
[CRACKED] Facebook's phstamp

Discussion in 'FaceBook' started by StellaArtois, Feb 25, 2012.

  1. StellaArtois

    StellaArtois BANNED

    Joined:
    Jun 13, 2011
    Messages:
    104
    Likes Received:
    354
    Anyone who has a toolbar and noticed it's stopped working, or anyone wanting to write a bot, or software, that makes requests to Facebook will find this interesting.

    Recently Facebook added a new parameter to their query strings when making post requests. Such as inviting to events, sharing content etc. At the end of the URL you will notice: &phstamp=00000000000

    Some would be fooled into thinking phstamp is some sort of timestamp. It's not. It's a hash that's generated per request to verify the request. I managed to crack it ...

    Code:
    // qs:   the query string of the POST request (without the phstamp parameter)
    // dtsg: the fb_dtsg value from the page
    function generatePhstamp(qs, dtsg) {
        var input_len = qs.length;
        var numeric_csrf_value = '';   // declared locally instead of leaking a global

        // Append the decimal character code of every character of fb_dtsg
        for (var ii = 0; ii < dtsg.length; ii++) {
            numeric_csrf_value += dtsg.charCodeAt(ii);
        }
        // '1', then the concatenated character codes, then the query string length
        return '1' + numeric_csrf_value + input_len;
    }
    
    
    Usage:
    - qs = Query string. (Monitor headers with LiveHTTPHeaders to get the query string of a post request on Facebook). Example:

    (exclude '&phstamp=165816710081728698224' when passing in the query string).

    - dtsg = This is the fb_dtsg value.

    And that's how you generate a phstamp hash :D

    Hint ... this relates to the recent spurt of events popping up with millions of invites. Do your own research on that, I won't be leaking that at this point (don't PM me for the exploit either please).
     
    • Thanks x 8
    Last edited: Feb 25, 2012
  2. auuuu

    auuuu Elite Member

    Joined:
    Jul 10, 2010
    Messages:
    1,534
    Likes Received:
    349
    Occupation:
    Social Influencer
    Location:
    England
    I don't know how I can deal with it, but anyway a big thank you :)

    If anyone knows how to exploit it, shoot me a PM asap; I work with traffic outside US/UK :)

    PS: StellaArtois, I've sent you a PM some days ago but without a reply back :) If you can give me just one minute of your time I'll be very happy :)
     
  3. MS359

    MS359 BANNED

    Joined:
    Feb 25, 2012
    Messages:
    24
    Likes Received:
    4
    Thanks for this, it's pretty helpful.
     
  4. paxpelus

    paxpelus Junior Member

    Joined:
    Feb 7, 2011
    Messages:
    159
    Likes Received:
    50
    Thanks man, I was looking for this... You saved me!
     
  5. StellaArtois

    StellaArtois BANNED

    Joined:
    Jun 13, 2011
    Messages:
    104
    Likes Received:
    354
    No worries. If anyone needs any help using it feel free to ask questions.
     
  6. phph5

    phph5 Regular Member

    Joined:
    Aug 7, 2010
    Messages:
    225
    Likes Received:
    42
    phstamp parameter is added to requests for adding/removing admins from pages, but I found it was basically ignored and requests worked fine with random numbers. Also, I noticed it increases a bit with every new request, so it does look like a timestamp anyway.

    What kind of requests fail if phstamp is not set correctly?
     
  7. phatzilla

    phatzilla Supreme Member

    Joined:
    Apr 9, 2009
    Messages:
    1,366
    Likes Received:
    1,017
    I'm pretty sure phstamp is for their own logging, and not in any way required for proper authentication. Although it wouldn't hurt to post the correct data.
     
  8. StellaArtois

    StellaArtois BANNED

    Joined:
    Jun 13, 2011
    Messages:
    104
    Likes Received:
    354
    I had issues with a few things that wouldn't work without the correct phstamp. But, as others have said in some cases it can work without it, or with a random number.

    To the poster above, phatzilla, it's definitely not a timestamp :p You can see what the function does.
     
  9. Humble

    Humble Registered Member

    Joined:
    Jul 17, 2010
    Messages:
    81
    Likes Received:
    51
    Occupation:
    Human
    Location:
    North American
    Thanks a lot, this was useful. Not sure if I need this for the action I'm trying to recreate, but just in case I'm going to add it. Great threads, keep it up StellaArtois :)
     
  10. joethetree

    joethetree Newbie

    Joined:
    Mar 3, 2012
    Messages:
    1
    Likes Received:
    0
    Thanks! This helped me a lot!

    For the record: removing applications from an account works with a random phstamp...

    Where is this phstamp generated? I have been looking through the JavaScript and could always find every post param (e.g. in __e("AsyncRequest")). However, I did not find the phstamp; where is it generated and added to the request?
     
  11. dragondf

    dragondf Regular Member

    Joined:
    May 15, 2010
    Messages:
    280
    Likes Received:
    34
    Occupation:
    Teacher, Manager of a WebStore company
    Location:
    Brazil
    My doubt is:

    Is this what people have used to steal Fan Pages?

    I received a warning from a person who added me on Facebook.

     
  12. sidcat

    sidcat Newbie

    Joined:
    May 27, 2012
    Messages:
    1
    Likes Received:
    0
    Hi, I'm working on some Facebook reverse engineering. Do you have any info about the __e("AsyncRequest") or similar stuff?

     
  13. nightclubpromo

    nightclubpromo Regular Member

    Joined:
    Dec 20, 2011
    Messages:
    255
    Likes Received:
    12
    Is there any way to use this to speed up the fb event invite process? Right now fb only lets me send 300 at a time.
     
  14. crepito

    crepito Junior Member

    Joined:
    Oct 5, 2008
    Messages:
    145
    Likes Received:
    28
    Location:
    Portugal
    Really priceless information. You saved me a lot of headaches.
     
  15. tilefono

    tilefono Newbie

    Joined:
    Aug 23, 2012
    Messages:
    19
    Likes Received:
    1
    Sorry for the stupid question, but what can one actually do with this?
     
  16. xuanhung123

    xuanhung123 Newbie

    Joined:
    Nov 17, 2010
    Messages:
    25
    Likes Received:
    2
    Occupation:
    Programmer
    I just converted your code to C#: :D

    Code:
    using System;

    public static class Phstamp
    {
        /// <summary>
        /// Generate phstamp on facebook
        /// </summary>
        /// <param name="qs">Query string without the phstamp parameter</param>
        /// <param name="dtsg">The fb_dtsg value</param>
        /// <returns>The phstamp string</returns>
        public static string generatePhstamp(string qs, string dtsg) {
            var input_len = qs.Length;
            string numeric_csrf_value = String.Empty;

            // Append the decimal UTF-16 code of each character, same as charCodeAt in the JS version
            // ((int)ch replaces Strings.AscW, which needs a Microsoft.VisualBasic reference)
            for (var ii = 0; ii < dtsg.Length; ii++) {
                numeric_csrf_value += (int)dtsg[ii];
            }
            return "1" + numeric_csrf_value + input_len;
        }
    }

    Works like a charm for me :D
     
  17. rupam

    rupam Newbie

    Joined:
    Mar 25, 2013
    Messages:
    1
    Likes Received:
    0
    Is there anyone who can teach me how to get my phstamp code for my Facebook profile... I really need this and it's very urgent. :(
    I will be really thankful if someone can do it for me :(
     
  18. S_Hidd

    S_Hidd Newbie

    Joined:
    Jun 23, 2013
    Messages:
    4
    Likes Received:
    0
    Me too, somebody help me, pls. Thanks