Hacking Facebook Accounts Through Facebook Applications [Report]
Facebook is one of the most popular social networking sites, and as a result it is the number one target of hackers. Facebook has implemented a lot of security on the server side, which is why hackers attack clients instead of the server. In simpler words, hackers don't attack Facebook itself but instead attack Facebook users; this is where attacks such as phishing and keylogging come into play.
In the past, we have written several posts related to Facebook hacking and security; however, in this post we will not discuss any of those earlier methods. In this post, we will tell you how to hack a Facebook password with Facebook applications.
According to CNET:
Hackers have turned their attention to Facebook's hundreds of independent applications. The results are not terribly surprising, but do not tell a good tale: app developers don't seem to know a thing about basic security, and are putting private user information at risk. As a result, malicious hackers are able to access and change what should be private user data managed by the application providers.
A very simple example is hacking Facebook username and password through static FBML. The hacker creates an application or a page that the user can find 'believable'. The user clicks on the page and checks the URL and the year the Facebook application/page was created. Facebook permits application developers to get access to large amounts of sensitive data, all without clear user consent, and this way the hacker gets all the information he needs about the user.
According to the summary of a 2600 article:
In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid (Facebook user ID) before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea.
The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.
Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uids.
The Steps To Hacking Aren't Too Difficult:
1. The user clicks the link, and the session (cookies) can now be accessed by the hacker. Using just that, the hacker can log into anyone's account without a username and password.
2. The user sifts through the URL and, once found, enters their username and password.
3. After hitting the button, the user checks the password, a page pops up stating a 'Thank you' message, and a password rank page will pop up.
4. When the user checks their email spam folder, there will be an email asking the user to try their password again.
According to Microsoft's Larry Osterman:
It takes a special mindset to think like a bad guy. Not everyone can switch into that mindset. For instance, I can't think of the number of times I had to tell developers on my team "It doesn't matter that you've checked the value on the client, you still need to check it on the server because the client that's talking to your server might not be your code."
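To see concretely what the 2600 summary and Osterman's point mean for an application developer, here is an added example (our own toy code, not code from Facebook, the Moods app, or either quoted source) of a "change my mood" handler written two ways. The vulnerable version trusts the uid that arrives in the form, so a logged-in user who edits that field writes another user's data; the hardened version takes the acting user only from the server-side session and rejects a mismatching form uid, and its history lookup checks friendship before returning anything. The sessions, the in-memory store, the friends lists and the tampered form are all constructed for the demonstration.

```python
"""Added example (not from the original article): why an app must not trust
a uid supplied in form data, and what checking it on the server looks like.
All sessions, stores and sample data below are constructed for this demo.
"""
from dataclasses import dataclass, field


@dataclass
class AppStore:
    # uid -> list of moods, newest last (constructed sample data)
    moods: dict = field(default_factory=dict)
    # uid -> set of friend uids (constructed sample data)
    friends: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the authenticated user may not act on the target uid."""


def update_mood_vulnerable(session: dict, form: dict, store: AppStore) -> int:
    """Trusts the uid field of the form: whatever the client sends is written.

    Returns the uid whose mood was written, so the tampering is visible.
    """
    uid = int(form["uid"])  # attacker-controlled value straight from the form
    store.moods.setdefault(uid, []).append(form["mood"])
    return uid


def update_mood_hardened(session: dict, form: dict, store: AppStore) -> int:
    """Ignores any uid in the form; the actor is the session's authenticated user.

    A form uid that disagrees with the session is rejected rather than silently
    corrected, so the mismatch shows up in logs instead of being hidden.
    """
    actor = session["uid"]  # set server-side at login, never taken from the form
    if "uid" in form and int(form["uid"]) != actor:
        raise Forbidden(f"form uid {form['uid']} does not match session uid {actor}")
    store.moods.setdefault(actor, []).append(form["mood"])
    return actor


def mood_history_vulnerable(session: dict, target_uid: int, store: AppStore) -> list:
    """Returns anyone's history to anyone; no relationship check at all."""
    return list(store.moods.get(target_uid, []))


def mood_history_hardened(session: dict, target_uid: int, store: AppStore) -> list:
    """Only the owner or one of the owner's friends may read the history."""
    actor = session["uid"]
    if actor != target_uid and actor not in store.friends.get(target_uid, set()):
        raise Forbidden(f"uid {actor} may not read history of uid {target_uid}")
    return list(store.moods.get(target_uid, []))


def demo() -> dict:
    """Runs the tampering scenario against both handlers and reports the outcome."""
    store = AppStore(
        moods={1001: ["happy"], 2002: ["calm"]},
        friends={1001: {3003}, 2002: set()},  # uid 2002 has no friends
    )
    session_a = {"uid": 1001}  # User A, logged in normally
    # User A's mood form after editing the uid in the browser (constructed):
    tampered_form = {"uid": "2002", "mood": "furious"}

    written = update_mood_vulnerable(session_a, tampered_form, store)
    vulnerable_victim_mood = store.moods[2002][-1]

    try:
        update_mood_hardened(session_a, tampered_form, store)
        hardened_blocked = False
    except Forbidden:
        hardened_blocked = True

    vulnerable_history = mood_history_vulnerable(session_a, 2002, store)
    try:
        mood_history_hardened(session_a, 2002, store)
        history_blocked = False
    except Forbidden:
        history_blocked = True

    return {
        "vulnerable_wrote_uid": written,
        "vulnerable_victim_mood": vulnerable_victim_mood,
        "hardened_blocked": hardened_blocked,
        "vulnerable_history_leaked": vulnerable_history,
        "hardened_history_blocked": history_blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the vulnerable handler writing "furious" into uid 2002's mood even though the session belongs to uid 1001, and the vulnerable history lookup handing 2002's history to a non-friend; both hardened handlers refuse. The design point is the one Osterman makes: the identity of the actor and the authorization decision both come from state the server controls, never from a field the browser can edit.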
To Make Sure That Your Account Doesn't Get Hacked:
1. Don't click on a link from a person you don’t know.
2. Facebook is not going to ask if your password is strong or not.
3. Never trust any Facebook Applications.