[Please note that I’m a 19-year-old French student, writing a story for the first time. Feel free to give me any advice that comes to your mind.]

TL;DR: The story of how I nearly got expelled from middle school for having made a Facemash, a beauty ranking website with 64 000 hacked pupils’ pictures, like Mark Zuckerberg at Harvard. It was a large-scale “URL Fuzzer” hack.

The vulnerability discovery

In 2010, I was fond of computer science (and still am) and I was in 7th grade (11 years old, UK: 8th, FR: 5ème) in a small middle school in France. At that moment, I had only developed a little PHP/MySQL blog for friends, mostly inspired by (copied from) an OpenClassrooms tutorial.

My school was using an online software program on which pupils could look for homework, and teachers could take attendance. To help teachers, a picture of every schoolboy was displayed. You may start to imagine what happens next.

The URL of my own picture was pretty simple: https://url-my-school.fr/photos/pupils/4256.jpg

Just for fun I tried to replace the number with another, and guess what, I landed on the picture of a classmate. At this moment, I was amused by this possibility, but I couldn’t find anything else to do other than entering random numbers.

The idea and the theory

During the following summer holidays, while I was watching a movie on the TV, a brilliant idea coincidentally came to my mind. I was actually watching The Social Network and it was Mark Zuckerberg’s brilliant idea, not mine.

I was going to hack my school website and develop a beauty ranking website. As a nod to Zuckerberg, I thought of precisely copying the Facemash website from the film and filling it with my classmates’ pictures.

At 12 (and still now), I didn’t own a laptop, so I borrowed my father’s and installed everything I needed, namely Wamp and Notepad++. My only problem was that the school software was off during holidays, so I had to work without the real website.

So I started working on a way to fetch all pictures from a fake folder “photos/pupils/” filled with randomly numbered pictures. It may sound like a simple “hack”, but please consider that at 12, I didn’t even know what a “SQL Join” was, or how to use JavaScript. I only knew a little about PHP at this time. Nevertheless, after a few days, everything was working fine.

Sample from my code. A great mix of HTML/JS/PHP and even SQL injection in the same page :)

I was trying to fetch every possible picture in HTML <img> tags, starting with “1.jpg”, “2.jpg”… until “10000.jpg”. A little JavaScript code was ticking a checkbox when the <img> tag was more than 10px high, which means the picture existed. The result of this operation was simply saved in a MySQL database with PHP. I just had to wait for the start of school and I would be able to list pupils’ pictures.
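Seen from the server side, the sweep described above leaves a recognizable trace in the web access log. The following is an added example, not code from the original story or from the school software: it flags clients that request long consecutive runs of numeric photo IDs with many 404s. The log format, IP addresses, thresholds and function names are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Requests for numerically named pupil photos, the URL shape from the story.
PHOTO_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /photos/pupils/(?P<id>\d+)\.jpg[^"]*" (?P<status>\d{3}) '
)

def longest_consecutive_run(ids):
    """Length of the longest run n, n+1, n+2, ... in a set of integers."""
    best = 0
    for n in ids:
        if n - 1 not in ids:              # n is the start of a run
            length = 1
            while n + length in ids:
                length += 1
            best = max(best, length)
    return best

def find_enumerators(lines, min_ids=20, min_run=10, min_miss_ratio=0.3):
    """Return {ip: stats} for clients whose photo requests look like an ID sweep."""
    seen, misses, totals = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in lines:
        m = PHOTO_RE.match(line)
        if not m:
            continue                      # not a photo request
        ip = m["ip"]
        seen[ip].add(int(m["id"]))
        totals[ip] += 1
        misses[ip] += m["status"] == "404"
    flagged = {}
    for ip, ids in seen.items():
        run = longest_consecutive_run(ids)
        ratio = misses[ip] / totals[ip]
        if len(ids) >= min_ids and run >= min_run and ratio >= min_miss_ratio:
            flagged[ip] = {"distinct_ids": len(ids), "longest_run": run,
                           "miss_ratio": round(ratio, 2)}
    return flagged

def sample_log():
    """Constructed log: one client viewing a few photos, one walking IDs 1..60."""
    ts = "[03/Sep/2011:17:02:11 +0200]"
    lines = [f'192.0.2.10 - - {ts} "GET /photos/pupils/{pid}.jpg HTTP/1.1" 200 18211'
             for pid in (4256, 4301, 4377, 4410, 4256)]
    for pid in range(1, 61):
        status = 200 if pid % 3 == 0 else 404   # most guessed IDs do not exist
        lines.append(f'198.51.100.7 - - {ts} "GET /photos/pupils/{pid}.jpg HTTP/1.1" {status} 512')
    return lines

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```
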

Now I needed to develop the Facemash website. It was quite simple with PHP and I reproduced the only screenshot I found on the Internet, from the Social Network Wiki. Two pictures were randomly displayed to the user who just had to choose “Who’s hotter” by clicking on a picture. Simple.

Screenshot from thesocialnetwork.wikia.com

The practice then the catch

A few days after the start of school, we had access to our school online software. Without waiting, I tried my hack script. It took approximately 10 minutes to hack 400 pictures but it worked, without any problem.

At that point I didn’t know what to do with this Facemash copy. For sure, I didn’t want to be kicked out of school, like Zuckerberg. So I didn’t share it with anyone.

I decided to act as a white hat and I went to my network administrator, who managed the software.

“Hello sir, I just want to show you a little exploit I found in the school website”

“Oh!? An exploit?”

But as expected after showing him the bug: “You scared me when you used the word «Exploit». But don’t worry, it’s not a bug.”

Don’t worry, it’s not a bug.

I was really disappointed and a little bit frustrated so after school, I shared the website with two classmates. But I made two mistakes: the first one was to send the link through the school webmail, the second was to share it with people I couldn’t trust at all.

Things started going wrong the very next day. Fortunately a teacher informed me that even though she hadn’t understood everything, I was going to have a lot of trouble. She might not have understood but I immediately did. Without any reflection I put Facemash offline.

What a good idea. I was shortly taken to the Vice-Principal’s office where the network administrator and my year head teacher were waiting for me. They were trying to access Facemash and I quickly assured them it was offline.

They didn’t believe me, except the administrator, who strangely changed his mind about the severity of the exploit I used. It’s amazing how parents’ complaints could make my work more serious. But it was true, Facemash was offline and without any evidence they could only give me a lecture.

Let’s go further

You’re going to tell me: “You’re a liar, it’s absolutely not a countrywide Facemash!” True. It wasn’t yet.

A year later, I might have been bored and without any interesting little project. I thought big and modified my script in order to work for every school which used this software.

During one week after school, I hacked as many pictures as I could, sometimes 10 websites at the same time. I picked URLs from the official software project website, but above all from Google. The Google dorking technique worked perfectly, exposing more than 400 French schools. However, half of them didn’t return any pictures.

Precisely 64276 students’ pictures from 243 different schools

In the end, I had found more than 64 000 French pupils’ pictures. It was a huge Facemash. A lot bigger than Zuckerberg’s.

But I didn’t do anything with it. I didn’t even share it with a single person.

Final Words

This vulnerability was fixed in 2012 by adding a random string before the picture’s name. The project in question is free and open-source software mainly developed by teachers. Their responsiveness and the open source development model allowed this bug to be fixed quickly, before the vulnerability fell into the wrong hands.
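A sketch of that kind of fix, as an added example and not the project’s actual patch: every sequentially named picture gets a random prefix, after which none of the names 1.jpg to 10000.jpg resolves any more. The `<token>_<id>.jpg` naming scheme, the function names and the placeholder files are assumptions.

```python
import os
import re
import secrets
import tempfile

SEQUENTIAL = re.compile(r"^(\d+)\.jpg$")   # the old, guessable naming scheme

def randomize_photo_names(directory):
    """Rename every N.jpg to <random>_N.jpg and return {pupil_id: new_name}."""
    mapping = {}
    for name in sorted(os.listdir(directory)):
        m = SEQUENTIAL.match(name)
        if not m:
            continue                        # already renamed, or not a photo
        token = secrets.token_hex(16)       # 128 random bits from the OS CSPRNG
        new_name = f"{token}_{m.group(1)}.jpg"
        os.rename(os.path.join(directory, name),
                  os.path.join(directory, new_name))
        mapping[int(m.group(1))] = new_name
    return mapping

def count_guessable(directory, max_id):
    """How many of 1.jpg .. max_id.jpg still resolve to a file."""
    return sum(os.path.exists(os.path.join(directory, f"{i}.jpg"))
               for i in range(1, max_id + 1))

def demo():
    """Run the migration on a temporary folder of constructed placeholder files."""
    with tempfile.TemporaryDirectory() as d:
        for pid in (12, 4256, 9001):
            with open(os.path.join(d, f"{pid}.jpg"), "wb") as fh:
                fh.write(b"constructed placeholder, not a real image")
        before = count_guessable(d, 10000)
        mapping = randomize_photo_names(d)
        after = count_guessable(d, 10000)
        return before, after, mapping

if __name__ == "__main__":
    before, after, mapping = demo()
    print(f"guessable before: {before}, after: {after}")
    print(mapping)
```

The application has to store the returned mapping so that it can still build the picture URL for each pupil, and the folder must not allow directory listing, since the random names are the only thing standing between a visitor and the files.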

I hope you enjoy my story. Once again, feel free to contact me with any questions. I will gratefully receive any comments or suggestions to improve my writing. Thanks.