Showing results for tags 'facebook'.
  1. Do you know that your Facebook account can be accessed by Facebook engineers, and that too without entering your account credentials? Recent details provided by the social network giant show who can access your Facebook account and when.

No doubt, Facebook and other big tech companies including Google, Apple and Yahoo! are trying to keep their data out of reach of law enforcement and spy agencies by adopting encrypted communication and end-to-end encryption solutions in the near future, but right now they have access to your personal data, and at least a few of their employees can access it with one click.

Earlier this week, Paavo Siljamäki, director at the record label Anjunabeats, brought attention to this issue by posting a very interesting story on his Facebook wall. During his visit to the Facebook office in LA, a Facebook engineer logged into his Facebook account with his permission, but the strange part — they did it without asking him for the password.

ACCESS WITHOUT NOTIFICATION

Facebook didn't even notify Siljamäki that someone else had accessed his private Facebook profile, as the company does when your Facebook account is accessed from a new device or from a different geo-location. Siljamäki got in contact with Facebook in order to find out how many of Facebook's staff have this kind of 'master' access to anyone's Facebook account, when exactly they can access users' private data, and also how anyone would know if his/her Facebook account has been accessed. When the social network giant was asked how the employee got access to the user's Facebook account without entering the account credentials, Facebook issued the following statement:

WHO CAN ACCESS MY FACEBOOK ACCOUNT?

The company didn't explain exactly who can access what, but it assured its users that account access is tiered and limited to specific job functions. Access to accounts is granted to most employees in order to reply to a customer request for information or an error report.

In short, the social network giant has a customer service tool that can grant Facebook employees access to a user's account. Facebook runs two separate monitoring systems that generate weekly reports on suspicious behavior, which are then reviewed and analysed by two independent security teams, specifically a selected group of employees. Facebook gives a strict warning to employees hired to use this tool and directly fires any employee who abuses it. So, you need not worry about Mark Zuckerberg accessing your account, unless you yourself ask Facebook for help with something and have given permission.

Source
  2. Selling a $500 Facebook coupon for ads. It can only be used by new advertisers. I only consider serious offers. Reply or PM!
  3. Less than two months into the year, Facebook said it has already validated more than 100 submissions to its bug bounty, demonstrating a consistently growing interest in such programs industry-wide. "Report volume is at its highest levels, and researchers are finding better bugs than ever before," said Colin Greene, security engineer at Facebook.

Today, the social network reported its final bug bounty submission and payout numbers for 2014. Most notable: 61 percent of eligible vulnerability submissions were rated high severity by Facebook; that number eclipses 2013's numbers by 49 percent. Overall, Facebook said it received 17,011 submissions, a 16 percent jump year over year, resulting in more than $1.3 million paid out to 321 researchers worldwide, an average payout of $1,800. Of the $1.3 million paid out, more than $250,000 went to the top five participants. Since the bounty program began in 2011, Facebook said it has paid out more than $3 million.

Last week at the Kaspersky Lab Security Analyst Summit, HackerOne chief policy officer Katie Moussouris said it's important that vulnerability disclosure programs directly feed an organization's software development lifecycle. She also stressed the importance of strategic thinking with regard to bounty programs: for example, concentrate not only on finding and fixing one-off bugs, but also on eliminating classes of vulnerabilities and on developing mitigations.

For its part, Facebook said its bounty program helped uncover a number of potentially serious vulnerabilities, including the discovery of hidden input parameters causing downstream issues. "After we fixed the instance from this report, we also fixed a few other spots and made improvements around duplicate parameters so that issues like this shouldn't happen again," Greene said. Greene also provided another example where legacy REST API calls were allowed to be made on behalf of any Facebook user because of a misconfiguration issue. An attacker would need only the user ID, which could be obtained from the user's profile or the Graph API, Greene said.

Facebook has invested continuously in its bounty program. Last fall, it announced that it was adding an incentive for researchers to find bugs in its ads code. In particular, Facebook was hoping for some additional eyeballs on its ads code user interface, which includes the Ads Manager and Power Editor tools that enable users to edit and upload bulk ads—a number of permissions-based security issues arose in both of those areas, Facebook said. Facebook said its Ads API was also in scope. More than a year ago, Facebook paid out its largest bounty to date, $33,500 to Brazilian researcher Reginaldo Silva for a remote code execution vulnerability he reported in Facebook's OpenID implementation that paved the way for attackers to pull off XXE attacks.

Source
  4. I also got an S3 Mini I8200. The phone runs fine for what I need (internet, music, a photo or two sometimes). The thing is that the RAM usage seems excessive to me, i.e. it shows around 75-81%, and that's with 3-4 apps open (facebook + messenger, mail, youtube and that's about it). Is it normal for it to use 75% of the RAM, considering the phone has 1GB?
  5. My working facebook account hacker blog: Hack facebook account password online. Also another project, Isis simulator, picked up by Pewdiepie himself:
  6. [+] AnonGhost Auto SQLi Query Maker [+] https://ghostbin.com/paste/hd26gkco
[+] Facebook XMPP Chat Protocol Bruteforce [+] https://ghostbin.com/paste/oynf9bt2
[+] Facebook Brute Reset Codel [+] https://ghostbin.com/paste/e5te5umj
[+] Ftp Brute Force [+] https://ghostbin.com/paste/3sxovcuh/edit
[+] Facebook Pentester [+] https://ghostbin.com/paste/qyns3ox7
[+] Twitter Brute Force [+] https://ghostbin.com/paste/nubyt3vh
Password = ./d3f4ult_v1rUsa
  7. This week, a researcher named Laxman Muthiyah discovered a bug that let him delete any photo album on Facebook, and walked away with $12,500 for his trouble. The bug targeted Facebook's Graph API, which lets users delete their own photo albums with a single command, corresponding to the "delete album" button. Because of a mistake on Facebook's part, that request could potentially target any album on the network that the user had access to view, as long as the user was logged in through the mobile version of the API. After some troubleshooting, Muthiyah settled on the following request as the silver bullet for deleting any album off the network:

Request :-

DELETE /518171421550249 HTTP/1.1
Host : graph.facebook.com
Content-Length: 245

access_token= facebook_for_android_access_token

Muthiyah reported the vulnerability to Facebook and the company wrote back in just two hours, saying the bug was fixed and offering him $12,500 through Facebook's bug bounty program. Presumably, the fix was simple — altering the mobile app permissions was likely enough — but it's a reminder of how much damage even a small bug can do. Sophos has already speculated that the bug could have been used to delete every photo on Facebook, but such an attack would be unlikely, since the bug does not seem to have allowed access to any private accounts. Luckily, Muthiyah did the right thing and reported the bug, walking away with a sizable reward. "We received a report about an issue with our Graph API and quickly fixed it within two hours of verifying the claims," said a Facebook representative. "We'd like to thank the researcher who reported the issue to us through our bug bounty program."

Source: http://www.theverge.com/2015/2/12/8026159/facebook-photo-album-vulnerability-bug-bounty
  8. Section 1: Introduction

1.1 Overview

Lately, a new malware has been seen spreading on Facebook. Facebook is an online social networking service which had over 1.3 billion active users as of June 2014. At that moment, three different variations and spreading methods had been observed. According to the samples that have been acquired, there are three quick campaigns that had been launched. There are some similarities in the way the malware achieves that huge number of infected victims, with a combination of pre-registered domains in the role of C&C server.

1.2 Background

A close friend of mine, who specializes in social media marketing and management, called me late at night requesting my help. He was terrified by the fact that most of his friends on the Facebook platform had been posting statuses with strange links. Having a really strong interest in malware research, I decided with a friend to fully understand the process of infection and spreading.

Read more: http://dl.packetstormsecurity.net/papers/general/facebook_malware.pdf
  9. I need someone who can deliver me a minimum of 500 likes per day to a Facebook page; I'm interested in Romanians. Awaiting PM.
  10. If someone shares a porn video on Facebook, beware. The latest threat to users involves a fake Flash Player update which pops up during a preview of a pornographic video. Once you click on the link to update your video player, malware (the name given to malicious software) downloads onto your computer. This Trojan horse software gives the creator of the malware remote access to your computer. They can then download viruses onto your computer.

Security researcher Mohammad Faghani alerted users to the threat in a post on the Full Disclosure blog, which flags up network vulnerabilities. "The Trojan tags the infected user's friends with an enticing post," he explained. Faghani warned that the malware then tags up to 20 friends of the victim in the malicious post, thus leading to a larger number of those who could be affected. He believes it could "infect more than 110,000 users in two days". Faghani also said the malware was able to hijack keyboard and mouse movement.

In response, Facebook said it was aware of the problem and was working to block it. In a statement issued to security news website Threatpost, a Facebook spokesperson said: "We use a number of automated systems to identify potentially harmful links and stop them from spreading. "In this case, we're aware of these malware varieties, which are typically hosted as browser extensions and distributed using links on social media sites. "We are blocking links to these scams, offering cleanup options, and pursuing additional measures to ensure that people continue to have a safe experience on Facebook."

Last week, a hacker group called Lizard Squad had hinted it was responsible for Facebook, Instagram and Tinder going down. Facebook denied it was hacked, saying the access issues were "not the result of a third party attack".

Source
  11. I've seen that there are quite a few RST members who want to know more about facebook ads, how to create an effective campaign without paying a lot of $. I found this article quite interesting, I hope it's useful to you:

Are Facebook ads working for you? Are you looking to get a better return on your Facebook ad investment? To get the best performance from ads, you need to make sure they reach the right audience. In this article you'll find 15 ways to set up and optimize your Facebook ads.

#1: Keep Mobile and Desktop Ads Separate

Use separate ad sets for mobile and desktop so you can optimize your ads, bids and conversions based on device. Ads and calls to action are likely to perform differently on desktop versus mobile, and any ad setup should take that into account. If you're using Power Editor, you can select the device targeting directly from the Ad Set menu.

#2: Optimize Desktop News Feed and Right-Column Ads Separately

One of the best practices in marketing is to set up highly segmented ads. Separating desktop news feed and right-column ads is necessary for optimizing campaigns by device, placement and any other targeting option.

MORE: 15 Ways to Optimize Your Facebook Ads | Social Media Examiner
  12. Down For Everyone Or Just Me -> Check if your website is down or up? https://isitup.org/ https://downdetector.com/status/facebook
  13. Hi, I recently noticed a method of finding out facebook passwords, en masse. I want to point out that there is nothing illegal about this method. If you want, I'll send you the method in private! I offer this method only to users with seniority.
  14. Facebook Multi-Page/Group Poster
  15. Buying facebook accounts (made by you) with email and 2000+ friends (I don't care which country they're from). I offer good prices. PM
  16. Document Title:
===============
Facebook Bug Bounty #19 - Filter Bypass Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1381

Facebook Security ID: 221374210

Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/01/14/facebook-bug-bounty-restriction-filter-bypass-vulnerability-id-221374210

Release Date:
=============
2015-01-14

Vulnerability Laboratory ID (VL-ID):
====================================
1381

Common Vulnerability Scoring System:
====================================
3.5

Product & Service Introduction:
===============================
Facebook is an online social networking service, whose name stems from the colloquial name for the book given to students at the start of the academic year by some university administrations in the United States to help students get to know each other. It was founded in February 2004 by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The website's membership was initially limited by the founders to Harvard students, but was expanded to other colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities before opening to high school students, and eventually to anyone aged 13 and over. Facebook now allows any users who declare themselves to be at least 13 years old to become registered users of the site. Users must register before using the site, after which they may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics, and categorize their friends into lists such as `People From Work` or `Close Friends`.

As of September 2012, Facebook has over one billion active users, of which 8.7% are fake. According to a May 2011 Consumer Reports survey, there are 7.5 million children under 13 with accounts and 5 million under 10, violating the site's terms of service. In May 2005, Accel Partners invested $12.7 million in Facebook, and Jim Breyer added $1 million of his own money to the pot. A January 2009 Compete.com study ranked Facebook as the most used social networking service by worldwide monthly active users. Entertainment Weekly included the site on its end-of-the-decade `best-of` list, saying, `How on earth did we stalk our exes, remember our co-workers' birthdays, bug our friends, and play a rousing game of Scrabulous before Facebook?` Facebook eventually filed for an initial public offering on February 1, 2012, and was headquartered in Menlo Park, California. Facebook Inc. began selling stock to the public and trading on the NASDAQ on May 18, 2012. Based on its 2012 income of USD 5.1 Billion, Facebook joined the Fortune 500 list for the first time, being placed at position 462 on the list published in 2013.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Facebook )

Abstract Advisory Information:
==============================
The independent Vulnerability Laboratory Researcher Paulos Yibelo discovered a limitation bypass vulnerability in the official Mobile Site and mobile app (android/ios).

Vulnerability Disclosure Timeline:
==================================
2014-12-10: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security)
2014-12-11: Vendor Notification (Facebook Security Team - Bug Bounty Program)
2014-12-15: Vendor Response/Feedback (Facebook Security Team - Bug Bounty Program)
2015-01-12: Vendor Fix/Patch (Facebook Developer Team - Reward: Bug Bounty)
2015-01-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A restriction/limitation bypass web vulnerability has been discovered in the official Facebook Mobile web-application framework. Facebook limits a name change for 60 days before a new name is applied. The advisory explains how I was able to bypass the restriction to change my `Alternative name` using parameter session tampering. First the attacker uses a restricted account (60 day) and reviews the changes by using a session tamper. By a permanent exchange of the name values, the service updates the name value through the mobile service without using the secure restriction mechanism. Remote attackers are able to bypass the restriction to exploit the vulnerability. The attack vector of the issue is located on the application side and the request method to inject is POST. Using this bug, a local attacker (a logged-in user) can impersonate other users to manipulate their friends and change back to their account name (bypassing the 60-day restriction). The security risk of the filter bypass vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 3.5. Exploitation of the filter mechanism vulnerability requires a low privileged web-application user account without user interaction. Successful exploitation of the bypass issue results in unauthorized account name changes through alternative name inputs.

Request Method(s):
[+] POST

Vulnerable Service(s):
[+] Facebook - Mobile Website
[+] Facebook Apps - Apple iOS & Android

Vulnerable Module(s):
[+] ./settings/account/

Vulnerable Parameter(s):
[+] name

Proof of Concept (PoC):
=======================
The bypass vulnerability can be exploited by remote attackers with a restricted user account and without user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below to continue.

Requirements: Attacker needs an account that changed its name and is limited for 60 (x) days before making any other changes

Manual steps to reproduce the vulnerability ...
1. Go to https://m.facebook.com/settings/account/?name&refid=70
2. Click review changes and tamper the request, change the value of alternative name to anything
3. Continue the request and save the changed value
4. Submit request, then enter your test account password
5. Name value is changed even if time restriction was set
Note: Alternative name shall then be updated too
6. Facebook vulnerability successfully exploited!

Reference(s):
https://m.facebook.com/settings/account/?name&refid=70

Security Risk:
==============
The security risk of the restriction/limitation bypass vulnerability in the change name function is estimated as medium. (CVSS 3.5)

Credits & Authors:
==================
Paulos Yibelo (paulosyibelo.com)

Source
  17. Hello, a short while ago I started my activity on this blog: Photography. It's a photography blog where I post photos taken by me, or all kinds of information about the field of photography. We look forward to seeing you. Yes.. And I've also opened a facebook page where I'll post most of the photos, especially those taken in the city of Brasov. https://www.facebook.com/ArtaFotografieiBrasov01
  18. FB Lead Chef v2.5.0.0. Tested and it works. FB Lead Chef is John Ashwin Christos' product. With this product, you'll get exact software, methods & strategies you can immediately use to force Facebook to send you brand new intelligent leads that convert like crazy. A Software System That Really Works, because the developers are a dedicated development team.

Virus Total:
SHA256: 6909ba1c26c15c2bc382540578b3cc9460a111d483697f627a367bf47f35b8f4
File name: FBLC 2.5.rar
Detection ratio: 2 / 54
Analysis date: 2014-06-15 06:53:36 UTC ( 1 minute ago )

Download Link:
  19. A while ago I made a video tutorial for a few people who kept nagging me with the question: "bro, crack a facebook account for me too", so I decided to make them a more or less OK tutorial without too much hassle ... Download: MD5 phising facebook - Download - 4shared; GirlShare - Download MD5 phising facebook.rar. Pass: MD5 > zettabyte (starts like 5825d73d1a079bd345f76e2c268*****), you'll figure it out.
  20. Hi RST, I want to find out who is behind a facebook page like "Curve din ....." or "Cocalari din (oras)". I want to find this out by any method, anything; I tried to do something and only found an IP. I understand there are several Administrators, but I want to find at least one. How can I do this? Something like sending a picture that has a keylogger, or social engineering, or something else. Please help me with this, I'll be grateful. Thanks. PS. My best friend was put on a page like this, they want to take revenge on him for some reason I don't know and they chose this method. I want to find out who did this and have that page shut down.
  21. I got tired of posting manually on the facebook page and decided to make a script that automatically posts a photo with a message on facebook using cron.

<?php
// Load the Facebook PHP SDK (path of the poster's own install)
require_once("/var/www/facebook/post/facebook-php-sdk-master/src/facebook.php");

// Page access token saved after the first (interactive) login; empty on first run
$token_file = file_get_contents("token.txt");
$page_id = 45336456546456;
$message = 'Post test';
$img_path = '/var/www/facebook/post/1.jpg';

$config = array();
$config['appId'] = '435646456456';
$config['secret'] = '456456dfge56t4e5tgedrg546te';
$config['fileUpload'] = true;

$fb = new Facebook($config);
$user_id = $fb->getUser();

if($user_id) { //comment this line after application approval
    if(empty($token_file)){
        // First run: list the pages this user manages and store the token of the wanted page
        $json_response = file_get_contents("https://graph.facebook.com/me/accounts?access_token=".$fb->getAccessToken());
        $decoded = json_decode($json_response, TRUE);
        foreach($decoded['data'] as $k => $v){
            if(in_array($page_id, $v)){
                file_put_contents("token.txt", $v['access_token']);
            }
        }
    } else {
        // Token already stored: upload the photo with the message to the page
        $params = array(
            "access_token" => $token_file,
            "message" => $message,
            "source" => "@" . $img_path,
        );
        try {
            $ret = $fb->api('/'.$page_id.'/photos', 'POST', $params);
            echo 'poza uploadata';
            var_dump($ret);
        } catch(Exception $e){
            echo $e->getMessage();
        }
    }
} else { //comment this line after application approval
    // No session yet: show the login link so the app can be authorized once
    $login_url = $fb->getLoginUrl( array( 'scope' => 'manage_pages,publish_stream') ); //comment this line after application approval
    echo 'Please <a href="' . $login_url . '">login.</a>'; //comment this line after application approval
} //comment this line after application approval
?>

The script is far from perfect, but it works as follows:
1. replace the "page_id" variable with the id of the page/account
2. create the application in facebook developer and replace "appId" and "secret"
3. in the application settings you must add the url where the script will be placed
4. create the "token.txt" file with read/write permissions (the token for offline publishing will be stored there)
5. access the page, press log in, accept the application (it should appear 3 times)
6. after that, comment out the lines containing the comment "comment this line after application approval"
7. set an hourly cron, e.g.: 10 * * * * /usr/bin/php /var/www/script.php

Have fun.
  22. Hi! Does anyone know a hack (online if possible) to get into someone's facebook account? Or to delete their account without them knowing?
  23. XXE in OpenID: one bug to rule them all, or how I found a Remote Code Execution flaw affecting Facebook's servers Hi, since I don't write much, let me first introduce myself. My name is Reginaldo Silva and I'm a brazilian computer engineer. These days I work mostly with information security, with a special interest in Web Application Security. I.E. if you let me, I'll find ways to hack into your site or application, hopefully before the bad guys do. You'll find a little more information about me going to my home page. Today I want to share a tale about how I found a Remote Code Execution bug affecting Facebook. Like all good tales, the beginning was a long time ago (actually, just over a year, but I count using Internet Time, so bear with me). If you find this interesting and want to hire me to do a security focused review or penetration testing in your own (or your company's) code, don't hesitate to send me an email at reginaldo@ubercomp.com. September 22nd, 2012 was a very special day for me, because it was the day I found a XML External Entity Expansion bug affecting the part of Drupal that handled OpenID. XXEs are very nice. They allow you to read any files on the filesystem, make arbitrary network connections, and just for the kicks you can also DoS the server with the billion laughs attack. I was so naive at the time that I didn't even bother to check if anyone else was vulnerable. I reported it immediately. I wanted to start putting CVEs on my resume as soon as possible, and this would be the first (it eventually got CVE-2012-4554 assigned to it). Only five days later it occurred to me that OpenID was pretty heavily used and so maybe other places were vulnerable as well. I decided to check the StackOverflow login form. Indeed, it was vulnerable to the whole thing (file reading and all). Then I decided to try to find OpenID handling code running inside Google's servers. 
I wasn't able to read files or open network connections, but both App Engine and Blogger were vulnerable to DoS. This is how I got my first bounty from Google, by the way. It was a US$ 500 bounty. After reporting the bug to Google, I ran some more tests and eventually noticed that the bug I had in my hands was affecting a lot of implementations. I won't enumerate the libraries here, but let me just say that this single bug affected, in one way or another, libraries implemented in Java, C#, PHP, Ruby, Python, Perl, and then more... The only reason I'm not publishing the PoC here is that there are a lot of servers who are still vulnerable out there. Of course, the people who know about security will just read OpenID and XXE and then write an exploit in about 5 minutes, but I digress. So after contacting (or trying to contact) every OpenID library author out there, I decided to write to the member-only security list hosted at the OpenID foundation an email titled "One bug to rule them all: many implementations of OpenID are vulnerable to XXE" to share my findings. I figured most library authors would be members of that list and so patches would be released for everyone very soon. I was right, but only partially. The persistent readers who are still with me by now are thinking: what does a Facebook Remote Code Execution bug has to do with all this? Well, I knew Facebook allowed OpenID login in the past. However, when I first found the OpenID bug in 2012 I couldn't find any endpoint that would allow me to enter an arbitrary OpenID URL. From a Google search I knew that in the past you could do something like https://www.facebook.com/openid/consumer_helper.php?openid.mode=checkid_setup&user_claimed_id=YOUR_CLAIMED_ID_HERE&context=link&request_id=0&no_extensions=false&third_party_login=false, but now the consumer_helper.php endpoint is gone. So for more than a year I thought Facebook was not vulnerable at all, until one day I was testing Facebook's Forgot your password? 
functionality and saw a request to https://www.facebook.com/openid/receiver.php. That's when I began to suspect that Facebook was indeed vulnerable to that same XXE I had found out more than a year ago. I had to work a lot to confirm this suspicion, though. Long story short, when you forget your password, one of the ways you can prove to Facebook that you own an @gmail.com account is to log into your Gmail and authorize Facebook to get your basic information (such as email and name). The way this works is you're actually logging into Facebook using your Gmail account, and this login happens over OpenID. So far, so good, but this is where I got stuck. I knew that, for my bug to work, the OpenID Relying Party (RP - Facebook) has to make a Yadis discovery request to an OpenID Provider (OP) under the attacker's control. Let's say Ubercomp. Then my malicious OP will send a response with the rogue XML that will then be parsed by the RP, and the XXE attack will work. Since the initial OpenID request (a redirect from Facebook to Google) happens without my intervention, there was no place for me to actually enter an URL under my control that was my OpenID identifier and have Facebook send a Yadis Discover request to that URL. So I thought the bug would not be triggered at all, unless I could somehow get Google to send Facebook a malicious XML, which was very unlikely. Fortunately, I was wrong. After a more careful reading of the OpenID 2.0 Specification, I found this nice gem in session 11.2 - Verifying Discovered Information: I checked and, indeed, the openid.identity in the request was Final: OpenID Authentication 2.0 - Final. This is a very common practice, actually. So indeed after a few minutes I was able to make a request to https://www.facebook.com/openid/receiver.php that caused Facebook to perform a Yadis discovery on a URL under my control, and the response to that request would contain malicious XML. 
I knew I had a XXE because when I told Facebook's server to open /dev/random, the response would never come and eventually a request killer would kick in after a few minutes. But I still couldn't read any file contents. I tried everything on the XXE back of tricks (including weird combinations involving parameter entities, but nothing. I then realized I had a subtle bug on my exploit that, fixed that, and then... That's right, the response contained Facebook's /etc/passwd. Now we were going somewhere. By then I knew I had found the keys to the kingdom. After all, having the ability to read (almost) any file and open arbitrary network connections through the point of view of the Facebook server, and which doesn't go through any kind of proxy was surely something Facebook wanted to avoid at any cost. But I wanted more. I wanted to escalate this to a full Remote Execution. A lot of bug bounty programs around the web have a rule that I think is very sensible: whenever you find a bug, don't linger on messing around. Report the bug right away and the security team will consider the worst case scenario and pay accordingly. However, I didn't have much experience with the security team at Facebook and didn't know if they would consider my bug as a Remote Code Execution or not. I Since I didn't want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to a RCE and then work on it while it was being fixed. I figured that would be ok because most bugs take a long time to be processed, and so I had plenty of time to try to escalate to an RCE while still keeping the nice imaginary white hat I have on my head. So after writing the bug report I decided to go out and have lunch, and the plan was to continue working when I came back. However, I was wrong again. Since this was a very critical bug, when I got back home from lunch, a quick fix was already in place. Less than two hours after the initial report was sent. 
Needless to say, I was very impressed and disappointed at the same time, but since I knew just how I would escalate that attack to a Remote Code Execution bug, I decided to tell the security team what I'd do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not. I'm glad I did that. After a few back and forth emails, the security team confirmed that my attack was sound and that I had indeed found an RCE affecting their servers.

So this is how the first high impact bug I ever found was the entry point for an attack that probably got one of the highest payouts of any web security bug bounty program. Plus, and more importantly, I get to brag I broke into Facebook... Nice, huh?

Oh, by the way, the Facebook security team wrote a post to tell their side of the story. Join the discussion on Hacker News.

Timeline

All timestamps are in GMT. I omitted a few unimportant interactions about the acknowledgements page and such.

2013-11-19 3:51 pm: Initial report.
2013-11-19 5:37 pm: Bug acknowledged by security team member Godot.
2013-11-19 5:46 pm: I replied by sending a PoC to read arbitrary files.
2013-11-19 7:31 pm: Security team member Emrakul informed me that a short term fix was already in place and would be live in approximately 30 minutes.
2013-11-19 8:27 pm: I replied confirming that the bug was patched.
2013-11-21 8:03 pm: Payout set. The security team informed me it was their biggest bounty payout to date.
2013-11-22 2:13 am: I sent an email asking whether the security team had already considered the bug as RCE or just as a file disclosure.
2013-11-23 1:17 am: Security team replied that they did not consider the attack could be escalated to RCE.
2013-11-23 7:54 pm: I sent an email explaining exactly how the attack could be escalated to an RCE (with file paths, example requests and all).
2013-11-24 9:23 pm: Facebook replied that my attack worked and they'd have to work around it.
2013-12-03 4:45 am: Facebook informed me that the longer term fix was in place and that they'd soon have a meeting to discuss a new bounty amount.
2013-12-03 7:14 pm: I thanked them and said I'd cross my fingers.
2013-12-13 1:04 pm: I found a Bloomberg article quoting Ryan McGeehan, who managed Facebook's incident response unit, saying that "If there's a million dollar bug, we will pay it out" and asked if there was any news.
2013-12-30 4:45 am: Facebook informed me that, since the bug was now considered to be RCE, the payout would be higher.

I won't disclose the amount, but if you have any comments about how much you think this should be worth, please share them. Unfortunately, I didn't get even close to the one-million dollar payout cited above. In case you're wondering, I quoted Mr. McGeehan mostly as a joke.

http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
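The defensive counterpart to the discovery step described in the post above, as an added example that is not from the original post or from Facebook's code: a Yadis/XRDS response handler for an OpenID RP that refuses any DTD before the parser can expand anything, using only the standard library's expat bindings. The XRDS samples and the op.example.test URL are constructed placeholders.

```python
import xml.parsers.expat as expat

OPENID_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"  # from the spec

class UnsafeXrdsError(ValueError):
    """A discovery response carried a DOCTYPE or entity declaration."""

def parse_xrds_services(document: bytes):
    """One {'types': [...], 'uris': [...]} per <Service>. XRDS never needs a DTD,
    so any DOCTYPE/ENTITY is refused before the parser can expand anything."""
    parser = expat.ParserCreate(namespace_separator=" ")
    services, current, chars = [], None, []
    def reject(*_args):
        raise UnsafeXrdsError("DTD constructs are not allowed in XRDS")
    parser.StartDoctypeDeclHandler = reject  # fires on any <!DOCTYPE ...>
    parser.EntityDeclHandler = reject        # belt and braces for <!ENTITY ...>

    def start(name, _attrs):
        nonlocal current
        if name.rsplit(" ", 1)[-1] == "Service":  # drop the namespace part
            current = {"types": [], "uris": []}
        chars.clear()

    def end(name):
        nonlocal current
        local, value = name.rsplit(" ", 1)[-1], "".join(chars).strip()
        if current is not None and local in ("Type", "URI"):
            current["types" if local == "Type" else "uris"].append(value)
        elif current is not None and local == "Service":
            services.append(current)
            current = None
        chars.clear()

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars.append
    parser.Parse(document, True)
    return services

def find_op_endpoint(document: bytes):
    for svc in parse_xrds_services(document):
        if OPENID_SERVER_TYPE in svc["types"] and svc["uris"]:
            return svc["uris"][0]
    return None

# Constructed samples (placeholder URLs): a clean XRDS, and one that adds a DTD.
CLEAN_XRDS = b"""<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD><Service priority="0"><Type>http://specs.openid.net/auth/2.0/server</Type>
<URI>https://op.example.test/openid</URI></Service></XRD></xrds:XRDS>"""
DTD_XRDS = b"""<!DOCTYPE XRDS [ <!ENTITY ext SYSTEM "file:///placeholder"> ]><XRDS/>"""
```

A full RP would additionally cap the discovery response size and put a read timeout on the fetch, since a hostile OP can simply stall the connection (the /dev/random probe in the post relied on exactly that).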
  24. Log in to your FB account, then visit the option to create a new page or Click here. Now choose any specific category you want. Now simply copy the characters given below. (If you already have a page created, edit the name with the following code, click "Save Changes", then after "Edit" delete all the characters and save again without a name.) ??????? After copying the characters above, paste them in place of the page name. Now check the terms and conditions box and click on the Create button. Your new page will be created and its name will look as shown below. Now go to Edit Page >> then Update Page Info. Click on the Edit button of the page name, then remove all the characters present in the page name box. After removing them all, press the Enter button. Refresh your page again and the page name will disappear, and you are done. If you want to see an invisible page name as proof, Click Here. Make sure that all the characters of the page name are removed successfully. If you are not sure, then check them in both Mozilla and Chrome, because sometimes Mozilla shows no character but Chrome does. So make sure that the page name disappears. Source