Facebook hacked - sql injection ???
Facebook, a website estimated at 5 to 10 million US dollars, with 250-1000 employees, ranked number 8 GLOBALLY by alexa.com’s traffic standards, is not capable of securing its database. Millions (LOTS OF MILLIONS) of accounts, email addresses and passwords are up for grabs by anyone. Let me show you a few concrete examples of vulnerable parameters.
Not only is the website vulnerable to SQL injection, but it also allows load_file to be executed, which makes it very dangerous: with a little patience, a writable directory can be found, and by injecting malicious code we get command-line access, with which we can do virtually anything we want with the website: upload PHP shells, redirects, INFECT PAGES WITH TROJAN DROPPERS, even deface the whole website.
But let’s see what else is interesting in the database. Because I was accused of making personal info public, I didn’t concatenate the username, email, and password syntax, but only the userid and session key column along with the date the key was created. If you don’t know what a session key is to Facebook, read http://wiki.developers.facebook.com/index.php/Authorizing_Applications.
Let’s move on to another parameter vulnerable to SQL injection. This time it’s blind SQLi. What is interesting in the image is, firstly, the error, which reveals proof that server data can be accessed from this point.
Let’s see another vulnerable parameter. In the image you see the version of the database software, and the name of table number 55 in the database, which is: users. How could the columns of this table be named other than email and password? You guessed it, they are named like that. To be continued.
Credits URL : http://hackersblog.org/2009/02/04/facebook-hacked-o-baza-de-date-cu-milioane-de-conturi-ce-pot-fi-accesate-de-oricine/
regards,
Hacking Expose! Team
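
A defender-side sketch for the behaviours the post describes (load_file, version and table-name disclosure through a request parameter), added here as an example and not part of the original post: it scans request lines from a web access log for those markers. The signature names, URL paths and sample lines are constructed for illustration and are not a complete rule set.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures for the behaviours named in the post. Names and patterns are this
# example's own choices (assumptions), not a vendor rule set.
SIGNATURES = {
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "version_probe": re.compile(r"@@version|\bversion\s*\(", re.I),
}
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalise(value):
    """Replace SQL inline comments with a space and collapse whitespace,
    so keywords split by comments or padding still match."""
    return re.sub(r"\s+", " ", INLINE_COMMENT.sub(" ", value))

def scan_request(request_line):
    """Return {parameter: [signature names]} for 'METHOD /path?query HTTP/x'."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return {}
    findings = {}
    # parse_qsl percent-decodes once, which is what the application receives
    for name, value in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
        text = normalise(value)
        hits = [sig for sig, rx in SIGNATURES.items() if rx.search(text)]
        if hits:
            findings[name] = hits
    return findings

def scan_log(lines):
    """Return (line, findings) pairs for every request line that matched."""
    return [(l, f) for l in lines if (f := scan_request(l))]

# Constructed sample request lines, not taken from any real log
SAMPLE = [
    "GET /profile.php?id=1042 HTTP/1.1",
    "GET /item.php?id=-1+UNION/**/SELECT+1,version(),3 HTTP/1.1",
    "GET /item.php?id=-1%20union%20all%20select%20load_file(%27/tmp/example%27),2 HTTP/1.1",
    "GET /search.php?q=union+membership+form&page=2 HTTP/1.1",
]

if __name__ == "__main__":
    for line, found in scan_log(SAMPLE):
        print(found, "<-", line)
```

A match on `file_read` or `file_write` also points at the database side: the account the web application connects with should not hold the MySQL FILE privilege.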