How I hacked your unverified Facebook accounts!

Here’s a little write-up on how I was able to delete any unverified account on Facebook. By unverified, I mean accounts that have not yet verified the email address linked to Facebook.
All (or most) of my bugs, across many vendors, have been authentication related; this was no different.

Here is how I did it:

There is (was, now) this sign-up function, which lets you create a new Facebook account. The twist is, when you use a Facebook account that already has an account in Facebook (with its email unverified), the response you get is:

When you click on “Insert the confirmation code instead”, it lets you enter a 5-digit, numbers-only code. Pretty simple, eh?

Let's generate a dictionary from 00000 to 99999:

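#!/usr/bin/env python3

def add_zeros(end, tot):
    # Left-pad `end` with zeros until it is as long as `tot`.
    zeros = ''
    while len(zeros) < (len(tot) - len(end)):
        zeros = zeros + '0'
    return zeros + end

verification_code = 5  # number of digits in the confirmation code
code = ''              # optional fixed prefix (empty here)
# Raw string so the backslashes in the sample path are not treated as escapes.
path = input(r' where do you want to store your dictionary file. eg. D:\derp\foo.txt ')
loop_range = verification_code - len(code)
nines = ''
for i in range(0, loop_range):
    nines = nines + '9'
nine = int(nines)  # highest value to generate, 99999 for 5 digits

fob = open(path, 'w')
for i in range(0, nine + 1):
    j = str(i)
    if len(j) < len(nines):
        j = add_zeros(j, nines)  # keep leading zeros, e.g. 42 -> 00042
    number = code + j + '\n'
    fob.write(number)
fob.close()
print('generated and saved!')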
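
A 5-digit numeric code has only 100,000 possible values, and the fix mentioned in the comments is rate limiting. As an added example (not code from the original post or from Facebook), the sketch below shows a confirmation-code check with a failed-attempt cap beside the uncapped behaviour; the class and function names and the cap of 5 are assumptions.

```python
import hmac
import secrets

CODE_DIGITS = 5    # code length described in the post
MAX_ATTEMPTS = 5   # assumed policy value, not taken from the post


class ConfirmationCode:
    """One pending email-confirmation code with a failed-attempt budget."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, code=None):
        # CSPRNG value, zero-padded so that e.g. 00042 is a valid code.
        # `code` can be supplied only to make tests deterministic.
        self.code = code or f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.max_attempts = max_attempts  # None models the uncapped check
        self.failures = 0
        self.locked = False

    def verify(self, guess):
        if self.locked:
            # A locked code is dead: the user must request a fresh one.
            return False
        if hmac.compare_digest(guess.encode(), self.code.encode()):
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True
        return False


def exhaustive_guessing_succeeds(pending):
    """Try every value 00000-99999 against an in-memory code object."""
    space = range(10 ** CODE_DIGITS)
    return any(pending.verify(f"{n:0{CODE_DIGITS}d}") for n in space)


def guess_success_probability(max_attempts):
    """Residual chance that blind guessing hits one issued code."""
    return min(max_attempts, 10 ** CODE_DIGITS) / 10 ** CODE_DIGITS
```

With the cap, the code is invalidated after five wrong guesses, so even the correct value is rejected afterwards and the residual guessing chance per issued code is 5 in 100,000.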

11 Comments

    • Rate limited, stopped allowing an email which has an unverified account to be added to a verified account. There have been many changes in how unverified accounts work. Also, now they ask to verify any account within a few days after sign up!

  1. I was wondering why you wrote a program to make numbers! You have a built-in option in Burp Suite. It's a waste of time; you are reinventing the wheel.
