A way to collect facebook hashes

After investigating on a link from a Facebook app, I found that the link is bitly shortened link. So, I expanded it, and I found this.

The referring links from Facebook contains Facebook hashes.
These hashes are one of the way Facebook uses to identify whether a user should following the link or not.

The mechanism, which I try to make sense of, is something like this:

 - Everyone will be assigned a hash for themselves for a day (or a session, I'm not sure.)
 - This hashes will be attached to every links that person sees on Facebook, in their session.
 - The hash is the same for every links. (only in his eyes)
 - If that person copies the link to his friends, that hash will be copied also. In a format like this:[whatever URL]&h=[hash]
 - if his friends try to open the link, Facebook will redirect it to the targeted URL immediately, without warning.
 - but if his friends send the same link to other people (not related to the first person) without changing the hash,  when that person opens the link, Facebook will show popup.

 the weakpoint is, if an attacker sends a link to target, containing a hash from one of target's close friends. Facebook will redirect to a malicious website without any warning.

I am at this point, not yet to think about the practical use of this scenario, but I'm sure there'll be one.


  1. You're a bit too slow on that one.
    I found this quite a while ago and actually found this post you've made simply by searching for my own exploit.
    Read more about it here:

    It's the same basis as yours, except I knew what to do with it and I also found it before you.
    It was reported to facebook, but since they're too stupid to actually investigate properly, I released it because I wanted it patched. The only way left to get their attention was to release it and let the damage scare them into patching it.
    So far my script has been logged to have crafted over 8000 hashes. I also have reports of my hacking buddies using it to infect people in massive groups using it.
    Enjoyed the read.

  2. @KILLM3 Thanks for the share. I actually enjoyed reading it. :D