June 15, 2016Swati Khandelwal
Hacking Facebook account is one of the major queries on the Internet today.
It's hard to find — how to hack Facebook account or facebook messenger, but researchers found a way that can allow someone to hack Facebook account passwords with only the target's phone number and some resources.
Yes, your Facebook profile can be hacked, no matter how strong your password is or how much extra security measures you have taken. No joke!
Hackers with resources to exploit SS7 network can hack your Facebook login and all they need is your phone number.
The weaknesses in the part of global telecom network SS7 that not only let hackers and spy agencies listen to personal phone calls and intercept SMSes on a potentially massive scale but also let them hijack social media accounts to which you have provided your phone number.
SS7 or Signalling System Number 7 is a cell phone signaling protocol that is being used by more than 800 telecommunication operators worldwide to exchange information with one another, cross-carrier billing, enabling roaming, and other features.
However, an issue with the SS7 network is that it trusts text messages sent over it regardless of their origin. So, malicious hackers could trick SS7 into diverting text messages as well as calls to their own devices.
All they need is the target's phone number and some details of the target's device to initiate the silent snooping.
The researchers from Positive Technologies, who recently showed how they could hijack WhatsApp and Telegram accounts, now gave the demonstration of the Facebook hack using similar tricks, Forbes reported.
SS7 has long been known to be vulnerable, despite the most advanced encryption used by cellular networks. The designing flaws in SS7 have been in circulation since 2014 when the team of researchers at German Security Research Labs alerted the world to it.
The attacker first needs to click on the "Forgot account?" link on the Facebook.com homepage to reset your password.
Now, when asked for a phone number or email address linked to the target account, the hacker needs to provide the legitimate phone number.
The attacker then diverts the SMS containing a one-time passcode (OTP) to their own computer or phone, and can gain access to the target's Facebook account.
The issue affects all Facebook users who have registered a phone number with Facebook and have authorized Facebook Texts.
Besides Facebook, researchers' work shows that any service, including Gmail and Twitter, that uses SMS to verify its user accounts has left open doors for hackers to target its customers.
Although the network operators are unable to patch the hole sometime soon, there is little the smartphone users can do.
However, the important thing to note is that the issue has actually nothing to do with Facebook security or other website's security, instead it is the weakness in the telecom network.
"Because this technique [SSL exploitation] requires significant technical and financial investment, it is a very low risk for most people," Facebook spokesperson told The Hacker News.
"As an added precaution, we recommend turning on two-factor authentication, called Login Approvals, in your Facebook security settings. Doing this will disable recovery via SMS on your account so even if someone has your phone number, they'll still need your password to access your account."
Update: If you think this technique is old and can not be used to hack your social media, bank or any online accounts, then you are mistaken.
A real-world SS7 attack has been spotted this month when some unknown hackers exploited the design flaws in the Signaling System 7 (SS7) to drain victims' bank accounts.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Share
Tweet
Share
Share
Share on Facebook Share on Twitter Share on Linkedin Share on Reddit Share on Hacker News Share on Email Share on WhatsApp Share on Facebook Messenger Share on TelegramSHARE
Facebook account hacking, Facebook hacking, gmail hacking, hacking news, How to Hack Facebook, interception, Signaling System 7, sms hacking, SS7, SS7 Protocol, twitter hacking
March 08, 2016Swati Khandelwal
Hacking Facebook account is one of the major queries of the Internet user today.
It's hard to find — how to hack Facebook account, but an Indian hacker just did it.
A security researcher discovered a 'simple vulnerability' in the social network that allowed him to easily hack into any Facebook account, view message conversations, post anything, view payment card details and do whatever the real account holder can.
Facebook bounty hunter Anand Prakash from India recently discovered a Password Reset Vulnerability, a simple yet critical vulnerability that could have given an attacker endless opportunities to brute force a 6-digit code and reset any account's password.
The vulnerability actually resides in the way Facebook's beta domains handle 'Forgot Password' requests.
Facebook lets users change their account password through Password Reset procedure by confirming their Facebook account with a 6-digit code received via email or text message.
