Showing posts from 2014

[Responsible disclosure] Hacking Facebook.com/thanks Posting on behalf of your friends!

Note: This is being published with Facebook's permission under its responsible disclosure policy. The vulnerability is now fixed.

Facebook recently introduced "Say Thanks", a feature that lets a Facebook user create personalized video cards for their Facebook friends.
To create a Thanks video, a user visits facebook.com/thanks and chooses a friend. The user can then pick a theme and edit the photos and posts that represent the friendship.
Once you are ready, you click the "Share" button and the video is posted to your timeline with the friend tagged, so it shows up on your timeline as well as the friend's.

So I started digging in as soon as "Say Thanks" launched.

Below are a few of the things I tried:

1) Posting on behalf of a user who is not a Facebook friend.
2) Posting on behalf of a Facebook friend.

Interestingly, posting on behalf of your Facebook friends worked.
After successful exploitation, a video w…
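The bug class described above, as an added example that is not part of the original post and not Facebook's code: a toy "share on behalf of" endpoint modelled in Python, with the vulnerable authorization check beside a hardened one. The post does not reveal the real request parameters, endpoint or internal checks, so the field names (actor, tagged), the friendship graph and the session model are all assumptions made for illustration. The model reproduces the two tests in the list: posting as a non-friend is rejected in both versions, while the vulnerable version accepts a request that posts as any user who is friends with the tagged person, regardless of who is actually logged in.

```python
"""Toy model of a "share on behalf of" endpoint.

Hypothetical code written for this page, not Facebook's implementation.
Assumption: the share request carries the user the card is posted *as*
("actor") and the friend being tagged ("tagged"), both attacker-controlled.
"""
from dataclasses import dataclass, field

# Constructed sample friendship graph (not real data).
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice"},
    "dave": {"bob"},
}


@dataclass
class Session:
    user: str  # the authenticated user behind the HTTP request


@dataclass
class ShareRequest:
    actor: str   # user the video is posted as (from the request body)
    tagged: str  # friend tagged in the card (from the request body)


@dataclass
class Timeline:
    posts: list = field(default_factory=list)


TIMELINES = {u: Timeline() for u in FRIENDS}


def are_friends(a: str, b: str) -> bool:
    return b in FRIENDS.get(a, set())


def _publish(actor: str, tagged: str) -> None:
    # The card appears on both timelines, as the post describes.
    post = {"by": actor, "tagged": tagged}
    TIMELINES[actor].posts.append(post)
    TIMELINES[tagged].posts.append(post)


def share_vulnerable(session: Session, req: ShareRequest) -> bool:
    """Vulnerable: verifies only that actor and tagged are friends.
    The session user is never compared with the actor, so anyone who knows
    two friends' ids can publish a card as one of them."""
    if not are_friends(req.actor, req.tagged):
        return False
    _publish(req.actor, req.tagged)
    return True


def share_hardened(session: Session, req: ShareRequest) -> bool:
    """Hardened: identity comes from the session, not the request, and the
    tagged user must be a friend of that session user."""
    actor = session.user
    if req.actor != actor:
        # Reject rather than silently rewrite, so tampering shows up in logs.
        return False
    if not are_friends(actor, req.tagged):
        return False
    _publish(actor, req.tagged)
    return True


def reset() -> None:
    for t in TIMELINES.values():
        t.posts.clear()


def demo() -> tuple:
    """dave is logged in and submits a request posting as bob, tagging alice."""
    reset()
    dave = Session("dave")
    forged = ShareRequest(actor="bob", tagged="alice")
    vuln = share_vulnerable(dave, forged)   # accepted: bob and alice are friends
    hard = share_hardened(dave, forged)     # rejected: actor != session user
    # dave posting as himself to his real friend bob must still work.
    legit = share_hardened(dave, ShareRequest(actor="dave", tagged="bob"))
    return vuln, hard, legit


if __name__ == "__main__":
    print(demo())
```

The fix is the usual one for this kind of authorization bug: never trust a client-supplied identity for the acting user; derive it from the authenticated session and only then check the relationship (here, friendship) that the action requires.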