Sep. 16, 2008

Honesty Box Hacked

Update: Please note that the hack described here has been patched for over a year. This post is only an archive. I am not currently aware of any ways to hack the Honesty Box, and any requests to hack the application WILL be ignored.

Ever since I started hacking social networking applications, I’ve wanted to crack the Honesty Box.  One of the first apps on the Facebook Platform, the Honesty Box lets users send anonymous messages to those who install it.  Last year I tried to find a way to uncover a sender’s identity, but to no avail.  This year is a different story.

Originally, the Honesty Box was a fairly simple application, and consequently it had few opportunities for hacking.  While I could tell that the app did store data on who left a message, I could not find any way to get at the information short of trying a SQL injection attack.

But now, the Honesty Box has added a feature called “Reveal-Deals.”  This lets you exchange “HB points,” a rewards system in the app, to find out who left a message.  A user’s identity is only revealed once they agree on the number of points and accept the deal, so messages remain anonymous unless the sender decides to make or take an offer.

At least, that’s how things normally work.  I discovered the newer setup last night, and immediately saw it as a potential opening for a hack.  After an hour or two of work, with friends providing test cases, I finally pulled off one of my dream hacks: I can now uncover the sender of an Honesty Box message without exchanging HB points.

A few notes: The hack is a bit complicated, so I wouldn’t start freaking out about messages you’ve left.  I have not notified the app developers about this hack yet simply because I haven’t written up the details yet.  I do plan on sending them a full report soon.  If you’re a journalist who wants confirmation of the hack, you can e-mail theharmonyguy at Gmail to set up a test case, but please only do so if you’ve been on TechMeme before.  (The TechMeme requirement is a simple way for me to limit requests to legit people.)  Please do not send any requests to reveal someone on your Honesty Box, hack a friend’s Facebook account, etc. – such e-mails will be completely ignored.

The moral of the story?  For developers, be very careful about adding new features, especially ones that make a fundamental change to the structure of the application.  For users, be careful in posting messages online, though personally, I think you should be willing to say to someone’s face what you say in their Honesty Box, and I use it for sending compliments or encouragement.  But that’s just me. :)

Update (Sept. 17): The Honesty Box application appears to be patched now; I haven’t done a full check yet, but one of the holes that the hack took advantage of is gone.  Kudos to the developers for a quick fix.

  1. I really don’t understand why hacking something like Honesty Box can’t be Free Domain. I understand why some people would think it should be private, but those people are just afraid that someone they insulted or slandered will find out their identity and be confronted. I also get that if you don’t like not knowing who sent you a message via HB then you should remove the app and let that be that, but you can argue that opinion all day.
    Personally, I just wanna know who sent me a message implying that they like me and are too scared of rejection. Cuz I just might like them in return. Oh well.

  2. can u plz help me hack the honesty box… ive been humiliated and harassed by this person and i just wanna find out who it is… can u plz help me

  3. I’m in pretty much total agreement with Joshua. While I’d definitely love to find out who sent me 10 messages consecutively implying that they want to jump my bones, I’d have no problem erasing the application if I had experienced negative feedback. I think it’s pretty noble of you to even think of notifying the developers. I would already be selling the crack to fiending thirteen year olds.

  4. i want to see which person is continuously sending me flirting messages. they are disgusting. i would remove the app, i have no problem with that, but i want to know who on my friends list is doing it. it would really help if we could find out who sends us messages because then i can sort out whoever is sending sick messages.

  5. Hey there!
    We are having a project in class about hacking different softwares such as; facebook, Hotmail, yahoo and so on.. we would like to know where do you guys get the codes for facebook and so on..

  6. Sarah…did u NOT just read what he wrote. I’m not trying to be a jackass, but seriously the guy said he would completely ignore stuff like that and he made it clear. Jeez.

    …and it was sarcasm, then…FAIL.

  7. Daniel… Daniel, Daniel, Daniel.

    If you are “…having a project in class about hacking…(sp)” and you don’t even know how to get the codes, give up. Tell your teacher they’re a failure. If it’s a student assignment and you’re trying to figure out how to do it yourself, still give up.


  8. unknowncommand says:

    hello hello, i am getting creeped out seriously. people are sending me stuff like cute, hot, i dont know im just getting effin freaked out >< and can you help me?

  9. Anthony says:

    I really need to find out who this person is. Just read what they said “ur gay, u think ur popular, u complain when ppl call u gay in ur honesty box but u dont change how u act and u still think ppl r gonna stop calling u gay, u listen to girl music, ur gay, u hang out with losers (exept for amanda) and u think that ur friends with all the populars but ur RELLY NOT!!! go fuck urself and stop being gay.”
    I seriously need to find out who it is. I’ve been harassed before, but not like this.

  10. Well that’s gay u tell them.. leave the hole open for a while then tell them to fix it well that stupid as hell why dont u let other people doit! Have some fun to ya know..

  11. u r an idiot says:

    u r an idiot…..u work a whole year to figure it out than ur gonna go run to the app developers and tell them for what….so they can say good job ur sooo good…ur pathetic u disgust me

  12. Camillia says:

    I just wanted to say thanks for your efforts and time. I’m really glad you’re mature enough to send this information to the developers rather than keeping it for yourself and using it for bad things.

    It’s very true that people should be willing to say what they think to a person’s face, but it’s hard for a lot of insecure people who think they will be shot down. But honestly? (Pun not intended) It gets way out of hand. If it was to be hacked easily then there would be absolute chaos!

  13. Honesty box is just another application for people with lame ass existences of life go to bring other people down. Screw em they are just a bunch of people who are jealous anyways. Put your profile on private because people can write in your honesty box if everyone can see your facebook. AND if you still keep getting nasty comments when its private then you will really know you just have some fake ass “friends” who have no life.

  14. The only thing worse than that stupid honesty box app is someone who hacks it, publishes that they hacked it, and then keeps the hack private. This is the most self-righteous BS i have ever seen. This is major fail, pretentious crap to even publish this. You should be ashamed lol.

  15. If the hole has been patched, why not give some details? The whole point of publishing hacks is to learn something.

    What critical mistake was made when the new features were added?

  16. This would actually make my life if I could find out who this guy is I’ve been talking on Facebook for over two weeks! He won’t accept any of my bribes and I need to know! Please Help, thank you!