To ensure the genuinity of the user, Facebook allows the account holder to try up to a dozen codes before the account confirmation code is blocked due to the brute force protection that limits a large number of attempts.
However, Prakash discovered that the social media giant had not implemented rate-limiting in its password reset process on the beta sites, beta.facebook.com and mbasic.beta.facebook.com, according to a blog post published by Prakash.
Prakash tried to brute force the 6-digit code on the Facebook beta pages in the 'Forgot Password' window and discovered that there is no limit set by Facebook on the number of attempts for beta pages.
Prakash has also provided a proof-of-concept (POC) video demonstration that shows the attack in work. You can watch the video given below that will walk you through the entire procedure:
Here's the culprit:
As Prakash explained, the vulnerable POST request in the beta pages is:
lsd=AVoywo13&n=XXXXX
Brute forcing the 'n' successfully allowed Prakash to launch a brute force attack into any Facebook account by setting a new password, taking complete control of any account.
Prakash (@sehacure) discovered the vulnerability in February and reported it to Facebook on February 22. The social network fixed the issue the next day and had paid him $15,000 as a reward considering the severity and impact of the vulnerability.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Share
Tweet
Share
Share
Share on Facebook Share on Twitter Share on Linkedin Share on Reddit Share on Hacker News Share on Email Share on WhatsApp Share on Facebook Messenger Share on TelegramSHARE
Account password Reset, Bug Bounty Program, Facebook security, Hacking Facebook account, hacking news, How to Hack Facebook
A notification pops up on the smartphone screen: "We detected an unusual login attempt from Rio de Janeiro, Brazil.
" The first reaction is panic, especially if you live in, say, Vladivostok. What could it be? System failure? Or is someone from the other side of the world really encroaching on your account?
There is no way to panic in such a situation - this will only play into the hands of the burglars. So that you can remain calm and survive this incident with minimal losses, we will arm you with knowledge: we tell you what the matter might be and how to act.
First, let's figure out how a stranger could gain access to your account at all. There are several options here.
A third party site where you registered might have been leaked. Having acquired a list of logins, e-mail addresses and passwords, scammers use them for a substitution attack, that is, they try to enter stolen credentials on many sites. Unfortunately, many people set the same passwords to protect their accounts in different services - this is what criminals are counting on.
Alternatively, your Facebook or Instagram credentials may have been leaked from the app you trusted them to. For example, in June last year, thousands of passwords from Instagram accounts leaked to the network, the owners of which used the Social Captain service to buy likes and followers. It turned out that he did not encrypt customer data, and anyone could get access to it. It is reasonable to assume that many users of the service have since experienced hacking attempts.
It may also be that some time ago you fell for phishing, and your login with a password fell into the hands of scammers directly. They clicked on some link, and on the page that opened, very similar to the Facebook or Instagram login screen, they entered their credentials. So they ended up with the criminal. For example, most recently, our experts discovered a phishing campaign in which victims were lured to phishing pages by the threat of blocking their Facebook account due to copyright infringement.
Your password may have been stolen by malware you picked up somewhere. Many Trojans have a built-in keylogger, a program that registers keystrokes on the keyboard. All logins and passwords that the victim enters, the keylogger directly passes into the hands of attackers.
Someone may have stolen your access token. So that you don't have to enter a password every time you log into Facebook or Instagram, it saves a small piece of information needed to log in to your computer, which is called a token or access token. If an attacker steals the current token, he will be able to log into the account without a username and password.
Tokens can be stolen in different ways. Sometimes this is done through vulnerabilities in Facebook itself - for example, in 2018, attackers were able to get access tokens to 50 million Facebook accounts. Also, attackers can use browser extensions to steal tokens.
It's possible that you logged into Facebook or Instagram from someone else's device - at a party, in an Internet cafe, in a hotel lobby, and so on - and did not log out after that.
Or, for example, they forgot to log out of their account on a device that they had already sold or donated. Now someone has discovered your oversight and logged into your account.
Your account may not have been hacked at all, but they are trying with a fake suspicious login notification. This is the same phishing that we talked about above, but a slightly different version of it. Instead of the threat of blocking, scammers can use fake suspicious login notifications with a link to phishing sites similar to the login page. Attackers expect that the victim in a panic will go to a fake site and enter their username and password there.
