SYSTEM&WEB HACKING: FBPwn : A Cross-Platform Facebook Profile Dumper tool

Monday, September 12, 2011


FBPwn is an open-source, cross-platform, Java-based Facebook profile dumper. It can send friend requests to a list of Facebook profiles and poll for their acceptance notifications. Once the victim accepts the invitation, it dumps all their information, photos and friend list to a local folder. It supports modules that extend its current functionality, and a well-documented Wiki page explains the process of building an FBPwn module, though many prebuilt modules are already available.

All modules work on a selected profile URL (we’ll call him Bob), using a valid authenticated account (we’ll call him Mallory).


AddVictimFriends: Sends friend requests to some or all of Bob's friends. This increases the chance of Bob accepting any future request, once he sees that he and Mallory have common friends.

ProfileCloner: A list of all Bob's friends is displayed, and you choose one of them (we'll call him Andy). FBPwn changes Mallory's display picture and basic info to match Andy's. This makes it more likely that Bob accepts a request from Mallory, because he thinks it comes from Andy. Eventually Bob will realize this is not Andy's account, but by then it is probably too late, as all his info is already saved for offline checking by Mallory.

CheckFriendRequest: Checks whether Mallory is already a friend of Bob and, if so, ends execution. If not, the module tries to add Bob as a friend and polls while waiting for him to accept. The module will not stop executing until the friend request is accepted.

DumpFriends: Accessible friends of Bob are saved for offline viewing. The output of this module depends on other modules: if Mallory is not yet a friend of Bob, the data might not be accessible and nothing will be dumped.

DumpImages: Accessible images (tagged photos and albums) are saved for offline viewing. The same limitations as DumpFriends apply.

DumpInfo: Accessible basic info is saved for offline viewing. The same limitations as DumpFriends apply.

As you can see, the tool can do almost everything that you could do manually with Facebook. People might also use it for malicious purposes, such as cloning a Facebook profile. In addition to reading the official Facebook security guide, you should avoid accepting friend requests from unknown people.
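A defender-side check for the two lures described above (ProfileCloner and AddVictimFriends), added here as an example and not part of FBPwn or the original post: it flags a friend request that duplicates an existing friend's name and picture, or whose mutual friends were nearly all added just before the request. The record layout (`id`, `name`, `pic_hash`, `mutual_since`, `sent`), the thresholds and the sample data are assumptions constructed for illustration.

```python
import unicodedata
from datetime import date, timedelta

def norm(name):
    """Fold case, accents and spacing so near-identical display names compare equal."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return " ".join(s.casefold().split())

def review_request(req, friends, burst_days=14, burst_ratio=0.8):
    """Return a list of warning strings for an incoming friend request."""
    flags = []
    # Signal 1: a different account reusing an existing friend's identity.
    for f in friends:
        if f["id"] == req["id"]:
            continue
        same_name = norm(f["name"]) == norm(req["name"])
        same_pic = f["pic_hash"] == req["pic_hash"]
        if same_name and same_pic:
            flags.append(f"clone of existing friend {f['id']} (name and picture)")
        elif same_name:
            flags.append(f"same display name as existing friend {f['id']}")
    # Signal 2: mutual friends that nearly all connected shortly before the request.
    mutual = req["mutual_since"]  # {friend_id: date the requester became their friend}
    if mutual:
        cutoff = req["sent"] - timedelta(days=burst_days)
        recent = sum(1 for d in mutual.values() if d >= cutoff)
        if recent / len(mutual) >= burst_ratio:
            flags.append(f"{recent}/{len(mutual)} mutual friends added in the last {burst_days} days")
    return flags

# Constructed sample data (hypothetical accounts and hashes).
FRIENDS = [
    {"id": "andy.1", "name": "Andy Example", "pic_hash": "a1b2"},
    {"id": "carol.7", "name": "Carol Sample", "pic_hash": "c3d4"},
]
REQUEST = {
    "id": "mallory.9", "name": "andy  EXAMPLE", "pic_hash": "a1b2",
    "sent": date(2011, 9, 12),
    "mutual_since": {"carol.7": date(2011, 9, 10), "dave.3": date(2011, 9, 8)},
}

if __name__ == "__main__":
    for warning in review_request(REQUEST, FRIENDS):
        print("WARNING:", warning)
```

Either flag is a reason to confirm the request with the real friend through another channel before accepting.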
