Archive for hacking
FaceBook Hacking: View Everyone’s Private Photos
We’ve all done it. We’ve all accidentally used social networking websites to spy on other people and/or collect photos of really cute girls! You start surfing the Internet with the best intentions, but somehow you end up in one of those want-to-know-even-I’m-dying curious states and wake up having collected information and photos like a digital stalker. Doing this kind of thing is almost a rite of passage for the computer-freak male. There’s no shame in that.
That being said, very few of us have stalked and stolen information about cute girls for the sake of nothing. There must be something behind it: you want to keep an eye on your girlfriend or wife (that means you’re one hell of a possessive guy), want to do information gathering on your new date (that means you’re immature) or even just love to collect pretty girls’ photos for your own needs (that means you’re either a freak, a stalker, or anti-social). I will be honest. I may be a member of those clubs, but it’s up for debate. Let me explain:
It started a few days ago, when Whindy Yoevestian (my book’s editor) told me over the phone that FaceBook is indeed one of the best-selling book topics in Indonesia, while my girlfriend was busy playing with her BlackBerry, opening FaceBook and gossiping there! LoL! I felt lost – it was really like I was in the middle of nowhere and I didn’t know a thing about FaceBook, which everybody always talked about! So, I decided to make my move!
I registered myself on FaceBook, added several people, did a little surfing inside – looking for any good applications and games to play with – and found that I might use FaceBook to see my ex-girlfriend’s photos! I wondered what she looks like now (really, just wondering). I searched for her name using the search box located on the top-right side of the FaceBook home index page and I found her – it took no more than 3 seconds.
Damn! I could not lay my eyes on her photos, because FaceBook does not allow me to see any of her profile information and/or photos when I’m not in her friend list. Now I was getting bored! By coincidence, a friend of mine asked me to comment on her brand new album on FaceBook! She gave me the URL to her album – and the URL looked just like this:
http://www.facebook.com/album.php?aid=161512&id=987654321
Hey, wait a moment, doesn’t that mean I can do something, since people can easily see other users’ IDs when they search for them through the search box? I looked up my ex-girlfriend’s profile again by search and found that when you click the “View Friends” link, FaceBook points you to this URL:
http://www.facebook.com/friends/?id=123456789
Then I noticed that the id= variable might be the key to someone’s individual profile number. I tried putting my friend’s ID (which actually was 987654321) into the “View Friends” URL format and pressed Enter! Bingo! I saw my friend’s friends now! That means this id= variable is the ID for every user’s profile number. But wait! What is the aid= variable used for? Again, I surfed for quite some time and found that the aid= variable is something like 5 or 6 random numbers.
Hmm, looks tough; I could only think of a bruteforce attack! I won’t bruteforce their passwords or anything (since I do not even know the emails they use to log in), but I will bruteforce the URL instead! Yup! Imagine that your victim’s id= variable is 981676553 but you know nothing about his/her aid= variable; isn’t it easy to use software which can try URLs from http://www.facebook.com/album.php?aid=00000&id=981676553 to http://www.facebook.com/album.php?aid=999999&id=981676553 and determine which ones are valid links and which are not? Hehehe! In this case, I picked WebSlayer as my favorite tool to do the job!
Just download it here!
Now, as I opened my WebSlayer application, I was faced with the Attack Setup tab page, where I needed to fill in information about my targeted website – I put http://www.facebook.com/FUZZ as the victimized URL (the word FUZZ is a kind of command for the application that says that part is the one to be bruteforced):
What I did next was set my pattern of fuzzing (guessing) from the Payload Generator – I really love to use the Range one, although the file and permutation types are also good! I put in the range and the pattern, and generated it! When you have done all those things, you should see exactly the same look as this picture:
Then go back to the Attack Setup tab, select Payload as your Payload type, import the Fuzz from Generator and click on the “Start Attack” button! What you will see next is this kind of picture:
Look at the bruteforced URLs up there! The ones highlighted in light brown are the valid links! Try opening those URLs and you’ll be able to see my friend’s albums (2 of them), but when you try the non-highlighted URLs you’ll find that those contents are not available at the moment (FaceBook will say that). Hehehe!
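Seen from the server side, the run described above leaves a distinctive trace: one client requesting many different aid= values for a single id= and being told "not available" for most of them. The following Python sketch is an added example, not part of the original post; the log line format, the thresholds and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

def parse_line(line):
    """Parse an assumed 'client METHOD url outcome' line; None if not an album hit."""
    fields = line.split()
    if len(fields) != 4:
        return None
    client, _method, url, outcome = fields
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.path != "/album.php" or "aid" not in query or "id" not in query:
        return None
    return client, query["id"][0], query["aid"][0], outcome == "served"

def find_album_enumeration(lines, min_distinct=20, max_hit_ratio=0.25):
    """Flag (client, owner id) pairs that probe many album ids and mostly miss."""
    seen = defaultdict(dict)                      # (client, owner) -> {aid: served?}
    for line in lines:
        record = parse_line(line)
        if record:
            client, owner, aid, served = record
            seen[(client, owner)][aid] = served
    alerts = []
    for (client, owner), aids in seen.items():
        hits = sum(aids.values())
        if len(aids) >= min_distinct and hits / len(aids) <= max_hit_ratio:
            alerts.append({"client": client, "owner": owner,
                           "distinct_aids": len(aids), "served": hits})
    return alerts

def sample_log():
    """Constructed sample lines (documentation IP ranges), not real traffic."""
    lines = []
    for aid in range(100000, 100060):             # one client walking a range
        outcome = "served" if aid in (100017, 100042) else "unavailable"
        lines.append(f"203.0.113.5 GET /album.php?aid={aid}&id=111 {outcome}")
    for aid, owner in ((161512, 222), (161513, 222), (300001, 333)):
        lines.append(f"198.51.100.9 GET /album.php?aid={aid}&id={owner} served")
    lines.append("198.51.100.9 GET /friends/?id=222 served")
    return lines

if __name__ == "__main__":
    for alert in find_album_enumeration(sample_log()):
        print(alert)
```

Only the client that walks the range is flagged; the ordinary visitor, who opens a few albums that are all served, stays below both thresholds.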
I used it on my ex-girlfriend’s profile, and while doing more research on it (plus reading other people’s information too), I found out that there were tons of easier ways to do it, with better accuracy and faster results! So I worked my way through those ways and voilà, I was able to view all my ex-girlfriend’s photos within no more than 3 minutes of waiting! Hehehe!
NB: I won’t tell you guys how to do it the faster and easier way, but I will tell you, it’s not that hard and it’s real! If you want to know more about this kind of stuff, please try it yourself before asking! I know you guys can do it! And if you’re about to ask me how to steal people’s accounts, believe me, phishing attacks are still the best; especially when they’re mixed with several XSS which are still left unfixed around FaceBook applications and PHP scripts.
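The album lookup in this post succeeds because the page is served to anyone who supplies a valid aid=/id= pair. As an added example (not code from the original post or from FaceBook; the data model and function names are hypothetical), this Python sketch puts that behaviour beside a handler that authorizes on the viewer's relationship to the owner and answers identically for missing and forbidden albums.

```python
from dataclasses import dataclass, field

@dataclass
class Album:
    aid: int
    owner_id: int
    visibility: str = "friends"                  # "friends" or "everyone"

@dataclass
class Store:
    albums: dict = field(default_factory=dict)   # (owner_id, aid) -> Album
    friends: dict = field(default_factory=dict)  # user id -> set of friend ids

    def are_friends(self, owner_id, viewer_id):
        return viewer_id in self.friends.get(owner_id, set())

NOT_AVAILABLE = (404, "content not available")

def get_album_unchecked(store, viewer_id, owner_id, aid):
    """The behaviour the post describes: any valid (aid, id) pair is served."""
    album = store.albums.get((owner_id, aid))
    return (200, album) if album else NOT_AVAILABLE

def get_album(store, viewer_id, owner_id, aid):
    """Authorize on who the viewer is, not on whether they know the ids."""
    album = store.albums.get((owner_id, aid))
    if album is None:
        return NOT_AVAILABLE
    allowed = (viewer_id == owner_id
               or album.visibility == "everyone"
               or store.are_friends(owner_id, viewer_id))
    # Same reply for "no such album" and "not permitted", so the response
    # does not reveal which aid values exist.
    return (200, album) if allowed else NOT_AVAILABLE

def demo_store():
    """Constructed data: owner 987654321 has one friends-only album."""
    store = Store()
    store.albums[(987654321, 161512)] = Album(161512, 987654321)
    store.friends[987654321] = {555}
    return store

if __name__ == "__main__":
    s = demo_store()
    print(get_album_unchecked(s, 123456789, 987654321, 161512)[0])  # stranger is served
    print(get_album(s, 123456789, 987654321, 161512)[0])            # stranger is refused
```

With the check in place, guessing aid= values gains nothing: the identifiers stop acting as the secret, and a stranger gets the same reply for every value.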
Special thanks go to Zealtous; without his Windows operating system this article wouldn’t exist!
Th0R – http://www.th0r.info
Th0R.info got Hacked?!
Wohoo! I’m so damn surprised, not because of the claim from one of the members of AntiHackerLink (which used to be a notorious Indonesian hackers community), but because of their pure stupidity! Hahaha! Sorry for being blunt here, but I really am laughing even now! In order for you to understand what it’s all about, please feel free to read their article, which claimed to hack Th0R.info’s Admin Control Panel, here!
And here is the screen-shot given by v3n0m:
What is so funny about it? Hehehe! Please feel free to compare the picture Mr. v3n0m gave you and this one (which was taken from the real Control Panel as an Administrator):
Did Mr. v3n0m get all the Administrator’s options? Or did he just get the right to read things? Because I can’t see any of the Administrator’s options on his screen-shot, yet he claims to have hacked my blog? I guess he’s the most super-almighty hacker to ever exist on earth! All hail Mr. v3n0m! Hahaha!
The only thing he ever did on my Blog was register through the registration link (which can be accessed by any reader of my Blog) and take a print screen of it – then he claimed to have hacked into my Control Panel, although it is in fact a User’s Control Panel! Now, isn’t that funny? Because if that’s called hacking, then every reader of mine is already hacking into my blog, every single day! o.O
NB: Perhaps he just wants the attention; let’s give him some!
Th0R – http://www.th0r.info
Anti-Sec movement
I got this message from http://seclists.org/; it said the anti-sec mayhem will publish OpenSSH <= ver 5.2 exploit code within the next 48 hours, starting from 20 July 2009 16hrs.
The anti-sec movement is dedicated to the eradication of full disclosures. I am not sure why http://imageshack.us got hacked recently, since as far as I am aware imageshack.us has nothing to do with full disclosures. Is the anti-sec movement doing that for publicity? Well, I don’t know. And here’s the message on the list:
Dear Reader,

In 48 hours, the anti-sec movement will publicly unveil working exploit code
and full details for the zero-day OpenSSH vulnerability we discovered. It
will be posted to the Full-Disclosure security list.

Soon, the very foundations of Information Technology and Information
Security will be unearthed as millions upon million of systems running ANY
version of OpenSSH are compromised by wave after wave of script-kiddie and
malicious hacker.

Within 10 hours of the initial release of the OpenSSH 0-day exploit code,
anti-sec will be unleashing powerful computer worm source code with the
ability to automatically find and compromise systems running any and all
versions of OpenSSH.

This is an attack against all White Hat Hackers who think that running a
Penetration Test simply searching for known vulnerabilities is all they have
to do in order to receive their payment. Anti-sec will savor the moment when
White Hat Hackers are made to look like fools in the eyes of their clients.

Sincerely,
-anti-sec
Well, no comment ..








