This flaw in Facebook allows anyone to manipulate the life event of any user - Hackatrick - Technology With Security

19 November 2015

This flaw in Facebook allows anyone to manipulate the life event of any user

A minor yet interesting bug has been discovered by a security researcher which can be used to  manipulate the life event of any user who has his work status posted on Facebook. Although the bug, uncovered by the independent hacker Sachin Thakuri, is not a technical flaw but it can use to fool people into believing some fake news.

In the proof of concept he manipulated the life event of Mark Zuckerberg.

Here’s the original URL of Mark Zuckerberg’s original life event which says "Started Working at Facebook". and here is the  Manipulated URL which says "Left Job at Facebook"

 So how was he able to do this?

All Thakuri did is took the original URL of Mark Zuckerberg life event: hash=971179541251&pagefilter=3&ustart=1&__mref=message_bubble
..and remove the ustart=1 parameter, which left him with 971179541251&pagefilter=3&&__mref=message_bubble

As the flaw is not yet fixed, I tried to replicate the same in one of my friend's life event.

Here is the original life event post made my friend.

Original life event

And here is the fake life event made by me by manipulating the URL

Manipulated life event

 Thakuri reported this bug to the Facebook security team, but the bug has not been fixed as of yet. Even though this is not a serious or privacy flaw but the gravity of the issue is that on a client side the post appears to come from a valid user and there is no way to figure out that the post has been manipulated and has not been posted by a user.

This can be dangerous as it could be used maliciously by some people in order to fool victims into believing that someone has quit his or her job.