Real Facebook Hacker - Account Without Password


11 Ways to Hack a Facebook Account Without a Password Developed by Hackers

It's one of the most frequently asked questions on the Internet: "How do I hack Facebook?" The desire to hack into someone's Facebook account exists in many of us, but it is not an easy task, at least for a novice hacker to undertake.

A plethora of websites exist on the Internet where you can find a variety of tools and methods for hacking Facebook, but the majority of them are fake, and the remaining methods necessitate the use of specialized technical knowledge. Please be cautious when using hacking tools, as the vast majority of them will actually hack your Facebook account rather than the target user's.

If someone is able to hack into a Facebook account, it indicates that there is a security vulnerability affecting the social media platform. They can resell it on the black market for millions of dollars if they do so illegally. If they legitimately report the vulnerability through a bug bounty program, they can gain instant celebrity and receive thousands of dollars in compensation.

What do they stand to gain by disseminating the method online, especially for free? What do they get in exchange for developing a free tool or software that is based on it? There is absolutely NOTHING.

As a result, all of the free hacking tools available on the Internet are forgeries. You shouldn't waste your valuable time looking for such hacking tools!



If all Facebook hacking methods necessitate technical expertise, how is it that such a large number of people have their accounts compromised?

It is possible to perform some methods, such as phishing, with relative ease by utilizing the resources available on the Internet. You can find out more about such Facebook hacking methods on the internet.

Also, read about how Facebook rewarded me with $10,000 USD for exploiting a security vulnerability in the Facebook mobile app to hack into private photos.

A thief will not always enter your home through the door. In the same way, a hacker may not always need your password to gain access to your Facebook account. In fact, most of the time a hacker does not need a password at all. It sounds strange, doesn't it? It would, unless you are a hacker.

Hackers are not magicians, and they do not rely on tricks to get the job done. They do it the hard way: day and night, they search for security vulnerabilities that affect the Facebook platform. Once they have found one, hacking into an account is not difficult.

Our discussion today will center on some Facebook hacking techniques that were discovered through a bug bounty program and could have allowed anyone to hack into any Facebook account WITHOUT a password. Please keep in mind that the Facebook team has patched all of the methods listed here, and they are no longer functional. However, you will gain an understanding of the fundamentals of how hackers could compromise an account without knowing the actual password. To learn more about each method, click on the link provided in each method description.

1. Using a mobile SMS, you can hack into any Facebook account.

This vulnerability could allow a user to hack into a Facebook account in a matter of seconds if they take advantage of it. All you need is a mobile phone with a working number. There was a vulnerability in the confirm mobile number endpoint, which was used by users to verify their mobile number.

The exploit for this vulnerability is extremely simple. The first step is to send a text message in the following format.

Text the word FBOOK to 32665 (for the US).

You should be provided with a shortcode. Afterwards, a request to the Facebook server with the target user ID, shortcode, and a few other parameters might be sufficient to accomplish the task.

Sample Request

    POST /ajax/settings/mobile/confirm_phone.php
    Host: www.facebook.com

    profile_id=<target_user_id>&code=<short_code>&other_boring_parameters

That's all there is to it. Sending this request to the Facebook server, along with any user cookies, has the potential to compromise the target account. Once you receive a response from the Facebook server, your mobile number will be associated with the target user's Facebook account. You can now easily hack into the target account by initiating a password reset request using the mobile number that was provided.

Jack discovered this flaw in 2013 and reported it to the appropriate authorities. The Facebook security team was able to patch the problem relatively quickly, and he was subsequently awarded $20,000 USD as part of their bounty program.

2. Using a Brute Force Attack, you can hack any Facebook account.

This brute force vulnerability, which was discovered by Anand in 2016, allows for complete control of a Facebook account. As part of their bug bounty program, Facebook compensated him with $15,000 in cash.

This vulnerability was discovered on the Facebook reset password endpoint. A user who has forgotten his or her password can use this feature to recover it by entering his or her phone number or email address in the appropriate fields.

A six-digit code will be sent to the user in order to verify that the request was made by the intended recipient of the code. The user can then reset their password by inputting the six-digit verification code that was provided to them.

Because the Facebook server will temporarily disable the account's ability to reset its password, it is not possible to try different combinations of the code more than 10 to 12 times.

Anand discovered that mbasic.facebook.com and beta.facebook.com did not perform this brute force validation, which allowed an attacker to attempt all possible combinations of the six-digit code.

Sample Request

    POST /recover/as/code/
    Host: mbasic.facebook.com

    n=<6_digit_code>&other_boring_parameters

An attacker can set a new password for any Facebook user by trying all of the possible values for the six-digit parameter (n=123456). This is known as brute forcing. This can be accomplished using any brute force tool that is readily available online.

Facebook addressed this vulnerability by imposing a limit on the number of times a user could attempt to access the reset code endpoint in a given period of time.

3. Using a Brute Force Attack, you can hack any Facebook account.

This year, Arun discovered the same brute force vulnerability in a different subdomain of Facebook (lookaside.facebook.com) that had earned him a $10,000 reward from Facebook in 2016.

In the beginning, they rejected the bug by claiming that they were unable to reproduce it on their end. After only a few weeks, the vulnerability was acknowledged, and the patch was released as soon as their security team was able to reproduce the problem and certify it as fixed.

The following is an example request:

    POST /recover/as/code/
    Host: lookaside.facebook.com

    n=<6_digit_code>&other_boring_parameters

The attack scenario is identical to that which we saw in the previous method, with the only difference being the domain name used in the attack.
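The fix described for methods 2 and 3 only holds if the attempt limit is enforced in one place for every hostname. The sketch below is an added example, not Facebook's code: the class name, the 15-minute code lifetime and the one-hour lockout window are assumptions, and the host labels stand for the subdomains named above. The failure counter is keyed by account, so no front end gets its own budget.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 10            # the page cites a lockout after 10 to 12 wrong codes
CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset code
LOCK_SECONDS = 60 * 60       # assumed length of the lockout window


class ResetCodeGuard:
    """Reset-code state shared by every front-end host (hypothetical class)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}      # account_id -> (code, expires_at)
        self._failures = {}   # account_id -> (count, window_start)

    def issue(self, account_id):
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[account_id] = (code, self._clock() + CODE_TTL_SECONDS)
        return code           # re-issuing a code does not clear the failure count

    def _failures_in_window(self, account_id):
        count, start = self._failures.get(account_id, (0, self._clock()))
        if self._clock() - start >= LOCK_SECONDS:
            self._failures.pop(account_id, None)
            return 0, self._clock()
        return count, start

    def verify(self, account_id, submitted, host):
        # `host` is kept for logging only. The counter is keyed by account,
        # so www, mbasic, beta and lookaside all draw on the same budget.
        count, start = self._failures_in_window(account_id)
        if count >= MAX_ATTEMPTS:
            return "locked"
        code, expires = self._codes.get(account_id, (None, 0))
        if code is None or self._clock() > expires:
            return "no_active_code"
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._codes[account_id]
            self._failures.pop(account_id, None)
            return "ok"
        self._failures[account_id] = (count + 1, start)
        return "wrong_code"


def simulate_host_rotation(guard, account_id, real_code):
    """Constructed test client that spreads wrong guesses across hostnames."""
    hosts = ["www", "mbasic", "beta", "lookaside"]
    results = []
    for i in range(MAX_ATTEMPTS + 3):
        guess = f"{i:06d}" if f"{i:06d}" != real_code else "999999"
        results.append(guard.verify(account_id, guess, hosts[i % len(hosts)]))
    # Once locked, even the correct code is refused until the window ends.
    results.append(guard.verify(account_id, real_code, "mbasic"))
    return results
```

With ten guesses allowed against a million possible codes, a locked-out guesser has at most a 1 in 100,000 chance per window, whichever hostname the requests arrive on.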

4. Using a Cross-Site Request Forgery Attack, you can hack any Facebook account.

To complete the hacking attack, the victim must navigate to a website link (in a browser in which the victim should be logged into Facebook) and click on a link that appears on the page.

Those of you who are unfamiliar with cross-site request forgery (CSRF) attacks can learn more about them here.

The flaw was in the endpoint used to claim an email address on Facebook. When a user claimed an email address, the server did not validate which user was making the request, so an email address could be claimed on any Facebook account.

Before you can create a CSRF attack page, you must first obtain the email claim URL. In order to accomplish this, try to change your email address to one that is already associated with a Facebook account. Then, if the email address is yours, you will be asked to confirm that it is yours.

When you click on the claim button in a popup window, you should be redirected to the URL we specified.

The URL should look something like this:

https://www.facebook.com/support/openid/accept_hotmail.php?appdata=%7B%22fbid%22%3A%22&code=<code>

You now have access to the URL. The final step is to create a page on which we will embed the URL in an iframe and send it to the victim of the attack.

Once the victim navigates to the URL, the attacker's email address will be associated with the victim's Facebook account. That's all there is to it. You can now gain access to a victim's Facebook account by using the reset password feature.

Dan Melamed discovered this cross-site request forgery (CSRF) account takeover vulnerability in 2013 and the Facebook security team patched it immediately.

5. Using CSRF, you can hack any Facebook account – 2

This hacking technique is similar to the previous one in that it requires the victim to visit the attacker's website in order for the attack to be successful.

This vulnerability was found in the contact importer endpoint. When a user grants Facebook permission to access their Microsoft Outlook contact book, a request is sent to the Facebook server, which in turn adds the email address to the user's Facebook account.

This can be accomplished by using the Find contacts feature in the attacker's Facebook account. You should then be able to locate the following request made to the Facebook server (use an intercepting proxy such as Burp):

https://m.facebook.com/contact-importer/login?auth_token=

The same GET request can be used to carry out the CSRF attack. To do so, simply embed the URL in an iframe on the attack page and provide the victim with a link to the attack page.

As soon as the victim navigates to the attack page, the victim's account can be compromised.

The bug was discovered by Josip in 2013 and fixed by the Facebook security team.
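Methods 4 and 5 both worked because a URL created in one account was accepted when loaded in another account's session. The sketch below is an added example, not Facebook's code, of the server-side check that closes this: the claim token names the user who started the claim, and the handler accepts it only on a POST carrying that session's CSRF token and only when the logged-in user matches. The key, function names, token layout and 10-minute lifetime are assumptions.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # placeholder; load a real key from a secret store
CLAIM_TTL_SECONDS = 600               # assumed lifetime of a claim link


def _mac(*fields):
    return hmac.new(SERVER_KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def _same(a, b):
    # Constant-time comparison on bytes, safe for any input string.
    return hmac.compare_digest(a.encode(), b.encode())


def csrf_token_for(session_id):
    """Per-session anti-CSRF token; a cross-site page cannot read it."""
    return _mac("csrf", session_id)


def issue_claim(user_id, email, now=None):
    """Created when user_id starts an e-mail claim; the token names that user."""
    if "|" in user_id or "|" in email:
        raise ValueError("separator not allowed in fields")
    expires = str(int(time.time() if now is None else now) + CLAIM_TTL_SECONDS)
    return "|".join([user_id, email, expires, _mac("claim", user_id, email, expires)])


def accept_claim(session, request, now=None):
    """Return 'ok' only if the logged-in user is the one who started the claim."""
    now = int(time.time() if now is None else now)
    if request.get("method") != "POST":
        return "bad_method"        # state changes are never served on GET
    if not _same(request.get("csrf", ""), csrf_token_for(session["id"])):
        return "bad_csrf"
    parts = request.get("claim", "").split("|")
    if len(parts) != 4:
        return "bad_token"
    user_id, email, expires, sig = parts
    if not _same(sig, _mac("claim", user_id, email, expires)):
        return "bad_token"
    if now > int(expires):         # safe to parse: the signature covers it
        return "expired"
    if user_id != session["user_id"]:
        return "wrong_user"        # the check the page says was not performed
    return "ok"
```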

6. Hacking any actions on a Facebook account (using a CSRF bypass)

This cross-site request forgery vulnerability allows the attacker to completely take over the victim's Facebook account, as well as perform any actions on the victim's Facebook account anonymously, such as liking a page or posting a photo, without having to hack into the account itself.

The ads manager endpoint was prone to this vulnerability. The following is an example of a CSRF request for account takeover:

POST /ads/manage/home/?show_dialog_uri=/settings/email/add/submit/?new_email=<attacker_email>

All that is required of the attacker is the creation of a CSRF page with a form that will automatically submit the post request in an iframe when the victim lands on the page when the attack is launched. The email address of the attacker will be added to the victim's account in an anonymous manner.

The attacker can then gain access to the victim's Facebook account by resetting the victim's password.

This was discovered by Pouya Darabai in 2015, and he was awarded a $15,000 bounty through the Facebook bug bounty program for his discovery.

7. Gain access to any Facebook page without having to be an administrator.

Arun discovered this Facebook page hacking method in 2016, and he was awarded a reward of $16,000 USD for his discovery.

The business manager endpoint, which was used to assign a partner in this instance, was vulnerable. When Arun changed the partner business asset ID parameter to a page ID, he gained access to any page on the network.

Sample Request

    POST /business_share/asset_to_agency/
    Host: business.facebook.com

    parent_business_id=<business_id>&agency_id=<business_id>&asset_id=<target_page_id>

The business ID parameter should be set to the attacker's business ID, and the asset ID parameter should be set to the ID of the target Facebook page, as shown in the sample request above.

That's all there is to it. The target page should now be under the control of the attacker's business. The attacker can remove the existing page admins from their positions in order to completely take over the Facebook page they are targeting.

8. Hacking into a Facebook user's private photos.

During the bounty program, I discovered a vulnerability that allowed access to private photos, for which I was awarded a reward of $10,000.

First of all, what do I mean by "private photos"? When I say "private photos," I'm referring to photos that you have stored on your mobile device and have not yet been shared on Facebook.

Syncing mobile photos is a feature that comes pre-installed on the mobile app. It's interesting to note that this feature was enabled by default in some cell phones.

When you use this feature, Facebook uploads your mobile photos to their servers, but they remain private until you manually publish them on Facebook.

Because of a vulnerability in an endpoint that handles these private photos, any third-party app could view or access the user's private photos. In order for this attack to be successful, the third-party app must first have access to the user's public photos, and only then will it be able to access the user's private photos.

This is an example of a request to the Graph API to gain access to the victim's private photos.

    GET /me/vaultimages
    Host: graph.facebook.com

    access_token=<victim_access_token>

That's all there is to it. The URLs to the victim's private photos should be returned as part of the response from the API endpoint.

Facebook fixed the problem by whitelisting the applications that were allowed to access the vaultimages endpoint.

9. Hacking any Facebook user's photos.

In 2013, Arul Kumar discovered a way to delete any photo from Facebook, and the company rewarded him with a $12,500 reward for his efforts.

If someone wants to have a photo removed from Facebook, there is a feature that allows them to report the photo to the owner. Once a photo has been reported, the owner of the photo will receive a notification with a link to delete the photo.

Arul discovered that the photo reporting feature in the support dashboard wasn't validating the owner IDs properly, which allowed him to replace the owner ID parameter with his own Facebook account ID in order to obtain the photo deletion link directly from the dashboard.

The attacker can then delete the photo with the help of the link he or she obtained from the exploit. The most terrifying aspect of this attack is that the victim will be completely unaware that the photo has been deleted. This vulnerability has been completely remedied at this time.

10. Access any Facebook user's photo/video albums without their knowledge.

I discovered a vulnerability on Facebook in 2015 that allowed me to delete any album on the social media platform. Albums containing thousands of photos and videos can be deleted in an instant, without the owner's knowledge or permission.

An application programming interface (API) is the primary means of communication between the server and native or third-party applications. Because the Albums node of the Graph API endpoint was vulnerable to an insecure object reference, I was able to supply any user's album ID in order to complete the deletion process.

A sample request to delete any Facebook photo album:

    POST /<album_id>
    Host: www.facebook.com

    access_token=<top_level_facebook_access_token>&method=delete

This may result in the deletion of the album specified by the ID parameter. In order for the attack to be successful, the attacker must be granted access to view the album. Facebook fixed this issue by restricting access to the endpoint to only those with appropriate privileges, and they also compensated me with $12,500 USD for reporting the vulnerability.
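Methods 7 and 10 share one root cause: an object ID taken from the request was acted on without checking it against server-side ownership records. The sketch below is an added example, not Facebook's code, showing both checks. The record layout, function names and return codes are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass


@dataclass
class Records:
    """Constructed in-memory stand-in for the ownership data a server would query."""
    business_admins: dict   # business id -> set of admin user ids
    asset_owner: dict       # page (asset) id -> owning business id
    album_owner: dict       # album id -> owning user id
    album_viewers: dict     # album id -> set of user ids allowed to view


def authorize_asset_share(rec, caller_id, parent_business_id, agency_id, asset_id):
    """Check every ID in the request against server-side records."""
    if caller_id not in rec.business_admins.get(parent_business_id, set()):
        return "deny_not_business_admin"
    if agency_id not in rec.business_admins:
        return "deny_unknown_agency"
    # The asset_id is client-supplied: it must already belong to the parent
    # business, otherwise any page ID could be handed to the agency.
    if rec.asset_owner.get(asset_id) != parent_business_id:
        return "deny_asset_not_owned"
    return "allow"


def authorize_album_action(rec, caller_id, album_id, action):
    """View and delete are separate permissions on the same object."""
    owner = rec.album_owner.get(album_id)
    if owner is None:
        return "deny_no_such_album"
    if action == "view":
        viewers = rec.album_viewers.get(album_id, set())
        allowed = caller_id == owner or caller_id in viewers
    elif action == "delete":
        allowed = caller_id == owner   # being able to view never implies delete
    else:
        allowed = False
    return "allow" if allowed else "deny_not_permitted"


# Constructed sample data: u1 runs biz-1, u2 runs biz-2 and owns album-5.
SAMPLE = Records(
    business_admins={"biz-1": {"u1"}, "biz-2": {"u2"}},
    asset_owner={"page-10": "biz-1", "page-20": "biz-2"},
    album_owner={"album-5": "u2"},
    album_viewers={"album-5": {"u1"}},
)
```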

11. Take down any Facebook videos you want.

Pranav discovered a flaw in Facebook's code that allowed him to delete any videos he wanted without asking for permission.

Any post on Facebook can have a video embedded in the comments section. Pranav discovered that it is possible to attach existing videos to a comment, and that deleting the comment may allow us to delete the source video without difficulty.

Consequently, the attacker should attempt to edit an existing comment on a post that contains the ID of someone's Facebook video using the following graph API call.

    POST /<post_id>/comments?attachment_id=<target_video_id>
    Host: graph.facebook.com

The link to the target video should be included in the comment. After that, the attacker must delete the comment in order to remove the source video. If a comment is deleted, the video should be deleted within a few seconds after the comment is deleted.

SPY24 allows you to monitor and record Facebook messages. Spy App for Facebook Messenger that is simple to use

With SPY24, you can gain access to their private Facebook chats, media files, and other personal information.

SPY24 even displays the names of the people with whom they have been chatting on Facebook:

See all of their Facebook conversations in one place.

Take a look at all of the photos and videos they send and receive.

Examine the Facebook profiles of the people with whom they have been chatting.

The Most Effective Method of Secretly Reading Someone's Facebook Messages

When it comes to reading someone's private Facebook messages, SPY24 is unrivaled in the industry. The process works without the need for you to root or jailbreak the target device, which means that you can read their Facebook messages without them knowing about it.

When setting up SPY24 for the first time, it takes no more than about five minutes. After that, you can access their Facebook data at any time using the SPY24 dashboard, which is accessible instantly. The Facebook Monitor can be found on the dashboard page under the 'Social Media Apps' tab, which is accessible from the left-hand navigation bar.

You will have access to as much of their private Facebook data as they have access to themselves. This includes their messages, pictures, videos, and even the people with whom they are interacting on social media. It is as if you were signed into their Facebook account.

All of the messages contain timestamps, which provide you with additional information. SPY24 even displays the Facebook messages and chats that have been deleted by the target.

Look for Red Flags Using the Facebook Monitor from SPY24

The Facebook monitor from SPY24 has the ability to reveal the deepest, darkest secrets about people. As a result, you can use SPY24 to safeguard your loved ones as well as your relationship with them.

It is not necessary to root or jailbreak your device.

There isn't another Facebook monitor that performs as well as this one. It is necessary to root or jailbreak the target device in order for any of the few working Facebook spy apps to function properly. SPY24, on the other hand, can provide you with all of their data without requiring you to root or jailbreak the target device.

Monitor Facebook in a safe and secure manner

When it comes to data security, users are increasingly concerned, as their personal information may be stolen if an app's security is inadequate. As a result, SPY24 employs the most advanced encryption technologies available. It is actually true that SPY24 does not store any of your personal information on its servers at all. It is only visible to you because it is on your computer. Even the members of the SPY24 team are unable to access this information.

Monitoring employees' Facebook activity

Employees' private Facebook messages will reveal what they are saying about your company in general and about your company specifically. You can also find out if they are being scouted by your competitors or if they are involved in any illegal activities by using this information.

Additionally, insider information trading has emerged as a major source of concern for business leaders. It is possible for them to ensure that they are well protected from this threat by utilizing SPY24.

Keeping track of your children's Facebook activity

The importance of using a Facebook monitoring service for parents cannot be overstated. Nowadays, every kid, regardless of their age, has a Facebook account. As a result, parents can use Facebook monitor to ensure that their children are not exposed to any negative influences.

Everyone is aware that Facebook has a large number of online predators operating on the site. There are cyber criminals out there who are looking forward to taking advantage of innocent and vulnerable people, particularly children. Consequently, your child will be protected from them through the use of Facebook monitoring software.

Because of the high level of service that SPY24 provides, millions of users around the world put their trust in the company to protect what is important to them. Become a member of the community today before it's too late!