How to post to other people’s Facebook accounts

As I poke through Facebook, every once in a while I stumble upon some rather fun security holes. This one is probably one of my favorites. It is simple to exploit and the victim has no way of stopping it.

This is most effective if you have initial access to the target’s account, although that is not strictly necessary. Such access can be gained by:

1. using Firesheep on a public Wi-Fi network

2. using a machine a person has left logged in or stepped away from for a few seconds

3. tricking them into sending you a screenshot of the page below

4. looking over someone’s shoulder

With the user logged in, go to

http://www.facebook.com/mobile/

On the lower left there is the “upload via email” option with an email address. Anyone who has this email address can post videos and images to the victim’s FB wall. Once the attacker has acquired the address, the victim cannot change it. When something is posted to the wall through this address, nothing indicates who posted it or how. Facebook has no control restricting which senders may use the address.

The email address appears to be in the form

<dictionaryword><number><dictionaryword>@m.facebook.com

In order for the email to work:

1. it must have a subject

2. it must have an image or video attached

Since the address uses only two dictionary words and a number, a determined spammer can also brute-force their way into random accounts simply by sending out millions of emails.

When an attack is successful, a confirmation email comes back with the subject “Facebook Photos”, confirming that the address is valid and that the photo has been posted.

This is how a compromised post appears on the wall. The only hint as to where it came from is the Mobile Uploads album.
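As an added illustration (not code from this post or from Facebook), here is a toy model of an upload-by-email gateway with the controls the post finds missing: a random, owner-rotatable address instead of the word-number-word pattern, a sender allowlist, no reply to unknown addresses, and recorded provenance. The domain and addresses are constructed placeholders.

```python
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the real upload domain; not Facebook's.
DOMAIN = "m.example.invalid"

@dataclass
class Account:
    user: str
    token: str
    allowed_senders: set = field(default_factory=set)
    wall: list = field(default_factory=list)

class UploadByEmail:
    """Toy gateway with the controls the post says are missing."""

    def __init__(self):
        self.by_token = {}

    def _bind(self, acct):
        # 32 random bytes (256 bits) instead of <word><number><word>, a space
        # small enough to enumerate by mass mailing.
        acct.token = secrets.token_urlsafe(32)
        self.by_token[acct.token] = acct
        return f"{acct.token}@{DOMAIN}"

    def issue(self, user, owner_email):
        return self._bind(Account(user, "", {owner_email.lower()}))

    def rotate(self, user):
        # The owner invalidates a leaked address; the old one stops working.
        for tok, acct in list(self.by_token.items()):
            if acct.user == user:
                del self.by_token[tok]
                return self._bind(acct)
        raise KeyError(user)

    def handle(self, to_addr, from_addr, subject, attachments):
        local, _, domain = to_addr.rpartition("@")
        acct = self.by_token.get(local) if domain == DOMAIN else None
        if acct is None:
            return "rejected: unknown address"  # no reply: not a validity oracle
        if from_addr.lower() not in acct.allowed_senders:
            return "rejected: sender not allowed"
        if not subject or not attachments:
            return "rejected: subject and attachment required"
        acct.wall.append({"via": "email", "from": from_addr,  # provenance kept
                          "subject": subject, "files": list(attachments)})
        return "posted"
```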