We have sorted out the possible causes, now it's time to act. To get started, log into your account - but in any case not through the link from the notification (as we already know, it can lead to a phishing site), but through the mobile application or by entering the address in the browser manually.
If the password does not match and you can no longer log into your account, refer to the detailed instructions on what to do if your account has already been hijacked, which we published earlier.
If you are still allowed into your account, go to your account settings and verify the authenticity of the notification. For each social network, the path to the desired settings item will be different - see how this is done on Facebook and Instagram. Then go to the “Account Logins” section: if there are no suspicious entries there, then everything is in order, and the message about the hack was still phishing.
If you really see a suspicious one in the list of logins to your account, then it's time to hurry up to take protective measures - timely actions will help soften the blow:
This will reset the access tokens. In emails, scammers pretend to be representatives of government agencies in order to swindle users of their personal data and money.
We tell how scammers deceive users of a well-known marketplace using a fake payment page for goods.
Security Security strategy User Internet Web Services
|
Share
The flaw, which Facebook closed in early 2020, allowed it to seize control of any account on the social network and its friendly services. Security researcher Amol Baikar (Amol Baikar) has identified a dangerous vulnerability in Facebook's OAuth authorization protocol. It allows you to access any social network account, as well as other services that are logged in using Facebook. The specialist spoke about this in his personal blog, emphasizing that the described bug has existed for about 9-10 years.
According to Baikar, the problem lies in the implementation of the "Login with Facebook" function, which uses the OAuth 2.0 authorization protocol to exchange authorization tokens between the social network site and other web resources. Thanks to this feature, Facebook account holders can freely use third-party Internet services that provide such an opportunity without additional registration.
The expert explained that an attacker could deploy a special website to intercept OAuth traffic and steal tokens that provide access to visitors' Facebook accounts. As a result, the "hacker" will be able to send messages, post in the feed, change account information, and perform any other actions on behalf of the victim.
In addition, the cybercriminal gets the opportunity to establish control over accounts on third-party resources, which can be used for authorization using Facebook. Many web services now provide this opportunity, including the social network Instagram, streaming services Netflix and Spotify, and the dating app Tinder.
Baikar informed Facebook about the discovered vulnerability on December 16, 2019. To his surprise, the company acknowledged the presence of the "hole" on the same day. What's more, she immediately released a fix.
Security researcher Amol Baikar found a way to hack any Facebook account using a decade-old flaw
However, later the researcher found errors in its implementation, about which he notified the company representatives on January 3, 2020.
On January 10, Facebook eliminated the shortcomings identified by Baikar.
On February 20, the expert received a $55,000 reward from Facebook as part of the Bug Bounty program for his work.
Over the past few years, Facebook has repeatedly found itself at the center of various scandals due to a careless attitude to the privacy of social network users, as well as the presence of serious vulnerabilities in other company products.
5 easy steps: how IT companies can get a grant
IT industry support
For example, in July 2019, a vulnerability was discovered in the mobile version of Instagram (part of the Facebook ecosystem) that allowed an attacker to reset the password for absolutely any account and gain full control over it.
In April 2019, Facebook was convicted that when registering on a social network, a user's password to his email address could be requested if the client's email service causes some suspicions in the system.
The list of "suspicious" was also the popular Russian service "Yandex.mail".
In March 2019, it was discovered that tens of thousands of company employees could have access to other people's Facebook and Instagram pages, since the passwords of hundreds of millions of users were stored on the company's servers in clear text. Moreover, the social network officially recognized the existence of a problem only after a third-party information security specialist with connections within the company spoke about it on the Internet.
In September 2018, Facebook acknowledged the data breach of over 50 million account holders. The cause of the hack was a serious vulnerability in the Facebook code. It was eliminated as soon as possible, and law enforcement agencies were notified about the incident.
Alexander Gubinsky, Samaraavtozhgut: How we received a grant for the implementation of computer vision
IT industry support
In November 2018, it became known that the social network was unable to repel cybercriminals, as a result of which personal information about more than 120 million network users ended up in the hands of hackers.
