Facebook wall post exploit
I’m sure everyone by now has read or heard about the wall post exploit where the a man from India posted on Mark Zuckerberg‘s wall without being authorized as his friend. The exploit has been patched up, however below you will see how easy it was executed. Is your information safe?
What this exploit is about
When you make a new status on Facebook, the default value of making a status is set to your profile. By changing a single value, you will be able to make a post on any wall you want.
Step 1
Open Facebook, write a status message but don’t submit it.
Step 2
Open the profile you wish to make a post on, and copy the username, or ID, right after the facebook.com part. Example:
http://www.facebook.com/zuck
Copy zuck and put it after this URL: http://graph.facebook.com/
http://www.facebook.com/zuck -> http://graph.facebook.com/zuck
Step 3
Go back to your Facebook status, and open Google Developer (F12) or Inspect Element (Firefox) and click on the status
Step 4
Scroll up, till you find an input-tag with name set to “xhpc_targetid”. It looks like this:
input type=”hidden” autocomplete=”off” name=”xhpc_targetid” value=”12345″
Step 5
Go back to the graph.facebook.com tab you opened before, and copy the ID.
In that case, the ID would be 4.
Step 6
Go back to your Facebook status, and replace the value=”xxx” (from step 4) to your new ID. Example:
input type=”hidden” autocomplete=”off” name=”xhpc_targetid” value=”12345″
changed to:
input type=”hidden” autocomplete=”off” name=”xhpc_targetid” value=”4″
Once that is done, all you need to do now is press “Post”. Your post will now be posted on the target’s Facebook wall!
