Facebook Hacked by the Ghost of Facebook (Roy)

Roy or as he is also known as the Ghost of facebook discovered several security holes on facebook. One of these flaws was a XSS cross-site Scripting flaw. It appears that in an aim to make facebook aware of the risk exposed by one of these security issues ( which was the XSS Cross-site scripting flaw), he exploited this security flaw in by placing a message letting facebook users all over the world know he was “Off to Danao City”.

All the facebook members that received this message could not delete it or block Roy because Roy was not in their list of friends. This security flaw in facebook allowed Roy to contact a large number of facebook members that he did not have access to.

This security flaw should be a wakeup call to facebook because, because Roy may have drawn their attention to this security flaw by his actions, but what if this security flaw had been exploited by a cybercriminal with malicious intent towards the users of face book. Facebook has been lucky here because Roy has proven to them that if they don’t keep on top of their Internet Security is possible for someone to gain access to thousands of facebook users.

According to xssed.com a new XXS flaw was found on Facebook on January 28 2011. They report that this vulnerability leaves users at risk of scripting attacks and logins phishing. So is this the same XXS flaw that allowed Roy access. If this is the same flaw that Roy access then why did it take facebook 13 day to take action, and why did they have to be forced into taking action by Roy. We have found several sites on the internet reporting this XSS vulnerability in Facebook another example is Bkis Global Task Force Blog who reported this flaw on the 28 Jan 2011.

The action that Roy took to draw face books attention to this security hole was not correct, but its so sad to say that in today’s world it is one of the most effective way of getting people to Improve their Internet security. By this comment we are pointing out that a large percentage of website owners do not take the necessary action to ensure that their website are secure, even when vulnerabilities and security alerts are published. These type of people only take action after it becomes public knowledge that their website has been hacked. It’s so hard to say who is right and wrong in these situation because there is no proper laws in place to force website owners to have a basic level of security in place.
I do not condone hackers who exploit website just to force the owners to put correct security in place, but should we prosecute the hacker and not the website owner. We need laws and regulations in place to ensure website owner take correct action to protect their websites and users by having an acceptable level of security in place as well as forcing them to prove that they are taking necessary steps to keep their security up to date.


The fact of the matter is that Roy did not hack Facebook, he simply access facebook through an open door (a security hole). The most shocking part of all the so call big hack that are know about in the media is that most were not hacks, they were simply people access systems through open door (security holes/flaws) and which gave them access to the system. 99% of all hacking can be prevented by simply keeping your system up to date and running regular security issue.

What is a XSS Cross-Site Scripting attack?
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.




4 thoughts on “Facebook Hacked by the Ghost of Facebook (Roy)

  • February 13, 2011 at 7:20 pm

    Thank you, I just trying to inform about the security hole I got, as a Facebook fanatic, I reported the flaw to make a better security.


  • February 13, 2011 at 9:03 pm

    It is so sad to say that this type of action is the only successfully way to force some website owners into fixing know security holes in their applications. Until the day comes when Governments around the world pass laws forcing website owners to take the security of their website and the security of their uses/customer more seriously the internet will never be a safe place.
    From a professional point of view what you did was wrong, but there are millions of facebook users out there who will see you as a hero because your actions have forced facebook to improved the security to protect the private data and accounts of their users.
    Facebook should also be thankful that you are someone who only attempted to drawing their attention to the seriousness of this security hole, because if a hacker with a malicious mindset had exploited this flaw than what would have been the impact to millions of facebook users around the world.

  • February 14, 2011 at 7:57 am

    He just trying to warn facebook about the security issues they got.. tnx Idol Roy ^_^

  • March 4, 2011 at 1:34 am

    thanks !

Leave a Reply

Your email address will not be published. Required fields are marked *