We’ve all done it. We’ve all accidentally use Social Networking websites
to spy on other people and/or collecting photos of real cute girls! You
start surfing on the Internet with the best intentions, but somehow you
end up in one of those want-to-know-even-I’m-dying curious state and
wake up done collecting information and photos like a digital stalker. Doing all this kind of things is almost a rite of passage for computer-freak male. There’s no shame in that.
This is being said, very few of us have done stalking and stealing
information about cute girls for the sake of nothing. There must be
something behind it: you want to keep an eye on your girlfriend or wife
(that means you’re one of a hell possessive guy), wanted to do
information gathering on your new date (that means you’re immature) or
even just love to collect pretty girl’s photos for your own needs (that
means you’re either a freak, stalker, or an Anti-social). I will be
honest. I maybe a member of those clubs, but it’s up for debate. Let me
explain:
It was started a few days ago, when Whindy Yoevestian (as my book’s editor) told me that FaceBook is indeed one of the most selling book topics in Indonesia through the phone while my girlfriend was busy playing with her BlackBerry
opening FaceBook and do gossips there! LoL! I feel lost - it was really
like, I’m in the middle of nowhere and I don’t know a thing about
FaceBook which everybody always talked about! So, I decided to get my
move!
Register myself for FaceBook, add several people, do a little
surfing inside - looking for any good applications and games to play
with, I found the fact that I may use this FaceBook to see my
ex-girlfriend’s photos! I wonder how is she looks like now (really,
just wondering). I searched for her name by using the search box
located on the top-right side of the FaceBook home index page and I
found her - it was no more than 3 seconds.
Damn! I cannot have my eyes on her photos, it’s because FaceBook is
not allowing me to see any of her profile information and/or photos
when I’m not within her friend list. Now, I’m getting bored!
Accidentally, I’ve got a friend of mine whose telling me to give her
comments on her brand new Album in FaceBook! She gave me the URL to her
Album - and the URL look just like this:
https://www.facebook.com/album.php?aid=161512&id=987654321
Hey wait a moment, isn’t that means I can do something since people
can easily see other user’s ID when they can search them through the
search column? I tried to get my ex-girlfriend’s profile again by
search and find out that when you clicked the “View Friends” link, FaceBook will appoint me to this URL:
https://www.facebook.com/friends/?id=123456789
Then I noticed that the id= variable might be the key to someone’s
individual profile numbers. I tried to put my friend’s ID (which
actually was 987654321) to the “View Friends” URL format and
press my enter button! Bingo! I saw my friend’s friends now! That means
this id= variable is the ID for every user’s profile number. But wait!
What is aid= variable used for? Again, I surfed for quite some times
and I found that aid= variable is something like 5 or 6 random numbers.
Hmm, looks tough, I think of only a bruteforce attack! I won’t
bruteforce their passwords or anything (since I do not even know the
emails they are using to logged in), but I will bruteforce the URL
instead! Yup! Imagine that your victim id= variable is 981676553 but
you know nothing about his/her aid= variable, isn’t it always easy to
use a software which can try URLs from https://www.facebook.com/album.php?aid=00000&id=981676553 to https://www.facebook.com/album.php?aid=999999&id=981676553 and determine which one is a valid link and which are not? Hehehe! In this case, I pick WebSlayer as my most favorite tools to do the job!
Just download it here!
Now as I opened my WebSlayer application I’m being faced to the
Attack Setup tab page where I need to fill information about my
targeted website - I put https://www.facebook.com/FUZZ
as the victimized URL (the word FUZZ is kind of a command for the
application that says those part are the one to be bruteforced):
What did I do next is to set my pattern of Fuzzing (guessing) from
the Payload Generator - I really love to use the Range one, although
file and permutation type are also good! I put the range, the pattern
and generate it! When you done all those things, you should be able to
see the exactly same looks as this picture:
Then go back to the Attack Setup tab, select Payload as your Payload type, import the Fuzz from Generator and click on the “Start Attack” button! What will you see next is this kind of a picture:
Look at the bruteforced URLs up there! The one highlighted with
light-brown colors are the valid links! Try opening those URLs and
you’ll be able to see my friend’s albums (2 of them) but when you try
the non-Highlighted URLs - you’ll found that those contents are not
available at the moment (FaceBook will say that). Hehehe!
I use it on my ex-girlfriend’s profile while doing more research on
it (plus reading from other people’s information too), I found out that
there were tons of easier ways to do it, better accuracy and faster
results! So I tried to make myself through those ways and viola, I was
able to view all my ex-girlfriend’s photos within no more than 3
minutes of waiting! Hehehe!
NB: I won’t tell you guys how to do the faster
and easier way, but I will tell you, it’s not that hard and it’s real!
If you want to know more about this kind of stuffs, please do it
yourself before asking! I know you guys can do it! And if you’re about
to ask me how to steal people’s account, believe me, phishing attack is
still the best; especially when they’re being mixed with several XSS
which are still left unfixed around FaceBook applications and PHP
scripts.
