it won’t be hard for him to cry out “HACKED!!!”, and then Facebook gets involved to save the day and look for you. So this would be where a hacker would have to be clever in hiding himself, and I will NOT be going over how to do that in this tutorial, or any other ones (at least for a little while, to add a deterrent and hope this method gets patched). As they say though, if there is a will, there is a way, so I do hope people use judgement before doing anything stupid.


A Moment on Ethics

What you do and how you do it is your business. I will not go on to say the best approaches to living your life. I will however make a few things clear. Being known as a hacker doesn’t mean I condone malicious acts like hacking people’s accounts, especially not friends, family, etc. If you have a boyfriend/girlfriend/spouse/coworker/enemy, whatever, that you really think is up to something, don’t resort to hacking their privacy. If there is so little to no trust, end it. And if you’re married to them, get counseling (I really don’t like the idea of divorces, but that’s another topic). You should not be tempted to break into their emails/social networks/phones, whatever, just to prove some ill-conceived thought you have. In the event that you’re right, sure, you’ll have the peace of mind of knowing you were right, but the only next step is a disastrous fallout. If you’re wrong, then where does it end? You didn’t trust them this time, though they passed your test, but maybe they fail next time? I have never seen a person hack an account of someone they knew and have it be just a one-time deal. There was always a long-standing feeling that something is going on and they must constantly check. Don’t do it. Talk with them; if you don’t trust em, leave em (unless you’re married to them….)


So yea……..Hacking Facebook Accounts.