
Wednesday, August 7, 2013

Facebook, Going Stealth, Seen no more

Hello Folks,

Today we will be playing with a little trick in *hacking* that might interest most people who need to hide their traces across the chat communities of the world wide web.

Our main purpose is to hide the "Seen" functionality in the most famous social networking site, Facebook, so let's seek some anonymity.

First of all, let's analyze the "Seen" functionality to see how it works, and then try to figure out a way to bypass it.

Analysis Phase:

- When you chat with someone using the Facebook messaging system, you are actually sending and receiving a lot of authenticated requests and responses over TCP. These requests are sent using the HTTP POST method, so everything travels in the data part of the request, not in the visible section of the URI.

Using Tamper Data*, we sniffed some traffic until an interesting packet appeared.


As we noticed, the request goes to the file (/ajax/mercury/change_read_status.php), which, as the name shows, is responsible for checking whether the message has been read (by focusing your cursor on the chat box of the conversation). If it has, it triggers the function responsible for turning on the "Seen" functionality, and the keyword (Seen) is written at the other end of the conversation using another mercury file (/ajax/mercury/mark_seen.php), as shown below.


Notice that the (mark_seen.php) script is only triggered on your side when you send messages: it waits for a signal from the (change_read_status.php) script on the other side(s) of the conversation and marks the message as Seen when it receives that signal. If you are the receiver, clicking the chat box and focusing your cursor on the conversation bar triggers the (change_read_status.php) script and sends a signal to the other endpoint, so it knows that you really read the latest message sent to you.


So, if we find a way to interfere with this traffic so that the call to the (change_read_status.php) script is NOT triggered, we might be able to read messages without the other party in the conversation seeing the (Seen) keyword in their chat, and they will think that the message is still pending and not read yet.

Going stealthy:

- Do you know that you can bypass this mechanism without installing any third-party application for your browser?
Actually, that wasn't a joke!
Thinking about it, it's a lot easier than you might imagine. You can bypass this simply by blocking the requests going to the (change_read_status.php) file. On the other side(s) of the conversation, the (mark_seen.php) script will then never receive your signal, and your friend(s) will never know that you really read the message (unless they are actually sitting next to you!!!).
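
The decision a client-side request filter has to make for the blocking described above can be sketched as follows. This is an added example, not code from the original article: the endpoint path is the one named in the article, while the host suffix `facebook.com`, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: allow/block decision for the read-status request.
// Path is from the article; host suffix and samples are assumptions.
const READ_RECEIPT_PATH = "/ajax/mercury/change_read_status.php";
const ASSUMED_HOSTS = ["facebook.com"];

function hostMatches(hostname) {
  const h = hostname.toLowerCase();
  // Exact domain or a real subdomain; "facebook.com.example.net" fails.
  return ASSUMED_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

// Returns "block" only for a POST to the read-status script.
function decide(method, rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return "allow"; // unparsable URL: leave it alone
  }
  if (!hostMatches(url.hostname)) return "allow";
  // The URL parser resolves "../" segments and keeps the query string
  // in url.search, so neither can disguise the path compared here.
  if (url.pathname !== READ_RECEIPT_PATH) return "allow";
  return method.toUpperCase() === "POST" ? "block" : "allow";
}

// Constructed sample requests (method, URL); not captured traffic.
const sampleRequests = [
  ["POST", "https://www.facebook.com/ajax/mercury/change_read_status.php?x=1"],
  ["POST", "https://www.facebook.com/ajax/mercury/mark_seen.php"],
  ["POST", "https://www.facebook.com/ajax/mercury/../mercury/change_read_status.php"],
  ["POST", "https://facebook.com.example.net/ajax/mercury/change_read_status.php"],
  ["POST", "https://www.facebook.com/ajax/mercury/change_read_status.php.bak"],
  ["GET", "https://www.facebook.com/ajax/mercury/change_read_status.php"],
];

function filterLog(requests) {
  return requests.map(([method, url]) => decide(method, url));
}

console.log(filterLog(sampleRequests));
```

Only the exact script path on the expected site is blocked; the (mark_seen.php) call and lookalike hosts or file names pass through untouched, so the rest of the chat keeps working.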


Finally, of course, this is not a full tutorial on "how to hack Facebook" or "step by step into social anonymity". It's just an article that discusses a feature (well, maybe for some people and for some reasons it may not be one) and how to bypass it with minimal use of applications (as you may have already noticed, we bypassed it without using any extension or third-party application, just a browser and a human with a working brain).

Many thanks to Marwan Rashad for choosing a perfect title for this article :-).

References:

*Tamper Data: You can download this tool for Mozilla browsers from addons.mozilla.org for free.

