Monday, March 7, 2011

Latest Facebook Bug

The most popular social networking website, Facebook, is not 100% secure.

Even if you keep up with the latest defences for staying safe online and protecting yourself from phishing or Java drive-by downloads, your Facebook account may still not be secure.

A new feature in Facebook called Groups allows members to interact with each other and post on the group's wall. A member of a group can add any of his or her friends to the group, and they are added automatically, without any confirmation from them.

If you don't know which groups you are a member of, you can check the list on the left-hand side of your Facebook page.

For example, these are the groups I'm a member of:

A recent bug in Facebook allows an attacker to post status updates from your account, or to post anything he wants in any of the groups you have joined.

Let's suppose that the attacker is one of your friends on Facebook and knows the primary email address you use to log in.

Now, all he has to do is send a forged mail, with your login address as the sender, to the group's email address

where "something" is the name of the group in which he wants to post on your behalf. Facebook identifies the poster by the From header of the mail, and nothing in plain SMTP verifies that header.

The result would be something like this:

Another variant of this attack: if the attacker gets hold of your personalized posting email address,

he can send mail to that address ( ) that appears to come from the email account you use for Facebook, using a simple trick known as email spoofing (forging the From header). This can be used to post status updates, comment on any update, and even change your account settings.

The best way to stay safe is to hide your contact information even from your friends, and never to use your primary email address to log in to your Facebook account. Both steps only deny the attacker the address he needs to put in the From header; they do not stop the spoofing itself.

Also, make sure you change your personalized email address ( ) every few days, since anyone who learns it can post as you until it is changed.
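To make the two halves of this post concrete, here is an added example (not code from the original post, and not Facebook's own code) of a post-by-email receiver. The first handler identifies the poster by the From header alone, which is exactly what the spoofing above abuses. The second requires a per-account secret posting address (the equivalent of the personalized email, which can be rotated) and only trusts the From header when the receiving MTA has recorded a DKIM or SPF pass for the From domain in an Authentication-Results header. All addresses, domains, tokens and headers below are constructed assumptions for illustration.

```python
"""Post-by-email: trusting the From header (spoofable) vs. a hardened receiver.

Constructed example. Addresses, domains, tokens and the Authentication-Results
header are assumptions for illustration, not Facebook's real values.
"""
import email
import hmac
import secrets
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

VICTIM_LOGIN = "victim@example.com"        # constructed: the account's login email
SERVICE_DOMAIN = "post.example.net"        # hypothetical post-by-email domain
MTA_AUTHSERV_ID = "mx.example.net"         # hypothetical border MTA that adds Authentication-Results
ACCOUNTS = {VICTIM_LOGIN: "victim"}        # login email -> account id


def build_message(from_addr, to_addr, body, auth_results=None):
    """Build an RFC 5322 message. SMTP never verifies the From header, so the
    sender can put the victim's login address there: that is the spoofing the
    post describes. auth_results simulates the header our own MTA would add."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = "status update"
    if auth_results is not None:
        msg["Authentication-Results"] = auth_results
    msg.set_content(body)
    return msg.as_bytes()


def naive_handler(raw, accounts=ACCOUNTS):
    """Vulnerable: whoever is named in From is treated as the poster."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg["From"])[1].lower()
    if sender not in accounts:
        return ("rejected", None, None)
    return ("posted", accounts[sender], msg.get_body().get_content().strip())


def new_posting_address(account_id, tokens):
    """Issue (or rotate) the account's secret posting address; the old token dies.
    This is what the advice to change the personalized email every few days does."""
    token = secrets.token_urlsafe(16)
    tokens[account_id] = token
    return f"{account_id}+{token}@{SERVICE_DOMAIN}"


def mta_authenticated(msg):
    """Read the Authentication-Results header (RFC 8601) written by OUR MTA and
    accept only a DKIM or SPF pass whose domain aligns with the From domain.
    The border MTA must strip any Authentication-Results header arriving from
    outside, otherwise an attacker simply writes his own 'pass'."""
    header = msg.get("Authentication-Results")
    if not header:
        return False
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    parts = [p.strip() for p in header.split(";")]
    if parts[0] != MTA_AUTHSERV_ID:          # not written by our trusted MTA
        return False
    for clause in parts[1:]:
        fields = clause.split()
        if not fields:
            continue
        props = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        if fields[0] == "dkim=pass" and props.get("header.d", "").lower() == from_domain:
            return True
        if fields[0] == "spf=pass" and props.get("smtp.mailfrom", "").lower().rpartition("@")[2] == from_domain:
            return True
    return False


def hardened_handler(raw, tokens, accounts=ACCOUNTS):
    """Hardened: the recipient address must carry the account's current secret
    token, and From is only believed when the MTA authenticated its domain.
    Knowing the victim's login email is no longer enough to post."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    local, _, domain = parseaddr(msg["To"])[1].rpartition("@")
    account_id, _, token = local.partition("+")
    if domain.lower() != SERVICE_DOMAIN or not token:
        return ("rejected", "no posting token", None)
    expected = tokens.get(account_id)
    if expected is None or not hmac.compare_digest(token.encode(), expected.encode()):
        return ("rejected", "bad or rotated token", None)
    sender = parseaddr(msg["From"])[1].lower()
    if accounts.get(sender) != account_id or not mta_authenticated(msg):
        return ("rejected", "sender not authenticated", None)
    return ("posted", account_id, msg.get_body().get_content().strip())


def demo():
    """Walk through the attack and the defence; returns the five outcomes."""
    tokens = {}
    posting_addr = new_posting_address("victim", tokens)
    # 1. Attacker forges From: victim and mails the public group address.
    spoofed = build_message(VICTIM_LOGIN, f"somegroup@{SERVICE_DOMAIN}", "pwned")
    naive = naive_handler(spoofed)                       # posted as the victim
    hard_no_token = hardened_handler(spoofed, tokens)    # rejected: no token
    # 2. Attacker has even learned the personalized address, but cannot make
    #    the MTA authenticate example.com for him.
    hard_no_auth = hardened_handler(build_message(VICTIM_LOGIN, posting_addr, "pwned"), tokens)
    # 3. The owner mails from the real account; the MTA recorded dkim=pass.
    legit = build_message(VICTIM_LOGIN, posting_addr, "hello from my phone",
                          auth_results=f"{MTA_AUTHSERV_ID}; dkim=pass header.d=example.com; "
                                       "spf=pass smtp.mailfrom=example.com")
    hard_ok = hardened_handler(legit, tokens)
    # 4. Rotating the posting address invalidates mail to the old one.
    new_posting_address("victim", tokens)
    hard_rotated = hardened_handler(legit, tokens)
    return naive, hard_no_token, hard_no_auth, hard_ok, hard_rotated


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Run it and the first line shows the naive receiver posting "pwned" on the victim's behalf from a message anyone could have sent; the hardened receiver rejects the same message twice (no token, then unauthenticated sender), accepts the owner's authenticated mail, and rejects it again once the address has been rotated. The design choice worth noting is that the secret token and the authentication check are independent: the token protects against strangers who only know your login email, while domain-aligned DKIM/SPF protects against a friend who has also learned the personalized address.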

Be Secure.

Happy Hacking.

Special thanks to Shavik and Sai Satish of AH. :)

Aditya Gupta

Email me:


  1. Simply a great post...
    I thought till now my FB a/c was safe ;)

  2. Leave aside email spoofing.

    If you can achieve SMS spoofing, you can update your status, add/remove friends and join/unjoin communities/pages.

    The procedure would be the same as that of email forging.

    The SMS number is just one number that is used by Facebook across all places, and the sender's number will be the registered mobile number.

  3. Good one.
    Will do these steps for security.

  4. OMG!!! Really a useful piece of info!! Superb! Thanks... will try implementing it.

  5. Very helpful article. Kudos, adi! :) Two thumbs up ;-)

  6. Great job man, highly appreciable work.
    Happy hacking.
    Really, you are a geek.