Of course, you will need some basic information from your target for you to continue. Here, we are going to expose the best methods to hack a Facebook account easily without surveys.
That means prying for the password and username/email address.
If you are going to crack into someone’s FB account without their knowledge, then you need some details. With such goals, the next question is, how do you hack Facebook account without survey? You need some spying techniques to monitor activities on Facebook. For the last point, if that’s your reason, then your hacking needs to be for legal purposes. You are a spouse concerned about your partner cheating on FB. You are an employer who wants to make sure that no confidential information leaks to the internet. You are a parent concerned about your kids’ FB activities. I could've created a distributed system for my VMs but time is money. Then I let all my scripts do their thang!
I set up 8 VMs (12 cores/20 GB RAM each) over 4 different regions and instantiated 180 PhantomJS instances per VM for full CPU utilization.
Point 4: Got a free trial of Google Compute Engine and hosted my scripts on a virtual machine. I also scraped all User Agent strings for a Chrome browser from to assign to my PhantomJS instance. So we will use PhantomJS (Headless browser) and write a multithreaded script in Java that requests a passcode to every user from our JSON file. Point 3: You need to simulate user behavior when requesting a passcode. In my case, all network traffic went through a proxy server that listened for HTTP requests and arbitrarily assigned an IP address to each request. There are several services online that offer this feature. This means that every email request will be sent from a batch of thousands of IP addresses to simulate a normal global network flow.
Point 2: In order to avoid getting your IP blocked from repeatedly sending requests to send password reset emails, you need rotating IPs. Note: Some of the profile picture urls in the JSON are invalid. So I compiled all this data into a nice JSON, which I guess doesn't hurt to publish since it's all public anyway. Yes it does. All you have to do after making sure the ID is valid is visit the following link: HERE] and the url automatically redirects and changes the ID to the user's username. But wait! Facebook Graph API only lets authorized apps fetch a user's username, doesn't it? Yes it does. I was also able to get profile picture and full name on the user's account with ease since it seems there is no rate-limiting on public data (I just did it for fun). Point 1: Facebook IDs are generally 15 digits long, so I started with 100,000,000,000,000 and started making queries to Facebook Graph API to check which IDs were valid. To send emails, you first need to get access to 2 million Facebook usernames. How do you send 2 million password reset emails quickly without getting blocked? The bug isn't difficult to understand but its execution is tough due to its large scale.
So now that we have picked a random passcode, we will brute force it against our 2 million batch to check whose ID is associated with our random passcode! Again, this isn't the golden rule of thumb but from my testing it will help us later. Then all I have to do is pick a random passcode following this rule: Integers less than 100,000 have a lower probability of occurring than integers between ranges of 300,000 and 699,999 or 800,000 and 999,999, which have higher probability of occurring.
This is a simple application of the Pigeonhole Principle. Hence, I decided to send double the number of emails (2 million of them), hoping that some people from my 2 million will get duplicate passcodes. Since I don't know much about the divine, I put my money on option 1.
There are 2 options here: 1) Facebook either stores duplicate codes for multiple users if more than 1 million people request a password reset code, or 2) Every user gets a unique code and Facebook uses some divine way to handle the case where 1 million+ users request a code. That code does not change if you request it from until that code gets "used." That could possibly mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then the 1,000,001st person to request a code will get a passcode that someone from the batch has already been assigned. Some algorithm which Facebook uses (that is yet to be cracked) generates a seemingly random 6 digit code whenever a person requests a password reset. Well that's 10⁶ = 1,000,000 possible combinations. The only way you can reset your password on Facebook (if you've forgotten one) is through entering a 6 digit passcode.