
Indexof Facebook Google Hack


Note: in going back through a ton of Google hacks for an upcoming book, here is a blast from the past that still works, and works well. Some changes, though:

Indexof /facebook parent dir config.php

Use this one rather than the one below to get the config file (if it is readable by you); if it is not, there are other cool things to look at.

Another fun Google hack that, much like the Twitter hack, exposes the file system, but can also expose the API key that a program is using to access Facebook applications. This is one of those double-trouble issues: one part exposes the file structure, and the other exposes the API key that a program is using to access Facebook.

The Facebook API key is important, and the API secret is even more important; the API secret is the code set that is passed along with the API. In the Footprints directory, you want the config.php file because the API key and secret are the two important parts of the file, and they are hardcoded into it. Going into the footprints directory automatically fires off the code on the server unless you grab the config.php file directly.

The API key is embedded in the URL with the calling web site as shown below. The secret key is not passed in the initial call.

The Google hack is also fairly trivial:

Indexof /facebook

This opens the door to the facebook-platform application, where developers can work on their Facebook apps.

The code call in the config.php file is:

// Get these from http://developers.facebook.com
$api_key = 'YOUR_API_KEY';
$secret  = 'YOUR_SECRET';
/* While you're there, you'll also want to set up your callback url to the url
 * of the directory that contains Footprints' index.php, and you can set the
 * framed page URL to whatever you want.  You should also swap the references
 * in the code from http://apps.facebook.com/footprints/ to your framed page URL. */

You can see this in action on the Facebook developer's page. The hard part is getting around the automatic execution of the PHP files by directly latching onto the files themselves. Another way of getting around this is to use Firebug on the call to deconstruct the URL passing method.

This hack was discovered by Josh F (although it might have been discovered by someone else, this is the first time I have seen this).
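A local audit for the two exposures described above, written as an added example and not taken from the original post: it walks a web root on disk, flags directories that have no index file, and flags PHP files that assign real values to $api_key or $secret. The index file names, the function names and the sample tree are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Matches the assignments used in the Footprints config.php excerpt.
ASSIGN = re.compile(r"""\$(api_key|secret)\s*=\s*(['"])(.*?)\2\s*;""")
PLACEHOLDERS = {"", "YOUR_API_KEY", "YOUR_SECRET"}
INDEX_FILES = ("index.php", "index.html", "index.htm")  # assumed DirectoryIndex names

def audit_webroot(root):
    """Return sorted (relative path, finding) pairs for a local web root."""
    root = Path(root)
    findings = []
    for d in [root, *(p for p in root.rglob("*") if p.is_dir())]:
        # Without an index file the server answers with a listing when autoindex is on.
        if not any((d / name).is_file() for name in INDEX_FILES):
            findings.append((d.relative_to(root).as_posix(),
                             "no index file (listable if autoindex is on)"))
    for f in root.rglob("*.php"):
        for m in ASSIGN.finditer(f.read_text(errors="replace")):
            if m.group(3) not in PLACEHOLDERS:  # a real value, not the template text
                findings.append((f.relative_to(root).as_posix(),
                                 f"hardcoded ${m.group(1)} inside the web root"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "facebook" / "footprints"
        tpl = root / "facebook" / "template"
        app.mkdir(parents=True)
        tpl.mkdir()
        (root / "index.html").write_text("<html></html>")
        (app / "index.php").write_text("<?php require 'config.php';")
        # Constructed values, not real credentials.
        (app / "config.php").write_text(
            "<?php\n$api_key = 'constructed-key-0001';\n$secret  = 'constructed-secret-0001';\n")
        (tpl / "config.php").write_text(
            "<?php\n$api_key = 'YOUR_API_KEY';\n$secret  = 'YOUR_SECRET';\n")
        return audit_webroot(root)

if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

Moving config.php outside the document root and turning off directory listings clears both kinds of finding.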

 

Tags: facebook, google, hack, hacking, hacker, facebook platform, developer, config.php, api, key

The post Indexof Facebook Google Hack appeared first on Techwag.

