Disabling New Emails From Facebook Without Email Owner Interaction
I was following lokesh kumar’s bug ‘Confirming new email/mobile-number bug in facebook’ https://www.youtube.com/watch?v=4euBQCMxlE8 …. He found this bug in 2016 and i was following in 2017 as i saw it to late. You can see the video he wrote ‘POC’ inside the video.
So i was following the steps and was like ‘wow’ bug has been fixed. Now what’s next???
I thought what if the whole account is disable. As you people know there are a few ways to disable facebook account for reporting fake account or that specific account violates facebook terms and conditions. So i did something fishy here ;d , i copied celebrities photos in my test account and set as a display and cover photos. After that reported from another account that this guy is violates facebook AUP.
After a few hours my account has been disabled from facebook and due to the disability unconfirmed email was also disabled permanently.
Proof of concept
- Create facebook account with the email you want to disable permanently and do not confirm email.
- copy the photos of any celebrity ‘‘verified one’’
- upload on your display and cover photo
- Now change your first name last name and set as it is the one from where you copied the photos. (celebrities first name last name)
- report that account from your another fb id.
- that’s it. In return facebook disable the unconfirmed email aswel.
This is a working bug so do not harm any user. Try to test it to your own email addresses.
According to Facebook policy only email owner can disable his email id permanently and for that facebook send that instructions in a very first email when we create facebook account.
But here attacker can disable any email id permanently from facebook without email owner interaction.
Got a reply from admin ‘Neal’
After all facebook knows their security best.
Report closed as . N/A