Posts tagged: Facebook Hack

Oct 27 2011

Facebook Attach EXE Vulnerability

Summary:
When using the Facebook ‘Messages’ tab, there is a feature to attach a file. Used normally, the site won’t allow a user to attach an executable file. A bug was discovered that subverts this security mechanism. Note that you do NOT have to be friends with the user to send them a message with an attachment.

Description:
When attaching an executable file, Facebook will return an error message stating:
“Error Uploading: You cannot attach files of that type.”

[Image: Facebook “Error Uploading” message]

When uploading a file attachment to Facebook, we captured the web browser’s POST request as it was sent to the web server. Inside this POST request is the line:

Content-Disposition: form-data; name="attachment"; filename="cmd.exe"

It was discovered that the ‘filename’ variable was being parsed to determine whether the file type is allowed.

To subvert this check and attach an .exe file, we modified the POST request by appending a space to the filename value, like so:

filename="cmd.exe "

[Image: modified POST request]

This was enough to trick the parser and allow our executable file to be attached and sent in a message.
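As an added illustration (this is not the advisory’s code, and Facebook’s actual server-side logic is unknown), the Python below reconstructs a hypothetical filename check that behaves the way the advisory describes, next to a hardened version. The header parser, the extension sets and the sample requests are constructed for this example. The hardened check normalises the name before deciding (Unicode NFKC, basename only, trailing whitespace and dots removed, control characters rejected), uses an allowlist instead of a denylist, and backs the name check with a content sniff for native executable headers.

```python
"""Attachment filename validation: a weak check beside a hardened one.

Added example, not the advisory's code. `naive_is_allowed` is a hypothetical
reconstruction of a check that fails the way the advisory describes.
"""
import re
import unicodedata

# Hypothetical denylist used by the weak check (assumption, for illustration).
BLOCKED_EXTENSIONS = {"exe", "bat", "cmd", "com", "scr", "pif", "vbs", "js", "msi", "dll"}
# Allowlist used by the hardened check (assumption, for illustration).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "doc", "docx", "zip"}

_FILENAME_RE = re.compile(r'filename="((?:[^"\\]|\\.)*)"')


def parse_filename(content_disposition: str) -> str:
    """Extract the raw filename parameter from a multipart part's
    Content-Disposition header, without altering it in any way."""
    match = _FILENAME_RE.search(content_disposition)
    if match is None:
        raise ValueError("no filename parameter")
    return match.group(1).replace('\\"', '"')


def naive_is_allowed(filename: str) -> bool:
    """Weak check: split on the last dot and compare the raw suffix against a
    denylist. A trailing space turns the suffix into 'exe ', which is not in
    the set, so the executable slips through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def canonical_filename(filename: str) -> str:
    """Normalise a client-supplied name before any policy decision:
    Unicode NFKC (maps no-break and full-width characters to ASCII),
    basename only for either path separator, then drop trailing
    whitespace and dots, which Windows itself discards when creating a file."""
    name = unicodedata.normalize("NFKC", filename)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip().rstrip(". ")


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist check on the canonical name. Control characters (NUL,
    newlines, zero-width characters) are rejected outright rather than
    silently removed."""
    if any(unicodedata.category(ch).startswith("C") for ch in filename):
        return False
    name = canonical_filename(filename)
    if not name or "." not in name:
        return False
    return name.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def looks_executable(head: bytes) -> bool:
    """Content check independent of the name: PE ('MZ'), ELF and Mach-O magic."""
    macho = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}
    return head.startswith(b"MZ") or head.startswith(b"\x7fELF") or head[:4] in macho


def validate_upload(content_disposition: str, head: bytes):
    """Full decision for one multipart part: (accepted, reason)."""
    try:
        raw = parse_filename(content_disposition)
    except ValueError as exc:
        return False, str(exc)
    if not hardened_is_allowed(raw):
        return False, f"extension not allowed for {raw!r}"
    if looks_executable(head):
        return False, "content is a native executable regardless of its name"
    return True, "accepted"


# Constructed sample parts: header line plus the first bytes of the body.
CONSTRUCTED_CASES = [
    ('form-data; name="attachment"; filename="cmd.exe"', b"MZ\x90\x00"),
    ('form-data; name="attachment"; filename="cmd.exe "', b"MZ\x90\x00"),  # trailing space, as in the advisory
    ('form-data; name="attachment"; filename="holiday.jpg"', b"\xff\xd8\xff\xe0"),
    ('form-data; name="attachment"; filename="holiday.jpg"', b"MZ\x90\x00"),  # executable renamed to .jpg
]

if __name__ == "__main__":
    for cd, head in CONSTRUCTED_CASES:
        raw = parse_filename(cd)
        print(f"{raw!r:16} naive={naive_is_allowed(raw)!s:5} hardened={validate_upload(cd, head)}")
```

The trailing space matters beyond the parser: Win32 strips trailing spaces and periods when a file is created, so a part named `cmd.exe ` is written to disk as `cmd.exe`. That is why the hardened check decides on the canonical name and still refuses a file whose first bytes identify a native executable whatever the name says.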


Impact:
Potentially allow an attacker to compromise a victim’s computer system.

Affected Products:
www.facebook.com

Time Table:
09/30/2011 Reported Vulnerability to the Vendor
10/26/2011 Vendor Acknowledged Vulnerability
10/27/2011 Publicly Disclosed

Credits:
Discovered by Nathan Power
www.securitypentest.com

Execution POC:

Aug 25 2011

Hacker Penetrated Facebook Servers

[Image: Glenn Mangham]

In one of the first cases of its kind in Britain, Glenn Steven Mangham, 25, used “considerable technical expertise” to repeatedly bypass security at the world’s dominant social network, it was claimed.

The student, from York, faces five charges, including that he “made, adapted, supplied or offered to supply” a computer program to hack into a Facebook server, Westminster magistrates’ court heard.

Police sources described the incidents as one of the first investigations into attempts to illegally access the site, which boasts more than 750 million members worldwide.

One Scotland Yard source told The Daily Telegraph that detectives were not aware of any hacking attempts “to this extent” on the site in Britain. It is understood Mangham does not have a Facebook profile.

Mangham was arrested by officers from the Metropolitan Police’s Central e-Crime Unit in early June on suspicion of “computer hacking offences” before being charged earlier this month.

He appeared in court for the first time yesterday on what the judge, Nicholas Evans, described as “serious allegations” under the Computer Misuse Act.

He was banned from having any access to computers, his iPhone or “any devices capable of accessing the internet” while on bail. His lawyers argued the conditions were similar to forcing him into “exile”.

“The court feels it will be safer if there was no access to the internet which will reduce the temptation for your son to go on to Facebook,” said Judge Evans.

Specialist cyber crime police allege that between April 27 and May 9 Mangham repeatedly hacked into a Facebook “puzzle server” using software he had downloaded.

The firm runs puzzle servers to allow computer programmers to test their skills. Mangham allegedly knew that doing so could disrupt its operation.

On April 29 he also tried to hack into a “mailman” server run by Facebook via his web browser, police claim. Such systems are used by firms to run internal and external email distribution lists.

Just over a week later he allegedly used software to “secure access to the Facebook phabricator server”. Phabricator is a set of tools designed by the firm to make it easier to build Facebook applications such as games.

Mangham had “made, adapted, supplied or offered to supply” a special software script to hack into the Phabricator server, the court heard.

Despite the extent of the alleged intrusions, Facebook said its users’ personal data was not compromised.

Aug 10 2011

Anonymous : Operation Facebook – November 5, 2011

“The more Facebook seems to dominate the world, the closer it seems to be to its end”.
[Image: Operation Facebook]

Anonymous, the shady-yet-principled hacktivist group that has previously hacked into Iran’s government emails, the Pentagon, possibly the IMF, News Corp, Anders Breivik’s Twitter account, and much more, has a new target in its crosshairs: Facebook. The hackers have set the date for Facebook’s demise as November 5, 2011.

DATE: November 5, 2011.
TARGET: https://facebook.com
Press:
Twitter:
https://twitter.com/OP_Facebook

http://piratepad.net/YCPcpwrl09

Irc.Anonops.Li #OpFaceBook

Message:
Attention citizens of the world,

We wish to get your attention, hoping you heed the warnings as follows:
Your medium of communication you all so dearly adore will be destroyed. If you are a willing hacktivist or a guy who just wants to protect the freedom of information then join the cause and kill facebook for the sake of your own privacy.

Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world. Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria.

Everything you do on Facebook stays on Facebook regardless of your “privacy” settings, and deleting your account is impossible, even if you “delete” your account, all your personal info stays on Facebook and can be recovered at any time. Changing the privacy settings to make your Facebook account more “private” is also a delusion. Facebook knows more about you than your family. http://www.physorg.com/news170614271.html
http://itgrunts.com/2010/10/07/facebook-steals-numbers-and-data-from-your-iph….

You cannot hide from the reality in which you, the people of the internet, live. Facebook is the opposite of the Antisec cause. You are not safe from them nor from any government. One day you will look back on this and realise what we have done here is right, you will thank the rulers of the internet, we are not harming you but saving you.

The riots are underway. It is not a battle over the future of privacy and publicity. It is a battle for choice and informed consent. It’s unfolding because people are being raped, tickled, molested, and confused into doing things where they don’t understand the consequences. Facebook keeps saying that it gives users choices, but that is completely false. It gives users the illusion of and hides the details away from them “for their own good” while they then make millions off of you. When a service is “free,” it really means they’re making money off of you and your information.

Think for a while and prepare for a day that will go down in history. November 5 2011, #opfacebook . Engaged.

This is our world now. We exist without nationality, without religious bias. We have the right to not be surveilled, not be stalked, and not be used for profit. We have the right to not live as slaves.

We are anonymous
We are legion
We do not forgive
We do not forget
Expect us

Will Anonymous be able to successfully lay waste to Mark Zuckerberg’s fortress? This is set to be the Internet showdown of the year.

Feb 22 2011

Facebook ClickJacking : Malware takes on new Italian disguises

Facebook users have been subjected to clickjacking attacks that force them to authorize actions they had no intention of approving.

The latest few campaigns seen by SophosLabs, for instance, target Italian users of the social network.
[Image: Facebook clickjacking page]

COCA COLA: Dopo aver visto questo video non berrò più coca cola. Svelata la ricetta segreta. Guarda il video verita

Which translates as: “COCA COLA: After watching this video you won’t drink Coca Cola. The secret recipe revealed. Watch the video truth.”
[Image: Facebook clickjacking page]

LO SCHERZO DI SAN VALENTINO CHE STA FACENDO IL GIRO DEL MONDO! TE RETO A VER ESTA PAGINA PARA 5 SEGUNDOS SIN REIRTE

Which translates as: “THE VALENTINE’S DAY JOKE THAT IS GOING AROUND THE WORLD! I CHALLENGE YOU TO VIEW THIS PAGE FOR 5 SECONDS WITHOUT LAUGHING.”

All of these Facebook scams use clickjacking techniques to trick the user into “liking” them.

SophosLabs is intercepting the suspicious pages as Mal/FBJack-A.

Facebook users can protect themselves from clickjacking threats like this by using browser plugins such as NoScript for Firefox.

[Image: NoScript]

Source: NakedSecurity | Sophos

Feb 08 2011

Viral and Malicious Facebook Application Toolkit

Over the last weekend a viral rogue app campaign hit Facebook again. This time the application was called “Profile Creeps” which, like many other rogue applications before it, promises to do what Facebook simply doesn’t allow *ANY* app to do – let us know who looks at our profile. Users are still tricked into installing apps that promise to do just this. And just like most of the others, the latest one leads to a survey that in the end generates money for the people behind the app.

[Image: Facebook Profile Creeps]

Let’s look at a very similar fraudulent application that “can” allow Facebook users to know who “creeps” at their profile, called “Facebook Profile Creeper Tracker Pro”. The application asks for some permissions, shows an online survey/advertisements and tells the user at the end of the process that he/she is the one who looks at his/her own profile the most. In other words, this application should be revoked according to the terms and conditions of Facebook.

[Image: “Facebook Profile Creeper Tracker Pro” and similar fraudulent applications]

This application was built with a pre-defined toolkit called “Tinie app” which is a Facebook viral application template available in some variations for only $25 or even less. The next image is one of the template images in the toolkit that aims to give some directions to the buyer, besides the full-blown step-by-step guide that comes with the kit itself:

[Image: Tinie viral app template]

The buyer doesn’t need any development experience with Facebook; he/she just needs to follow the accompanying instructions, and a working viral Facebook application is at their disposal.

Source: Websense Security Labs Blog