Special thanks goes to Zealtous whose without his Windows operation system this article won’t be exist!
to spy on other people and/or collecting photos of real cute girls! You
start surfing on the Internet with the best intentions, but somehow you
end up in one of those want-to-know-even-I’m-dying curious state and
wake up done collecting information and photos like a digital stalker. Doing all this kind of things is almost a rite of passage for computer-freak male. There’s no shame in that.
This is being said, very few of us have done stalking and stealing
information about cute girls for the sake of nothing. There must be
something behind it: you want to keep an eye on your girlfriend or wife
(that means you’re one of a hell possessive guy), wanted to do
information gathering on your new date (that means you’re immature) or
even just love to collect pretty girl’s photos for your own needs (that
means you’re either a freak, stalker, or an Anti-social). I will be
honest. I maybe a member of those clubs, but it’s up for debate. Let me
explain:
It was started a few days ago, when Whindy Yoevestian (as my book’s editor) told me that FaceBook is indeed one of the most selling book topics in Indonesia through the phone while my girlfriend was busy playing with her BlackBerry
opening FaceBook and do gossips there! LoL! I feel lost - it was really
like, I’m in the middle of nowhere and I don’t know a thing about
FaceBook which everybody always talked about! So, I decided to get my
move!
Register myself for FaceBook, add several people, do a little
surfing inside - looking for any good applications and games to play
with, I found the fact that I may use this FaceBook to see my
ex-girlfriend’s photos! I wonder how is she looks like now (really,
just wondering). I searched for her name by using the search box
located on the top-right side of the FaceBook home index page and I
found her - it was no more than 3 seconds.
Damn! I cannot have my eyes on her photos, it’s because FaceBook is
not allowing me to see any of her profile information and/or photos
when I’m not within her friend list. Now, I’m getting bored!
Accidentally, I’ve got a friend of mine whose telling me to give her
comments on her brand new Album in FaceBook! She gave me the URL to her
Album - and the URL look just like this:
https://www.facebook.com/album.php?aid=161512&id=987654321
Hey wait a moment, isn’t that means I can do something since people
can easily see other user’s ID when they can search them through the
search column? I tried to get my ex-girlfriend’s profile again by
search and find out that when you clicked the “View Friends” link, FaceBook will appoint me to this URL:
https://www.facebook.com/friends/?id=123456789
Then I noticed that the id= variable might be the key to someone’s
individual profile numbers. I tried to put my friend’s ID (which
actually was 987654321) to the “View Friends” URL format and
press my enter button! Bingo! I saw my friend’s friends now! That means
this id= variable is the ID for every user’s profile number. But wait!
What is aid= variable used for? Again, I surfed for quite some times
and I found that aid= variable is something like 5 or 6 random numbers.
Hmm, looks tough, I think of only a bruteforce attack! I won’t
bruteforce their passwords or anything (since I do not even know the
emails they are using to logged in), but I will bruteforce the URL
instead! Yup! Imagine that your victim id= variable is 981676553 but
you know nothing about his/her aid= variable, isn’t it always easy to
use a software which can try URLs from https://www.facebook.com/album.php?aid=00000&id=981676553 to https://www.facebook.com/album.php?aid=999999&id=981676553 and determine which one is a valid link and which are not? Hehehe! In this case, I pick WebSlayer as my most favorite tools to do the job!
Just download it here!
Now as I opened my WebSlayer application I’m being faced to the
Attack Setup tab page where I need to fill information about my
targeted website - I put https://www.facebook.com/FUZZ
as the victimized URL (the word FUZZ is kind of a command for the
application that says those part are the one to be bruteforced):
What did I do next is to set my pattern of Fuzzing (guessing) from
the Payload Generator - I really love to use the Range one, although
file and permutation type are also good! I put the range, the pattern
and generate it! When you done all those things, you should be able to
see the exactly same looks as this picture:
Then go back to the Attack Setup tab, select Payload as your Payload type, import the Fuzz from Generator and click on the “Start Attack” button! What will you see next is this kind of a picture:
Look at the bruteforced URLs up there! The one highlighted with
light-brown colors are the valid links! Try opening those URLs and
you’ll be able to see my friend’s albums (2 of them) but when you try
the non-Highlighted URLs - you’ll found that those contents are not
available at the moment (FaceBook will say that). Hehehe!
I use it on my ex-girlfriend’s profile while doing more research on
it (plus reading from other people’s information too), I found out that
there were tons of easier ways to do it, better accuracy and faster
results! So I tried to make myself through those ways and viola, I was
able to view all my ex-girlfriend’s photos within no more than 3
minutes of waiting! Hehehe!
NB: I won’t tell you guys how to do the faster
and easier way, but I will tell you, it’s not that hard and it’s real!
If you want to know more about this kind of stuffs, please do it
yourself before asking! I know you guys can do it! And if you’re about
to ask me how to steal people’s account, believe me, phishing attack is
still the best; especially when they’re being mixed with several XSS
which are still left unfixed around FaceBook applications and PHP
scripts.
Special thanks goes to Zealtous whose without his Windows operation system this article won’t be exist!