A new loophole allowed an expert to delete any video on Facebook
24.1.2017 securityaffairs Social
Facebook has fixed a serious security bug that could have been exploited by hackers to delete any video shared by anyone on their wall.
A new bug in the Facebook platform was discovered by the security researcher Dan Melamed; the flaw could be exploited to delete any video shared by anyone on their wall.
Dan Melamed explained that a similar issue was discovered in June 2016 by the Indian security researcher Pranav Hivarekar, who demonstrated that he was able to delete any video by exploiting a security issue in the recently introduced video comment feature.
The new bug discovered by Melamed allowed him to delete any video on Facebook shared by anyone, without having any permission or authentication. The expert also discovered that it was possible to disable commenting on the video of your choice.
“Back in June of last year I discovered a critical vulnerability that allows me to remotely delete any video on Facebook. In addition, I also had the ability to disable commenting on any video. This allows a bad actor the ability to delete videos on Facebook without permission or authentication.” states the blog post published by Melamed.
The expert detailed the steps to exploit the vulnerability. He first created a public event on the Facebook page and uploaded a video on the Discussion part of the event.
The expert analyzed a POST request while uploading a video using the Fiddler debugging proxy and noticed the presence of a Video ID that could be manipulated. Melamed discovered that it was possible to replace the Video ID value of the video he uploaded with the Video ID value of any other video; the platform then responded with a server error (i.e. “This content is no longer available”).
Despite the error message, the new video was successfully posted and displayed on the user’s wall.
Once the video was posted, Melamed deleted the event post, which eventually deleted the attached video; this operation triggered the removal of the video from Facebook and from the wall of the victim.
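The defect in the flow above is a missing ownership check: a client-supplied Video ID is stored on the post, and deleting the post cascades to whatever video is referenced. The following is an added example, not code from the article or from Facebook; the store, ids and user names are constructed, and the same model is run once without and once with the ownership check.

```python
"""Server-side ownership check that the video deletion bug lacked.

Added example, not code from the article or from Facebook: the store,
ids, user names and the cascade rule are constructed to model the
described flow (attach a video id to a post, then delete the post)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


class NotAuthorized(Exception):
    """Raised when an actor tries to act on content they do not own."""


@dataclass
class Video:
    video_id: int
    owner: str


@dataclass
class Post:
    post_id: int
    owner: str
    video_id: Optional[int] = None


@dataclass
class VideoStore:
    # False models the vulnerable behaviour; True adds the ownership checks.
    enforce_ownership: bool
    videos: dict = field(default_factory=dict)
    posts: dict = field(default_factory=dict)

    def attach(self, actor: str, post_id: int, video_id: int) -> None:
        """Attach a client-supplied video id to the actor's own post."""
        post = self.posts[post_id]
        if post.owner != actor:
            raise NotAuthorized("not your post")
        video = self.videos.get(video_id)
        if video is None:
            # Unknown ids are rejected either way; the bug was that ids of
            # existing videos were never checked for ownership.
            raise KeyError("This content is no longer available")
        if self.enforce_ownership and video.owner != actor:
            raise NotAuthorized("video is not owned by the poster")
        post.video_id = video_id

    def delete_post(self, actor: str, post_id: int) -> None:
        """Delete a post. The vulnerable variant cascades to whatever video
        id is attached; the hardened one only to the actor's own video."""
        post = self.posts[post_id]
        if post.owner != actor:
            raise NotAuthorized("not your post")
        del self.posts[post_id]
        video = self.videos.get(post.video_id)
        if video is None:
            return
        if not self.enforce_ownership or video.owner == actor:
            del self.videos[post.video_id]


def run_scenario(enforce_ownership: bool) -> Tuple[str, bool]:
    """Replay the reported flow against a constructed store and report
    (outcome of the attach step, whether the victim's video survived)."""
    store = VideoStore(enforce_ownership)
    store.videos[100] = Video(100, owner="victim")          # constructed data
    store.posts[1] = Post(1, owner="someone_else")
    try:
        store.attach("someone_else", post_id=1, video_id=100)
    except NotAuthorized:
        return "attach refused", 100 in store.videos
    store.delete_post("someone_else", post_id=1)
    return "attached", 100 in store.videos


if __name__ == "__main__":
    print("without ownership check:", run_scenario(False))
    print("with ownership check:   ", run_scenario(True))
```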
“You will also notice in the drop down section that there is the option to “Turn off commenting.” This allows you to disable commenting on the video of your choice,” Melamed writes.
This simple sequence of actions allowed the researcher to delete any video on Facebook; below is a video PoC of the hack:
Melamed reported the vulnerability to Facebook, which solved the problem within a couple of weeks in early 2017. Facebook rewarded the bug hunter $10,000 under its bug bounty program.
This Bug Could Allow Hackers to Delete Any Video On Facebook
23.1.2017 thehackernews Social
A security researcher has discovered a critical vulnerability in Facebook that could allow attackers to delete any video of the social networking site shared by anyone on their wall.
The flaw has been discovered by security researcher Dan Melamed in June 2016, allowing him not only to remotely delete any video on Facebook shared by anyone without having any permission or authentication but also to disable commenting on the video of your choice.
Here's how to exploit this flaw:
In order to exploit this vulnerability, Melamed first created a public event on the Facebook page and uploaded a video on the Discussion part of the event.
While uploading the video, the researcher tampered with the POST request using Fiddler and replaced the Video ID value of his video with the Video ID value of any other video on the social media platform.
Although Facebook responded to this request with a server error, i.e. "This content is no longer available," the new video was successfully posted and displayed just fine.
Once this task was accomplished, Melamed deleted his event post, which eventually deleted the attached video.
And guess what? This in turn removed the video from the social networking site and from the wall of the victim.
"You will also notice in the drop down section that there is the option to "Turn off commenting." This allows you to disable commenting on the video of your choice," Melamed writes.
Video Demonstration
For more step by step details about the vulnerability and how it works, you can watch the proof-of-concept video demonstration above which shows the Facebook video deletion attack in action.
Melamed responsibly reported the vulnerability to the Facebook security team, which patched the vulnerability within two weeks at the beginning of this year.
Shortly after patching the flaw, the social media giant rewarded him $10,000 bug bounty for his efforts.
This is not the first time such a vulnerability, one that could allow attackers to delete any video from Facebook, has been disclosed. Bug bounty hunters continuously find and report such bugs to keep the social media platform safe and secure.
OurMine crew hacked the New York Times Twitter video account
23.1.2017 securityaffairs Social
The New York Times is investigating the hack of its Twitter video account (@nytvideo), which was used to post fake news on Sunday morning.
@nytvideo is The New York Times video account and has more than 250,000 followers on the platform.
Yesterday, around 9:40 a.m. ET, the Twitter account shared fake news about a missile attack by Russia against the United States. The message about the “missile attack” quoted a “leaked statement” from Russian President Vladimir Putin.
That fake news was quickly deleted, while other tweets claimed the involvement of the dreaded OurMine hacker group. The group, which hacked the Netflix US Twitter account (@Netflix) in December to promote its website and hacking services, is known for its attacks against high-profile Twitter accounts. The list of victims is very long and includes Mark Zuckerberg, Twitter co-founder Evan Williams, David Guetta, Daniel Ek, former Twitter CEO Dick Costolo, Twitter CEO Jack Dorsey, the CEO and founder of Spotify, Google CEO Sundar Pichai, and many others.
One of the messages shared by OurMine confirmed that the group is responsible for the hijacking of Sony Music’s Twitter account that occurred last month, when the hackers tweeted a hoax about Britney Spears’ death.
Below the messages shared by the group:
“Message from OurMine: We detected unusual activity on the account and we re-hacked it to make sure if the account is hacked or not,” read one tweet posted to the @nytvideo account Sunday.
All the messages were deleted by IT staff at The New York Times; the account also posted a message confirming that a series of tweets published from the account “without our authorization” had been removed.
New York Times Video ✔ @nytvideo
We deleted a series of tweets published from this account earlier today without our authorization. We are investigating the situation.
4:17 PM - 22 Jan 2017
“We are investigating the situation,” that tweet read.
Hacker found a way to hack Facebook by exploiting the ImageMagick flaw
18.1.2017 securityaffairs Social
The bug hunter Andrew Leonov has described how to exploit an ImageMagick flaw to remotely execute code on a Facebook server.
The hacker Andrew Leonov (@4lemon) has described how to exploit the so-called ImageMagick vulnerability to remotely execute code on a Facebook server.
The ImageMagick flaw, tracked as CVE-2016-3714, affects the popular image manipulation software, ImageMagick. The flaw could be exploited by hackers to take over websites running the widely used image-enhancing app. The vulnerability in ImageMagick App allows attackers to run arbitrary code on the targeted web servers that rely on the app for resizing or cropping user-uploaded images.
Andrew Leonov @4lemon
@Facebook #ImageTragick remote code execution http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html … #RCE #BugBounty
11:28 AM - 17 Jan 2017
The researcher has detailed the attack in a post and also provided a proof-of-concept exploit for the hack; Facebook has awarded him its highest payout to date, US$40,000.
“Once upon a time on Saturday in October I was testing some big service (not Facebook) when some redirect followed me on Facebook. It was a «Share on Facebook» dialog:” wrote Leonov.
https://www.facebook.com/dialog/feed?app_id=APP_ID&link=link.example.tld&picture=http%3A%2F%2Fattacker.tld%2Fexploit.png&name=news_name&caption=news_caption&description=news_descriotion&redirect_uri=http%3A%2F%2Fwww.facebook.com&ext=1476569763&hash=Aebid3vZFdh4UF1H
“Which many of you could see. If we look closer we can see that a `picture` parameter is a url. But there isn’t image url on page content like mentioned above.” added Leonov.
The expert discovered the vulnerability after a service redirected him to the Facebook platform; initially he was convinced he had discovered a server-side request forgery vulnerability.
“First of all I thought about some kind of SSRF issue. But tests showed that url from this parameter requested from 31.13.97.* network by facebookexternalhit/1.1.”
After testing the application, the expert worked out the following workflow:
Facebook gets the `picture` parameter and requests it – this request is correct and not vulnerable.
The received picture is passed to a converter instance that used the vulnerable ImageMagick library.
Facebook’s handling of the report was exemplary: the expert reported the issue through the bug bounty program in October and the IT giant fixed it in less than three days.
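The second step is where a fetched file that is not really an image reaches ImageMagick, which selects a coder from the file content rather than from its name. The block below is an added example, not Leonov's proof of concept or Facebook's pipeline: it shows the two standard defences a converter front-end applies, a magic-byte check with an explicit coder prefix on the convert command, and a check that the coder deny-list from the ImageTragick advisory is present in policy.xml; the sample bytes are constructed.

```python
"""Magic-byte check and explicit coder selection in front of ImageMagick.

Added example, not Leonov's proof of concept or Facebook's pipeline.
The fetch step is represented by already-downloaded bytes; POLICY_XML is
the coder deny-list published with the ImageTragick advisory."""
import xml.etree.ElementTree as ET

# Signatures of the raster formats a share-dialog thumbnail should ever be.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image_type(data: bytes):
    """Return 'png', 'jpeg' or 'gif' from the leading bytes, else None.
    ImageMagick picks a coder from content, not from the file name, so the
    server must not trust a .png suffix or a remote Content-Type header."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def build_convert_command(data: bytes, in_path: str, out_path: str) -> list:
    """Refuse anything that is not a known raster image and pin the coder
    with ImageMagick's 'format:path' prefix so it cannot re-guess the type."""
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("upload is not a PNG, JPEG or GIF; not sent to ImageMagick")
    return ["convert", f"{kind}:{in_path}", "-resize", "200x200", f"png:{out_path}"]


# Coder deny-list recommended for CVE-2016-3714 (goes in ImageMagick's policy.xml).
POLICY_XML = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""


def denied_coders(policy_xml: str) -> set:
    """Parse a policy.xml and return the coder patterns given no rights, so a
    deployment check can confirm the deny-list is actually installed."""
    root = ET.fromstring(policy_xml)
    return {
        p.get("pattern")
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }


if __name__ == "__main__":
    sample = b"\x89PNG\r\n\x1a\n" + bytes(16)          # constructed PNG header
    print(build_convert_command(sample, "/tmp/in.bin", "/tmp/out.png"))
    print(sorted(denied_coders(POLICY_XML)))
```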
Simple Hack Lets Hackers Listen to Your Facebook Voice Messages Sent Over Chat
17.1.2017 thehackernews Social
Most people hate typing long messages while chatting on messaging apps, but the voice recording feature provided by WhatsApp and Facebook Messenger makes it much easier for users to send longer messages that would otherwise require a lot of typing effort.
If you too have a habit of sending audio clips, instead of typing long messages, to your friends over Facebook Messenger, you are susceptible to a simple man-in-the-middle (MITM) attack that could leak your private audio clips to attackers.
What's more worrisome is that the issue is still not patched by the social media giant.
Egyptian security researcher Mohamed A. Baset told The Hacker News about a flaw in Facebook Messenger's audio clip recording feature that could allegedly allow any man-in-the-middle attacker to grab your audio clip files from Facebook's server and listen to your personal voice messages.
Let's understand how this new attack works.
Here's How Attackers can Listen to your Personal Audio Clips:
Whenever you record an audio clip (voice message) to send it to your friend, the clip gets uploaded onto Facebook's CDN server (i.e., https://z-1-cdn.fbsbx.com/...), from where it serves the same audio file, over HTTPS, to both the sender and the receiver.
Now, any attacker sitting on your network and running a MITM attack with SSL Strip can extract the absolute links (including the secret authentication token embedded in the URL) to all audio files exchanged between sender and receiver during that process.
Then, the attacker downgrades those absolute links from HTTPS to HTTP, allowing the attacker to directly download those audio files without any authentication.
That's it.
You might be wondering how hackers are able to download your audio files so easily.
What went Wrong?
This is because the Facebook CDN server does not impose an HTTP Strict Transport Security (HSTS) policy, which forces browsers or user agents to communicate with servers only over HTTPS connections and helps websites protect against protocol downgrade attacks.
Secondly, the lack of proper authentication — if a file has been shared between two Facebook users, it should not be accessible by anyone except them, even if someone has the absolute URL to the file, which also includes a secret token to access that file.
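The first cause, a CDN host answering without HSTS, is something a defender can verify from response headers alone. The block below is an added example, not Facebook code: it parses a Strict-Transport-Security value per RFC 6797 and lists the reasons a downgraded http:// link would still be honoured; the two header sets are constructed to model a CDN reply without HSTS and a hardened one, and the six-month minimum max-age is an assumption.

```python
"""Check whether a response's HSTS policy would stop the downgrade of a
https:// clip URL to http://.

Added example, not Facebook code; the two header sets below are
constructed to model a CDN response without HSTS and one with it."""
from dataclasses import dataclass

SIX_MONTHS = 180 * 24 * 3600   # minimum max-age to accept (assumption)


@dataclass
class HstsPolicy:
    present: bool
    max_age: int = 0
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797: ';'-separated,
    case-insensitive directive names, max-age value may be quoted)."""
    if value is None:
        return HstsPolicy(present=False)
    policy = HstsPolicy(present=True)
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age" and raw.isdigit():
            policy.max_age = int(raw)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def downgrade_findings(headers: dict, host: str) -> list:
    """Return the reasons an http:// version of a link on `host` would
    still be requested in the clear by a browser that saw this response."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(value)
    if not policy.present:
        return [f"{host}: no Strict-Transport-Security header, so a "
                "stripped http:// link is requested in the clear"]
    findings = []
    if policy.max_age == 0:
        findings.append(f"{host}: max-age is 0 or missing, which disables HSTS")
    elif policy.max_age < SIX_MONTHS:
        findings.append(f"{host}: max-age={policy.max_age} expires too quickly")
    if not policy.include_subdomains:
        findings.append(f"{host}: includeSubDomains absent, sibling hosts unprotected")
    if not policy.preload:
        # HSTS is learned from an HTTPS response; until the host is preloaded,
        # the very first visit over a hostile network can still be downgraded.
        findings.append(f"{host}: not preloaded, first visit still downgradable")
    return findings


# Constructed samples: a CDN reply without HSTS, and a hardened reply.
CDN_WITHOUT_HSTS = {"Content-Type": "audio/mpeg", "Cache-Control": "private"}
CDN_WITH_HSTS = {
    "Content-Type": "audio/mpeg",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, headers in (("without", CDN_WITHOUT_HSTS), ("with", CDN_WITH_HSTS)):
        print(label, "HSTS:", downgrade_findings(headers, "cdn.example.test") or ["ok"])
```

Note that HSTS protects only returning visitors; the token-in-URL problem (the second cause above) needs a server-side check that the requester is the sender or the recipient.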
As an example, Mohamed sent an audio clip to one of his friends over Facebook Messenger, and here's the absolute link to the audio file extracted using the MITM attack, which anyone can download from Facebook's server, even you, without any authentication.
"GET requests are something that the browsers can remember it in its cache also in its history, Better to have this files played via POST requests with an anti-CSRF token implemented," Mohamed told The Hacker News.
Still Unpatched; No Bug Bounty!
Mohamed reported the issue to Facebook, and the company acknowledged it but hasn't patched it yet. Facebook did not offer any bug bounty to the researcher, as downgrade attacks do not fall under its bug bounty program.
Here's what the Facebook security team told Mohamed:
"We are in the process of rolling out HSTS across various facebook.com subdomains. The fact that we have not rolled it out on particular subdomains does not constitute a valid report under our program."
"In general, sending in reports that claim we should be using defense-in-depth mechanisms like HSTS will not qualify under our program. We make very deliberate decisions about when we roll out (or not) particular protections and so reports suggesting that we make changes there generally do not qualify."
You can watch the above proof-of-concept video demonstration, which shows this attack in action.
We have contacted Facebook security team for the comment and will update the story as soon as we hear from the company.
LinkedIn Lynda.com online learning platform started notifying users of data breach
19.12.2016 securityaffairs Social
Lynda.com is notifying customers of a data breach; according to the company, an unauthorized third party accessed a database containing user information.
Lynda.com is an online learning platform that was acquired last year by LinkedIn.
The company started notifying its customers over the weekend; hackers accessed learning data, including attempted courses and contact data. At the time of writing there was no evidence of password exposure, and the company has notified law enforcement. LinkedIn, which owns the company, confirmed the incident and revealed that the passwords of 55,000 users have been reset as a precaution; the overall number of impacted users could reach 9.5 million.
“You may have received an email notification from Lynda.com explaining that we recently became aware that an unauthorized third party accessed a database that included some Lynda.com learning data, such as contact information and courses viewed. We are informing users out of an abundance of caution.” reads the official statement from the company.
“We have no evidence that any data has been made publicly available.”
In response to the data breach LinkedIn announced further measures to protect Lynda.com user accounts.
This isn’t the first time LinkedIn has suffered a data breach: in 2012 the company was hacked and data belonging to 117 million users was stolen by hackers. It was initially believed that the incident only affected 6.5 million accounts.
In October, the Czech police, working with the FBI, arrested a Russian man at a hotel in Prague who is suspected of being involved in the 2012 LinkedIn hack.
The cascading effects of the 2012 LinkedIn breach are still being felt throughout the business world. In June, CERT-Bund, Germany’s Computer Emergency Response Team for federal agencies, released a warning that corporate executives may be being targeted with malicious emails using information likely gained by hackers as a result of the 2012 breach.
CERT-Bund released a screenshot, via its Twitter feed, of an email containing a fake invoice targeting a business executive at an undisclosed organization.
In November, researchers from Heimdal Security reported a recent LinkedIn phishing campaign aiming to collect confidential information from unsuspecting users.
Ourmine hacked the Netflix’s US Twitter account
22.12.2016 securityaffairs Social
The OurMine crew has hacked the Netflix US Twitter account (@Netflix) to post messages promoting its website and hacking services.
On Wednesday, hackers belonging to the OurMine group hijacked the Netflix’s US Twitter account (@Netflix).
OurMine took over the Twitter account to promote its website. The incident is very serious, considering that the Netflix US Twitter account has 2.5 million followers. An attacker could abuse such an account takeover to deliver malicious links and infect a huge number of followers.
OurMine is a very popular hacker group; it has hijacked multiple high-profile Twitter accounts in the past. The list of victims is very long and includes Mark Zuckerberg, Twitter co-founder Evan Williams, David Guetta, Daniel Ek, former Twitter CEO Dick Costolo, the CEO and founder of Spotify, Google CEO Sundar Pichai, and many others.
What is the motivation?
It seems that the OurMine group is linked to a security firm that is trying to gain notoriety from the attacks and is offering its services to the targets, which evidently need them to avoid further incidents.
One of the messages posted by the group states:
“We are just testing people security (sic), we never change their passwords, we did it because there is other hackers can hack them and change everything.”
Back to the hack of the Netflix US Twitter account: the OurMine crew posted the following message to the hacked account:
“Don’t worry we are just testing your security,” states the post.
I strongly invite you to enable two-factor authentication for any platform that supports it.
At the time I was writing this post, @Netflix was restored to normality.
I’m trying to get in contact with the Ourmine crew for an interview … stay tuned!
Fraudsters are stealing money from several Groupon users
22.12.2016 securityaffairs Social
Many Groupon customers reported massive theft after crooks have placed orders in their name by using victims’ credentials likely retrieved elsewhere.
Fraudsters are targeting Groupon users, stealing thousands of pounds from their bank accounts. Many customers reported massive theft after crooks placed orders in their name using the victims’ credentials, likely retrieved elsewhere.
Hackers take over Groupon users’ accounts and place expensive orders; in one case the theft exceeded £2,420.
Cyber criminals targeted customers of the online voucher service, paying for holidays, gaming consoles (i.e. PlayStation 4) and iPhones with the hacked accounts. Below are some of the messages posted on Twitter by the victims:
Source The Telegraph
Of course, Groupon users are blaming the company for failing to detect the fraudulent activities; in many cases customers that reported the suspicious transactions did not receive a response for several days.
Groupon clarified that its own systems had not been hacked; it confirmed that the fraudulent transactions were carried out with account credentials stolen elsewhere, for example in one of the numerous massive data breaches that occurred recently.
“What we are seeing is a very small number of customers who have had their account taken over by fraudsters,” said a spokesman for the company cited by the Telegraph. “As with any major online retailer, we take fraud extremely seriously and have a dedicated team to investigate customer issues as soon as they are reported.
“If someone believes they’ve been a victim of a fraudulent attack, we investigate it and if confirmed – block the account immediately and refund the customer’s money back to them.”
As usual, let me suggest using strong passwords and never sharing them among multiple web services. When a service provides a two-factor authentication mechanism, you have to enable it.
Beware of New Celebrity Sex Tape (Scam) Leaked on Facebook!
12.12.2016 thehackernews Social
If you came across a celebrity sex video on Facebook featuring Jessica Alba or any other celebrity, just avoid clicking it.
Another Facebook scam is circulating across the social networking website that attempts to trick Facebook users into clicking on a link for a celebrity sex tape that instead downloads malware onto their computers.
Once installed, the malware would force web browsers to display aggressive advertising web pages which include sites with nudity and fake lotteries.
The spam campaign was uncovered by researchers at Cyren, who noted that a malicious Google Chrome extension is spreading nude celebrity PDFs through private messages and posts on various Facebook groups.
If opened, the PDF file takes victims to a web page with an image containing a play button, tricking users that the PDF may contain a video.
Once clicked, the link redirects users of Internet Explorer, Firefox, or Safari to a web page with overly-aggressive popups and advertisements related to nudity and fake lottery.
But on the other hand, this celebrity sex tape scam makes the matter worse for Google Chrome users.
Once the scam link is clicked, Chrome desktop users are redirected to a fake YouTube page that brings up a pop-up window inviting victims to install a Google Chrome extension to view the videos.
Once victims install the malicious extension, the browser directs them to the Facebook.com login page and prompts them to re-authenticate, allowing attackers to collect the users' Facebook credentials and then use their accounts to spread the malicious campaign further.
When analyzing the Chrome extension's source code, the Cyren team discovered that the extension comes with support for monitoring and intercepting web traffic in real time, to determine what users can access through their browsers.
The malicious Chrome extension contains a long list of Antivirus and AntiSpam domains that it blocks and prevents the user from opening.
Besides this, the malicious Chrome extension also prevents victims from accessing the Chrome Extensions settings page, so that victims can not disable the malicious add-on.
"It also blocks the chrome extensions and chrome devtools tabs from being opened, preventing the user from uninstalling the malicious Chrome extension," the researchers say.
The PDF uploaded to Facebook is generated by selecting the name of a celebrity randomly from the script file and combining the selected name with random characters.
The name of celebrities includes Selena Gomez, Jessica Alba, Jennifer Lawrence, Hilary Duff, Paris Hilton, Rihanna, Kim Kardashian, Scarlett Johansson, Kelly Brook, Doutzen Kroes, Elodie Varlet and Nicki Minaj.
According to Cyren researchers, the cyber criminals behind this malicious spam campaign managed to upload their extension to the Chrome Web Store, though the extension has since been removed by Google's security team.
How to remove the Malicious Chrome Extension?
To remove this malicious extension, infected users first have to delete the Registry key from the Registry Editor.
To do this, Go to Start Button → Type "regedit" in the Search/Run option, which will open the Windows Registry Editor.
Now, use the side menu in the new window to find the folder below, right-click it and select "Remove."
This is the path in the Registry Editor:
HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extension
Now the second step is to remove the extension from the browser. Since the malicious Chrome extension prevents victims from accessing the native Chrome Extensions settings page, one must remove the extension by deleting the following folder from one's PC.
C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions
This action will remove all Chrome extensions from your computer. You have no option other than deleting the folder completely to get rid of the malicious threat, as you can not access the Chrome Extensions settings page to get the ID of the malicious extension.
Last but not least, no celebrity has recently had a sex tape leaked (at least not one that's available online). So if you come across any link claiming to show a leaked sex tape of Jessica Alba, Jennifer Lawrence or anyone else, remember just to report it.
Russia is going to ban LinkedIn after court ruling. What’s next?
18.11.2016 securityaffairs Social
Russia is going to ban Linkedin after a court ruling that found the professional social network to be in violation of the country’s data protection laws.
On Thursday, a Moscow court confirmed the decision to ban the professional social network LinkedIn in Russia. LinkedIn is violating the country’s data protection laws, which since September 2015 have required foreign and Russian companies to store the personal data of Russian users within the country’s borders.
This summer a court ruled in favor of Roskomnadzor, the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications, finding that LinkedIn didn’t comply with Russian law.
LinkedIn is not storing information about Russians on servers inside the country, and it is processing information about third parties who aren’t registered on the site and haven’t signed the company’s user agreement.
The Russian Personal Data Law has been in force since September 1st, 2015; it requires foreign tech companies to store the personal data of Russian citizens within the country. The law was designed to protect Russian citizens from the surveillance activities of foreign agencies such as the NSA.
“On Aug. 4, Moscow’s Tagansky Court approved a request from Russia’s communications watchdog Roskomnadzor to add LinkedIn to a list of Internet sites that violated Russia’s personal data laws. ” reported the Moscow Times
“On Sept. 1 2015, amendments to the law “On Personal Data,” which requires the localization of personal data on the territory of Russia, came into effect. Any Russian or foreign company working with Russian users must ensure recording, systematization, accumulation, storage and clarification of personal data of Russians using databases on Russian territory.”
LinkedIn is just the first firm that could be targeted by the Roskomnadzor which is now threatening other tech giants, including WhatsApp, Facebook, and Twitter.
“The Russian court’s decision has the potential to deny access to LinkedIn for the millions of members we have in Russia and the companies that use LinkedIn to grow their businesses. We remain interested in a meeting with Roskomnadzor to discuss their data localization request.” reads a statement from LinkedIn.
Some companies like Google and Apple have already moved some of their infrastructures to Russia this year, differently from Microsoft, Facebook and Twitter that decided not to comply with the Russian law.
The ban could take effect today, with Russian internet service providers blocking access to LinkedIn. LinkedIn could still appeal the court’s decision to avoid being blocked across the country.
Russia isn’t the only country adopting such a law; Germany passed similar legislation that forces tech companies to store German users’ data on servers located in the country.
“A number of American tech companies are investing billions of dollars combined to build data centers across Europe to comply with such rules.” reported the NYT.
In Brazil, a judge also blocked WhatsApp, the internet messaging service, after the company, which is owned by Facebook, refused to hand over data to help in a criminal investigation.
In May, a Brazilian judge ordered access to the WhatsApp messaging service blocked for 72 hours; it was the second time in five months.
Brazilian authorities ordered ISPs to block WhatsApp in a dispute over access to encrypted data. The order to block the messaging service for 72 hours was issued by a judge from the Brazilian state of Sergipe, and the ISPs were obliged to comply with the order to avoid facing fines.
According to the Brazilian newspaper Folha de S.Paulo the ban impacted more than 100 million Brazilian users.
A Facebook glitch declared all its users are dead, including Zuckerberg
18.11.2016 securityaffairs Social
Facebook users who logged on to their accounts discovered that their accounts turned to a “memorialized account,” due to their alleged death.
As funny as it is disturbing, technology can also do this, and this time it happened to Facebook: last night the tech giant declared everyone dead due to a glitch.
The memorial feature was introduced by Facebook in 2015 to allow families to access their loved ones’ social accounts after their death.
This glitch was first discovered by employees at Business Insider.
“A Facebook bug is displaying people as having died when visiting their profile page.” reads the post published by the Business Insider.
“Multiple Business Insider employees reported seeing the message at the top of their Facebook profiles on Friday, and the bug appears to also be affecting Facebook CEO Mark Zuckerberg.”
On Friday afternoon, users who logged on to their accounts discovered that their accounts turned to a “memorialized account,” due to their alleged death.
Of course, the platform also considered the CEO Mark Zuckerberg dead.
“We hope people who love Mark will find comfort in the things others share to remember and celebrate his life.” reads a statement on the Mark Zuckerberg’s profile.
Now imagine the impact on the visitors of the FB pages of their friends or popular individuals.
The colleagues at THN reached out to the company for an explanation:
“For a brief period today, a message meant for memorialized profiles was mistakenly posted to other accounts. This was a terrible error that we have now fixed. We are very sorry that this happened and we worked as quickly as possible to fix it.” a Facebook spokesperson told THN.
But Facebook is magic, and it gave us new life once it had solved the problem.
We resurrected!
Let’s remember that users can opt to have their account completely deleted after their death or turned into a memorial page. The page allows friends and families to leave messages and share memories on the profile.
Facebook Buys Leaked Passwords From Black Market, But Do You Know Why?
11.11.2016 thehackernews Social
Facebook is reportedly buying stolen passwords that hackers are selling on the underground black market in an effort to keep its users' accounts safe.
On the one hand, we just came to know that Yahoo did not inform its users of the recently disclosed major 2014 hacking incident that exposed half a billion user accounts, even after being aware of the hack in 2014.
On the other hand, Facebook takes every single measure to protect its users' security, even though the company has so far managed to avoid the kind of security scandal, data breach or hack that has recently affected top-notch companies.
Speaking at the Web Summit 2016 technology conference in Portugal, Facebook CSO Alex Stamos said that over 1.3 billion people use Facebook every day; keeping them secure means building attack-proof software to keep out hackers, but keeping them safe is actually a much larger task.
Stamos said there is a difference between 'security' and 'safety,' as he believes that his team can "build perfectly secure software and yet people can still get hurt."
Stamos was formerly Chief Information Security Officer at Yahoo, and left the company in 2015 after discovering that its Chief Executive Marissa Mayer had authorized the government surveillance program.
Stamos joined Facebook in summer 2015 and now leads the security team at the social network. He said that the biggest headache he deals with there is caused by the passwords users choose to secure their accounts.
"The reuse of passwords is the No. 1 cause of harm on the internet," said the security chief.
According to him, the username and password system that was initially introduced in the 1970s will not help us now in 2016.
As CNET reports, when passwords are stolen en masse and traded on the black market, it becomes apparent just how many users are choosing the weakest passwords, such as 12345 and password, to secure their online accounts, automatically making their accounts more vulnerable to being hacked.
And this issue is something the social network giant is keen to help its users avoid.
In an attempt to check that its users are not making use of these commonly used passwords for their Facebook accounts, Stamos disclosed that the company buys passwords from the black market and then cross-references them with encrypted passwords used on its site.
Stamos said that the social network then alerts tens of millions of users that their passwords needed changing as they were not strong enough to protect their accounts.
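The cross-referencing step described above is easy to get wrong: a site that stores passwords properly (salted and iterated) cannot compare a bought plaintext list against its database by hashing each leaked password once, because every user has a different salt. The following is an added example, not Facebook's code and not from the article, showing one defensible way to do it: match leaked records to accounts by e-mail address and re-hash the leaked plaintext under that one user's salt, so the work stays linear in the number of users. The dump, the accounts and the PBKDF2 parameters are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample "black market" dump in email:password form. Every address
# and password here is made up for the example.
LEAKED_DUMP = """\
alice@example.com:Summer2016!
bob@example.com:password
carol@example.com:correct horse battery staple
dave@example.com:12345
"""

# Assumed storage parameters (not Facebook's): salted PBKDF2-HMAC-SHA256.
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash as a site should store it (never the plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str) -> dict:
    """Create an account record with a fresh random per-user salt."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user table: bob and dave still use the leaked password,
# alice changed hers, carol never reused it, erin is not in the dump at all.
USERS = [
    make_user("alice@example.com", "Autumn2016!"),
    make_user("bob@example.com", "password"),
    make_user("carol@example.com", "another-unrelated-passphrase"),
    make_user("dave@example.com", "12345"),
    make_user("erin@example.com", "x1!pq9"),
]


def parse_dump(text: str) -> dict:
    """Turn 'email:password' lines into a lookup keyed by lower-cased e-mail."""
    creds = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip malformed lines rather than failing the whole run
        email, _, password = line.partition(":")
        creds[email.strip().lower()] = password
    return creds


def users_with_leaked_passwords(users: list, dump_text: str) -> list:
    """Return the e-mails of accounts whose current password appears in the dump.

    Each leaked plaintext is re-hashed only under the salt of the account it was
    leaked for, so the cost is one PBKDF2 call per matched user, not
    users x leaked passwords. compare_digest avoids a timing side channel.
    """
    leaked = parse_dump(dump_text)
    flagged = []
    for user in users:
        candidate = leaked.get(user["email"].lower())
        if candidate is None:
            continue
        if hmac.compare_digest(hash_password(candidate, user["salt"]), user["hash"]):
            flagged.append(user["email"])
    return flagged


if __name__ == "__main__":
    for email in users_with_leaked_passwords(USERS, LEAKED_DUMP):
        print(f"{email}: password found in leaked dump, force a reset")
```

The accounts returned are the ones to notify or force through a reset; the plaintext list itself should be discarded after the check, since keeping it creates exactly the kind of artifact the exercise is meant to defend against.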
Facebook provides you a whole bunch of tools to tighten up the security of your account, including traditional two-factor authentication, identifying faces of friends, as well as machine learning algorithms to determine and inform whether activity on your account is fraudulent.
Users are always advised to enable two-factor authentication, which is an effective measure to keep a tight hold on your account even after hackers have your credentials.
Another new measure tackles the issue of account recovery. Even if hackers find their way into your email account, which would normally let them seize your Facebook account easily by resetting your password, the social network allows you to let your close friends verify an account recovery request on your behalf.
Facebook agrees to Stop using UK Users' WhatsApp Data for Targeted Ads
8.11.2016 thehackernews Social
In August, Facebook introduced a hugely controversial data sharing plan to start harvesting data from its WhatsApp messaging app from September 25 for delivering more relevant ads on the social network.
Many users were not happy with the move, because there was no real way of opting out from the data sharing – WhatsApp users could only do so within a short period – and even if users did opt out then, some data would still be shared.
Eventually, some countries like Britain stood up and opposed the decision.
The Information Commissioner's Office (ICO) of the United Kingdom has asked Facebook and WhatsApp to better explain the changes to their customers in the U.K. If they don't, the ICO could hand out a heavy fine.
What's the good news?
In response, the social media giant has agreed to "pause" sharing of data, including their phone numbers, between WhatsApp and Facebook in Britain to target advertisements on its core social network.
"We have now asked Facebook and WhatsApp to sign an undertaking committing to better explaining to customers how their data will be used, and to giving users ongoing control over that information," Elizabeth Denham, the Information Commissioner, wrote in a blog post.
"I don't think users have been given enough information about what Facebook plans to do with their information, and I don't think WhatsApp has got valid consent from users to share the information."
When Facebook announced this deal in late August, Denham said she would investigate the changes under Britain's data protection laws, and she has now issued an update revealing that the social networking giant has agreed to hold off sharing data from UK users.
Denham said that users have the right to control their data, and that she now wants Facebook and WhatsApp to let users restrict access to their information beyond the existing 30-day period and to let them completely opt out of the agreement at any time.
When Facebook acquired WhatsApp for $19 Billion in 2014, users were worried about the company's commitment to protecting its users' privacy. But, WhatsApp reassured them that their privacy would not be compromised in any way.
But after the deal, the WhatsApp users felt betrayed by the company.
After introducing end-to-end encryption, WhatsApp has become one of the most popular secure messaging apps, but this shift in its privacy policy may force some users to switch to other secure apps like Telegram and Signal.
Neither Facebook nor WhatsApp has yet responded to the Information Commissioner's announcement.
Watch out! A new LinkedIn Phishing campaign is spreading in the wild
6.11.2016 securityaffairs Social
Experts from Heimdal Security reported a recent LinkedIn phishing campaign aiming to collect confidential information from unsuspecting users.
Phishing attacks continue to be a serious threat; crooks exploit paradigms such as social media platforms and mobile in an attempt to steal sensitive data. According to the 2015 Verizon Data Breach Investigation Report, 23% of email recipients open phishing messages and 11% click on malicious attachments, and this is just the tip of the iceberg.
Experts at Heimdal Security reported a recent LinkedIn scam aiming to collect confidential information from unsuspecting users.
The attack vector is an email like this:
Wait, LinkedIn is requesting files from me? LinkedIn is requesting to send documents via email to confirm my identity?
Unfortunately, many users fall victim to this absurd invitation.
The email asks for a payment receipt, so premium LinkedIn users could fall for the trick and send their payment information.
A close look at the sender's email address,
postmaster [@] fnotify.com
makes it easy to notice that the message doesn't come from the professional social media platform.
The domain used by phishers http : [//]fnotify.com/ is an empty WordPress website, likely a compromised website used for the campaign.
The message also requests victims to upload the document to a Dropbox folder, which is alarming: no legitimate service will ask you to upload your ID document to a cloud storage platform.
“The Dropbox link is clean when scanned through VirusTotal, which shows that this recent campaign has not yet been picked up by antivirus solutions.” states the analysis published by Heimdal Security.
Another element that should raise suspicion is the time limit referred to in the email, a classic social engineering approach used to trick victims into following the instructions provided in the message.
Now let’s analyze the link in the top right corner of the message, it leads to a password reset page, secured with HTTPS.
“The link is placed on the recipient’s name and leads to a password reset page, secured by HTTPS. Strangely enough, this is actually a safe page, which could prompt the email recipients to believe that the rest of the email is valid and legitimate as well.” continues the analysis.
Going further, the experts noticed many other strange details; I invite you to take a look at the analysis. Awareness of this kind of scam is important to make it ineffective.
To report phishing messages you’ve received, please email phishing@linkedin.com.
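The indicators Heimdal's analysis walks through (a brand name in the display name but an unrelated sender domain, a request to upload documents to a file-sharing service, a time limit, and a genuine-looking link mixed in) can be turned into a simple triage check. The following is an added example written for this article, not Heimdal's or LinkedIn's tooling; the two e-mails it parses are constructed for the example, and the brand and file-sharing domain lists are assumptions a real deployment would tune.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above: brand name in the
# display name, off-brand sender domain, an upload request and a deadline.
# The Dropbox path is a placeholder, not a real request link.
PHISH_EMAIL = """\
From: LinkedIn <postmaster@fnotify.com>
To: victim@example.com
Subject: Action required: confirm your identity
Content-Type: text/html

<html><body>
<p>Dear <a href="https://www.linkedin.com/example-reset-page">Jane Doe</a>,</p>
<p>To keep your account active you must send a copy of your ID and your last
payment receipt within 24 hours. Upload the documents here:
<a href="https://www.dropbox.com/request/PLACEHOLDER">Upload documents</a></p>
</body></html>
"""

# Constructed benign notification for contrast.
BENIGN_EMAIL = """\
From: LinkedIn <messages-noreply@linkedin.com>
To: victim@example.com
Subject: Jane accepted your invitation
Content-Type: text/html

<html><body><p>Jane Doe accepted your invitation to connect.
<a href="https://www.linkedin.com/messaging/">Send a message</a></p></body></html>
"""

# Assumed lists; a real deployment would maintain these per brand.
BRAND_DOMAINS = {"linkedin.com"}
FILE_SHARING_DOMAINS = {"dropbox.com", "wetransfer.com"}

TIME_PRESSURE = re.compile(r"within \d+ (hours?|days?)|immediately|suspend", re.I)
DOCUMENT_REQUEST = re.compile(
    r"copy of your (id|passport)|payment receipt|identity document", re.I)


def registrable(host: str) -> str:
    """Crude registrable-domain reduction (last two labels); enough for this sample."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw_message: str, brand: str = "LinkedIn") -> dict:
    """Return the indicators found in one message and a coarse verdict."""
    msg = email.message_from_string(raw_message)
    findings = []

    # 1. Display name claims the brand, but the address domain is not the brand's.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    if brand.lower() in display_name.lower() and registrable(sender_domain) not in BRAND_DOMAINS:
        findings.append(f"sender-domain-mismatch:{sender_domain}")

    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")

    # 2. Links: a safe brand link does not make the message safe; any link to a
    #    file-sharing service or an unrelated domain is flagged on its own.
    for href in re.findall(r'href="([^"]+)"', body, flags=re.I):
        host = urlparse(href).hostname or ""
        if registrable(host) in FILE_SHARING_DOMAINS:
            findings.append(f"upload-to-file-sharing:{host}")
        elif registrable(host) not in BRAND_DOMAINS:
            findings.append(f"off-brand-link:{host}")

    # 3. Social-engineering cues in the visible text.
    text = re.sub(r"<[^>]+>", " ", body)
    if TIME_PRESSURE.search(text):
        findings.append("time-pressure")
    if DOCUMENT_REQUEST.search(text):
        findings.append("requests-identity-or-payment-documents")

    verdict = "clean" if not findings else "review" if len(findings) == 1 else "phishing-likely"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, triage(raw))
```

The point of scoring on several independent indicators is exactly the one the analysis makes: the legitimate HTTPS password-reset link would pass a link-only filter, while the sender domain, the upload request and the deadline each fail on their own.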
LinkedIn to get Banned in Russia for not Complying with Data Localization Law
27.10.2016 thehackernews Social
The world's largest online professional network LinkedIn could face a ban in Russia after the company has failed to comply with a Russian data localization law that compels companies to keep data on Russian users in their country.
If you are not aware, LinkedIn is the only major social network which is not banned in China, because the company agreed to cooperate with the Chinese government and remove controversial content.
However, LinkedIn could be the first social network in Russia to be blocked by the Russian state's federal media regulator, called Roskomnadzor, for not complying with the rules.
In July 2014, Russia approved amendments to the Russian Personal Data Law, which came into force on 1 September 2015, under which foreign tech companies are required to store the personal data of Russian citizens within the country.
However, Russia was not the first country to enforce such a law on foreign tech companies. A few months ago, Iran also imposed new regulations on all foreign messaging and social media apps to move 'data and activity' associated with Iranian citizens onto servers in Iran within one year.
The law was an attempt to protect Russian citizens' data from the NSA's mass surveillance revealed by whistleblower Edward Snowden.
Big technology companies, such as Google, Apple, and Viber, have reportedly already moved some of their servers to Russia this year.
However, companies like Facebook, Microsoft and Twitter have declined to comply with the law. Now the Russian Internet watchdog Roskomnadzor has targeted LinkedIn in its first attempt to pressure foreign companies into complying with its new privacy law.
Roskomnadzor has chosen LinkedIn as its first target due to the company's history of security problems. The massive 2012 hack of LinkedIn exposed over 117 Million passwords and usernames.
"They have a bad track record: Every year there’s a major scandal about the safety of user data," Roskomnadzor spokesman Vadim Ampelonskiy told the Moscow Times.
Roskomnadzor said that not only did LinkedIn refuse to move its servers to Russia, but the company also collects and sends data about Russian citizens who are not even users of the social network, without their consent.
"We are seeking a court order to block LinkedIn. We twice sent requests in the summer, but they did not provide answers to our questions," Ampelonskiy told the TASS news agency.
Moscow’s Tagansky District Court has also ruled in favor of Roskomnadzor, though LinkedIn has appealed to a higher court to have the ban lifted. The Moscow City Court will announce its decision on November 10.
The watchdog says it will lift the ban if the social networking company provides information that it has complied with the law and moved its servers holding data about Russians to their country.
Roskomnadzor – also known as the Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications – is Russia's telecoms watchdog that runs a huge blacklist of websites banned in Russia.
‘Adult’ video for Facebook users
17.10.2016 Kaspersky Social
In April of this year, we registered some mass attacks on Facebook users in Russia. As a result, many Russian-speaking users of the social network fell victim to fraudsters. Half a year later the fraudsters have used the same tactics to attack Facebook users in Europe.
The attackers use a compromised Facebook account to post a link to an adult video that is supposedly on the popular YouTube service. In order to attract potential victims, “likes” are added from the account holder’s list of friends. The fraudsters rely on the curiosity of the account holder and their friends, and on those who would like to watch an “18+” video.
Clicking on the link opens a page made to look like YouTube.
However, a quick look at the address bar is enough to see that the page has nothing to do with YouTube. During the latest attack the fraudsters distributed a “video” located on the xic.graphics domain. The domain is not currently available, but we discovered more than 140 domains with the same registration data that can be used for similar purposes.
After trying to start the video, a pop-up banner appears prompting the user to install a browser extension. In this particular example, it was called ‘Profesjonalny Asystent’ (Professional assistant), but we also came across other names.
The “View details” message explains that if the extension is not installed, the video cannot be viewed.
The attackers are banking on an intrigued victim not being interested in the details and just installing the extension. As a result, the extension gains rights to read all the data in the browser, which the fraudsters can later use to get all the passwords, logins, credit card details and other confidential user information that is entered. The extension can also continue spreading links to itself on Facebook, but now in your name and among your friends.
We strongly recommend not clicking such links and not installing suspicious browser extensions. It’s also worth checking if any suspicious extensions have already been installed. If any are discovered, they should be immediately removed via the browser settings, and the passwords for sites that are visited most often, especially online banking, should be changed.
Facebook, Twitter and Instagram Share Data with Location-based Social Media Surveillance Startup
12.10.2016 thehackernews Social
Facebook, Instagram, Twitter, VK, Google's Picasa and YouTube were handing over user data access to a Chicago-based Startup — the developer of a social media monitoring tool — which then sold this data to law enforcement agencies for surveillance purposes, the ACLU disclosed Tuesday.
Government records obtained by the American Civil Liberties Union (ACLU) revealed that the big technology corporations gave "special access" to Geofeedia.
Geofeedia is a controversial social media monitoring tool that pulls social media feeds via APIs and other means of access and then makes it searchable and accessible to its clients, who can search by location or keyword to quickly find recently posted and publicly available contents.
The company has marketed its services to 500 law enforcement and public safety agencies as a tool to track racial protests in Ferguson, Missouri, involving the 2014 police shooting death of Mike Brown.
With the help of a public records request, the civil rights group found that Geofeedia had entered into agreements with Twitter, Facebook, and Instagram for their users' data, gaining developer-level access to all three social networks that allowed it to review streams of user content in ways that ordinary members of the public cannot.
The Denver Police Department recently signed a $30,000 annual deal with Geofeedia.
Here's what the major tech giants offered Geofeedia:
Facebook allowed the company to use its "Topic Feed API" that let Geofeedia obtain a "ranked feed of public posts" centered around specific hashtags, places or events.
Instagram provided Geofeedia access to its API (Application Programming Interface) that is a feed of data from users' public Instagram posts, including their location.
Twitter provided Geofeedia with "searchable access" to its database of public tweets. However, Twitter added additional contract terms in February to try to safeguard further against surveillance, and when it found Geofeedia still touting its product as a tool to monitor protests, Twitter sent Geofeedia a cease and desist letter.
Facebook, Instagram, and Twitter have all moved to restrict access to Geofeedia after learning about the tool's activities when presented with the study's findings.
The ACLU is concerned that Geofeedia can "disproportionately impact communities of color" by monitoring activists and their neighborhoods.
Nicole Ozer, technology and civil liberties policy director for the ACLU of California, said: "These special data deals were allowing the police to sneak in through a side door and use these powerful platforms to track protesters."
However, in response to the ACLU report, Geofeedia posted Tuesday an article justifying its commitment to Freedom of Speech and Civil Liberties, releasing the following statement:
"Geofeedia has in place clear policies and guidelines to prevent the inappropriate use of our software; these include protections related to free speech and ensuring that end-users do not seek to inappropriately identify individuals based on race, ethnicity, religious, sexual orientation or political beliefs, among other factors."
Facebook said in a statement that Geofeedia only had access to publicly available data, while Twitter said it was suspending access shortly.
The ACLU is encouraging social media companies to adopt clear, public, and transparent policies prohibiting developers from exploiting user data for surveillance purposes.
How to Start Secret Conversations on Facebook Messenger
7.10.2016 thehackernews Social
If you are looking for ways to start a secret conversation on Facebook Messenger with your friends, then you are at the right place.
In this article, I am going to tell you about Facebook Messenger's new end-to-end encrypted chat feature, dubbed "Secret Conversations," but first: why do you need your chats to be end-to-end encrypted?
Your online privacy is under threat not only from online marketers and hackers but also from governments. Just yesterday, it was revealed that Yahoo secretly built a hacking tool to scan all of its customers' incoming emails for US intelligence officials.
So, to hide your personal life online from prying eyes, you need end-to-end encryption, which allows you to send and receive messages in a way that no one, not the feds with a warrant, not hackers, and not even the company itself, can intercept or read them.
Last year, WhatsApp became the largest end-to-end encrypted messaging network in history by rolling out another layer of security to its billion users, and now Facebook has finally rolled out its end-to-end encrypted Secret Conversations feature for the 900 million users of Facebook Messenger.
Unlike WhatsApp, though, Facebook Messenger offers its end-to-end encrypted chat feature as opt-in, just like Google's Allo smart chat application, which provides encrypted chat only if users opt for it.
Here's How to get Started with Secret Conversations:
Open Facebook Messenger on your Android or iOS device.
Open your existing conversation.
Tap the information icon in the upper right corner of your phone.
Select 'Secret Conversation'.
That's it. You're done!
Now, all your chats with the selected friend will be end-to-end encrypted, so that nobody can read or intercept them.
This end-to-end encrypted Secret Conversations feature also includes self-destructing messages that are automatically deleted once the timer you set expires.
Messenger's Secret Conversations feature is based on the Signal protocol — the same encryption protocol developed by Open Whisper Systems and used by Google's Allo and Facebook-owned WhatsApp.
One thing to note is that you will not be able to send animated GIFs, share videos, or make money transfers in secret conversations, as these features are not supported.
Facebook rolled out Secret Conversations a few months back in July, but yesterday made it available for all of its Messenger users.
Signal App — Security Beyond End-to-end Encryption
However, end-to-end encryption doesn't mean that your tracks are completely clear from spying agencies. It's because Facebook still records and stores metadata on your calls and messages that could reveal some of your personal information including dates and durations of communication, and the participants' phone numbers.
On demand from law enforcement, this data is handed over to the government whenever needed.
Apple's iMessage app is the most recent example, where it was revealed that the company stores a lot of information about its end-to-end encrypted iMessage traffic, which could reveal your contacts and location, and even shares this data with law enforcement via court orders.
So, if you are more privacy conscious, I recommend the open source Signal app, which is widely considered the most secure of all end-to-end encrypted messaging apps because it stores the minimum of information about its users.
When Open Whisper Systems, who created Signal, received a subpoena earlier this year for details on two of its users, it was able to provide just the dates and times of accounts creation and when they last connected to Signal's servers.
CatchApp system can spy on WhatsApp encrypted communications from a backpack
30.9.2016 securityaffairs Social
The Israeli surveillance firm Wintego is offering for sale the system called CatchApp that is able to hack WhatsApp encrypted communications.
The Israeli surveillance firm Wintego is offering for sale a system that is able to hack WhatsApp encrypted communications from mobile devices within close proximity of a hidden Wi-Fi hacking device in a backpack.
The news has been reported by Forbes that obtained and published brochures of the system called CatchApp. According to the firm, CatchApp is able to intercept the WhatsApp traffic between the app and the WhatsApp server.
“Brochures leaked to FORBES, and published below, revealed a non-public offering from Haifa-based Wintego called CatchApp. It promises an “unprecedented capability” to break through WhatsApp encryption and grab everything from a target’s account.” reported Forbes.
“In theory the traffic is intercepted between the app and the WhatsApp server and somehow the encryption is decoded by the device, though that may not be possible with the latest upgrades to the software’s cryptography.” continues Forbes.
The Wintego brochure is dated no earlier than April 2015; the anonymous source who provided the documents to FORBES confirmed that the product works on the most current versions of WhatsApp.
The CatchApp feature can be delivered from Wintego’s WINT Cyber Data Extractor that fits into a backpack.
In reality, the WINT hacking device is a complete surveillance system that could allow attackers to extract the entire contents of the targets’ mobile device, including email accounts, chat sessions, social network profiles, detailed contact lists, calendars, photos, web browsing activity, files, and much more.
The WINT Cyber Data Extractor is able to overcome “the encryption and security measures of many web accounts and apps” to grab those credentials.
WINT gains access to a device by intercepting Wi-Fi communications, even when the device is attached to a private encrypted network. It is able to track multiple devices by using four separate Wi-Fi access points.
Security experts have some doubts about the real capabilities of CatchApp; they consider it impossible to break the end-to-end encryption implemented by the popular messaging system.
The popular expert Jonathan Zdziarski believes the CatchApp tech is exploiting security vulnerabilities in the Secure Sockets Layer (SSL) encryption.
“I suspect they’re taking advantage of a number of vulnerabilities in SSL implementations… many systems are susceptible to downgrade attacks and other types of MITMs.”
The popular cryptography expert Matthew Green hypothesized that CatchApp is malware that uses WiFi connections as the attack vector in order to target WhatsApp; in any case, it cannot break WhatsApp's cryptography.
“They would have to defeat both the encryption to and from the server and the end-to-end Signal encryption. That does not seem feasible at all, even with a Wi-Fi access point.” Matthew Green told FORBES.
“I would bet mundanely the password stuff is just plain phishing. You go to some site, it asks for your Google account, you type it in without looking closely at the address bar.”
“But the WhatsApp stuff manifestly should not be vulnerable like that. Interesting.”
Wintego is only one of the numerous highly-secretive surveillance firms that sell solutions that could be used to spy on victims, but that in the wrong hands could represent a serious threat for netizens.
Germany Bans Facebook From Collecting WhatsApp Data
27.9.2016 thehackernews Social
Just last month, the most popular messaging app WhatsApp updated its privacy policy and T&Cs to start sharing its user data with its parent company, and now both the companies are in trouble, at least in Germany and India.
Both Facebook, as well as WhatsApp, have been told to immediately stop collecting and storing data on roughly 35 Million WhatsApp users in Germany.
The Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar even ordered Facebook on Tuesday to delete all data that has already been forwarded to WhatsApp since August.
Also in India, the Delhi High Court on September 23 ordered WhatsApp to delete all users’ data from its servers up until September 25 when the company’s new privacy policy came into effect.
When Facebook first acquired WhatsApp for $19 billion in cash in 2014, WhatsApp made a promise that its users’ data would not be shared between both companies.
But now apparently this has changed, which, according to Caspar, is not only "misleading" for their users and public, but also "constitutes an infringement of national data protection law" in Germany.
"Such an exchange is only admissible if both companies, the one that provides the data (WhatsApp) as well as the receiving company (Facebook) have established a legal basis for doing so." the press release [PDF] from the Commission reads.
"Facebook, however, neither has obtained an effective approval from the WhatsApp users nor does a legal basis for the data reception exist."
Apparently, the new measure was taken by the companies in favor of more targeted advertising on the largest social network and to fight spam.
In response to the privacy watchdog’s decision, Facebook released a statement that it complied with EU data protection law, saying: "We are open to working with the Hamburg DPA in an effort to address their questions and resolve any concerns."
According to the watchdog, since Facebook and WhatsApp are independent companies, they should process their users' data based on their own terms and conditions as well as data privacy policies.
However, WhatsApp users need not worry about the content of their WhatsApp messages, like chats and images, as they are end-to-end encrypted, which means even the company cannot read them.
Hacking wannabe hackers: watch out Facebook Hacker Tools!
12.9.2016 securityaffairs Social
Everyone is a potential victim, even the wannabe hackers that try to exploit Facebook Hacker Tools to hack into friends’ accounts.
When dealing with cybercrime, everyone is a potential victim, even the hackers; this is the case of a Crimeware-as-a-Service hack that turns wannabe crooks into victims.
For those who are looking to hack the Facebook accounts of others, there is a marketplace of Facebook Hacker tools that promise to do it without any specific knowledge.
Crooks are using Google Drive to host new Facebook Hacker Tools that allow the operators to steal credentials from would-be hackers who try to break into other users’ accounts on the Facebook social network.
Experts from the firm Blue Coat Elastica Cloud Threat Labs (BCECTL), now owned by Symantec, have discovered several versions of the Facebook Hacker Tools, including Faceoff Facebook Hacker, Skull Facebook Hacker and Scorpion Facebook Hacker.
“When they deploy this CaaS service, it becomes very easy for users to conduct cyberattacks,” said BCECTL director Aditya Sood.
The way the Facebook Hacker Tools work is very simple, typically they will ask the wannabe hacker that uses the tool to provide the Facebook profile ID of his victim. Then it displays some fake error messages and asks the user to provide an activation code to hack into the profile.
Experts at BCECTL discovered similar attacks by analyzing the files hosted on Google Drive. Links to several Facebook Hacker tools were being actively distributed and shared on Google Drive.
“It’s hard to list the numbers, but we have discovered multiple instances [seven-plus] on Google Drive at the moment,” Sood said. “We haven’t checked on other cloud services or standard domains.” added Sood.
Hackers abuse the web publishing functionality included in cloud services like Google Drive. One of the tools used by the crooks allows an attacker to send to the wannabe hacker a Google Drive link that takes them to a “Facebook Friend’s Account Hacker” document. Of course, the wannabe hacker that intends to hack his friend’s account needs to provide his Facebook login credentials.
Once the wannabe hacker has provided his credentials they are sent back to the operator behind the scam.
Stolen credentials could be offered for sale in the underground market or used for a wide range of illegal activities.
This kind of attack is particularly insidious for enterprises: the credentials of their employees could be exposed, allowing attackers to access company resources. Attackers can target business users, steal their credentials and launch more sophisticated attacks in the future.
Think, for example, of the possibility of stealing the login credentials of an employee who works as a system administrator or who manages sensitive financial data of the company.
A growing number of companies are moving to cloud services; for this reason, it is essential to carefully evaluate the risk of exposure to this kind of attack linked to the use of social media.
“We are living in a world where these social networks have become part and parcel of our lives,” Sood explained. “Cybercriminals can abuse this information and other tools, and sell that access to users.”
In order to prevent this kind of attack, it is essential to adopt a proper security posture, promoting awareness inside companies.
It is important to educate employees in the correct and safe use of social media, even in the workplace.
Another important aspect to consider is incident response, once such an attack against an employee is discovered.
The adoption of cloud security solutions could also help to mitigate the risk of attacks.
Hey, Music Lovers! Last.Fm Hack Leaks 43 Million Account Passwords
2.9.2016 THEHACKERNEWS Social
Another Day, Another Data Breach!
If you love to listen to music online and have an account on the Last.fm website, your account details may have been compromised in a data breach that leaked the personal data of more than 43 Million users online.
Last.fm was hacked in March of 2012, and three months after the breach the London-based music streaming service admitted to the incident and issued a warning, encouraging its users to change their passwords.
But now it turns out that the Last.fm data breach was massive, and four years later the stolen data has surfaced in public.
The copy of the hacked database obtained by the data breach indexing website LeakedSource contained 43,570,999 user records that were originally stolen from Last.fm on March 22, 2012, according to timestamps in the database.
The leaked records include usernames, hashed passwords, email addresses, the date when a user signed up to the website, and ad-related data.
Wait! Have you visited The Hacker News early this week? We reported about the Dropbox massive data breach that had also occurred in 2012, which let hackers get their hands on online cloud storage accounts of more than 68 Million users.
People Are Still So Bad At Picking Passwords
But what makes the Last.fm hack much worse is the weak security measures the website used to store its users’ passwords.
Last.fm stored its users’ passwords using MD5 hashing – which was considered outdated even before 2012 – and without any salt, a random string added to each password before hashing that makes it more difficult for hackers to crack the stored hashes.
LeakedSource says it took them just 2 hours to crack 96% of all the passwords included in the Last.fm data dump, which is possible due to the use of an unsalted MD5 hashing system to store passwords.
"This algorithm is so insecure it took us two hours to crack and convert over 96 percent of them to visible passwords," LeakedSource said in its blog post, adding that it recently significantly invested in its own "password cracking capabilities for the benefit of our users."
And guess what? Last.fm's analysis of the passwords reveals that the most popular passwords users chose to secure their accounts were extremely weak.
255,319 people used the phrase 123456
92,652 used 'password' as password
Almost 67,000 used 'lastfm'
Around 64,000 used 123456789
46,000 used 'qwerty'
Almost 36,000 used 'abc123'
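Why unsalted MD5 makes a 96% crack rate in two hours plausible comes down to how the work scales: without salt, each candidate password is hashed once and then looked up against every user in the dump, so the cost is the size of the wordlist, not the size of the breach. The following is an added example, not LeakedSource's or Last.fm's code; the dump, the wordlist and the salted variant are all constructed for the demonstration and stay with MD5 on the salted side so that the only difference being measured is the salt.

```python
import hashlib
import os
from collections import Counter

# Constructed plaintexts: five weak passwords taken from the article's list of the
# most popular ones, plus two that no short wordlist contains.
PLAINTEXTS = [
    ("user1", "123456"),
    ("user2", "password"),
    ("user3", "123456"),
    ("user4", "lastfm"),
    ("user5", "qwerty"),
    ("user6", "G7#k!pL2z@vQ"),
    ("user7", "blue-whale-umbrella-49"),
]

# Constructed wordlist of popular passwords (the article names most of these).
WORDLIST = ["123456", "password", "lastfm", "123456789", "qwerty", "abc123", "letmein"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 as Last.fm stored it, per the article."""
    return hashlib.md5(password.encode()).hexdigest()


# The "dump" as it would appear in the breach: (username, unsalted MD5 hex).
SAMPLE_DUMP = [(user, md5_hex(pw)) for user, pw in PLAINTEXTS]


def crack_unsalted(dump: list, wordlist: list) -> tuple:
    """Hash each candidate once, then look every user up in the table.

    Returns (cracked {user: password}, number of hash operations). The hash
    count equals len(wordlist) no matter how many users are in the dump; two
    users with the same password fall together.
    """
    lookup = {md5_hex(word): word for word in wordlist}
    cracked = {user: lookup[h] for user, h in dump if h in lookup}
    return cracked, len(wordlist)


def salted_md5_hex(salt: bytes, password: str) -> str:
    """Same weak MD5, but with a per-user random salt prepended."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def make_salted_dump(plaintexts: list) -> list:
    """Build (username, salt, salted hash) records with a fresh 8-byte salt each."""
    records = []
    for user, pw in plaintexts:
        salt = os.urandom(8)
        records.append((user, salt, salted_md5_hex(salt, pw)))
    return records


def crack_salted(records: list, wordlist: list) -> tuple:
    """With salts, no precomputed table helps: every candidate must be hashed
    again under every user's salt, so the cost is len(wordlist) * len(records).
    The loop is deliberately not short-circuited so the count is exact."""
    cracked, ops = {}, 0
    for user, salt, h in records:
        for word in wordlist:
            ops += 1
            if salted_md5_hex(salt, word) == h:
                cracked[user] = word
    return cracked, ops


def password_popularity(cracked: dict) -> list:
    """The kind of 'most used passwords' table the article reproduces."""
    return Counter(cracked.values()).most_common()


if __name__ == "__main__":
    cracked, ops = crack_unsalted(SAMPLE_DUMP, WORDLIST)
    print(f"unsalted: {len(cracked)}/{len(SAMPLE_DUMP)} cracked with {ops} hashes")
    print("popularity:", password_popularity(cracked))
    cracked_s, ops_s = crack_salted(make_salted_dump(PLAINTEXTS), WORDLIST)
    print(f"salted:   {len(cracked_s)}/{len(PLAINTEXTS)} cracked with {ops_s} hashes")
```

Salt alone multiplies the attacker's work by the number of users but does not save the weak passwords; replacing MD5 with a deliberately slow function (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count) is what turns each of those per-user hashes from a microsecond into tens of milliseconds, which is the second half of the fix the article is pointing at.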
LeakedSource added the data into its database; so if you have a Last.fm account, you can check if it has been compromised by searching your data at Leaked Source’s search engine.
Last.fm is the latest to join the list of "Mega-Breaches" revealed in recent months, in which hundreds of Millions of online credentials from years-old data breaches of popular social network sites, including LinkedIn, MySpace, VK.com and Tumblr, were sold on the Dark Web.
The takeaway:
Change the password for your Last.fm account as well as your other online accounts immediately, especially if you are using the same password for multiple sites.
Moreover, make use of a good password manager to create complex passwords for different websites and remember them.
We have listed some of the best password managers that could help you understand the importance of password manager as well as choose one according to your requirement.
Brazil Freezes $11.7 Million of Facebook Funds for Not Complying with Court Orders
1.8.2016 Thehackernews.com Social
Facebook's legal war with the Brazilian government seems to be never-ending.
Facebook-owned cross-platform messaging service WhatsApp has already been blocked a total of three times in Brazil since December for failing to comply with court orders asking the company to hand over WhatsApp data of users under criminal investigation.
But, now the Brazilian government has taken an even tougher step.
On Wednesday, the public federal prosecutor in the Brazilian state of Amazonas said the court froze 38 Million real (US $11.7 Million) of funds held in Facebook's bank account, Reuters reports.
The prosecutor has said that the decision to freeze Facebook funds was made after the social media giant failed to comply with the court order to hand over data of WhatsApp users who are under criminal investigation.
Since WhatsApp communications are end-to-end encrypted, even the company would not be able to access any message exchanged between users.
Facebook representatives weren't immediately available for comment on the recent decision by the Brazilian court.
Previously, when WhatsApp was blocked in Brazil, a WhatsApp spokesman said in a statement:
"In recent months, people from all across Brazil have rejected judicial blocks of services like WhatsApp. Indiscriminate steps like these threaten people's ability to communicate, to run their businesses, and to live their lives. As we have said in the past, we cannot share information we don't have access to."
The court case between the Brazilian government and Facebook has been long-running now.
The courts had previously banned WhatsApp for three days, but the most recent ban came last week when Brazilian judge Daniela Barbosa ordered the telecom operators to shut down WhatsApp nationwide. A few hours later, Brazil’s supreme court suspended the ruling.
In March, Judge Marcel Maia Montalvão of Sergipe state ordered the incarceration of a Facebook executive for not turning over data from a WhatsApp account tied to a drug-trafficking investigation.
Facebook Vice President Diego Jorge Dzodan was arrested on his way to work in São Paulo and jailed, but subsequently released the next day.
Facebook Sued for illegally Scanning Users' Private Messages
20.5.2016 Social
Facebook is in trouble once again regarding its users' privacy.
Facebook is facing a class-action lawsuit in Northern California over allegations that the company systematically scans its users' private messages on the social network without their consent and profits by sharing the data with advertisers and marketers.
According to the lawsuit filing, Facebook might have violated federal privacy laws by scanning users' private messages.
Facebook routinely scans the URLs within users' private messages for several purposes like anti-malware protection and industry-standard searches for child pornography, but it has been claimed that the company is also using this data for advertising and other user-targeting services.
The plaintiffs, Matthew Campbell and Michael Hurley, argue that Facebook is scanning and collecting URL-related data in a searchable form, violating both the Electronic Communications Privacy Act and the California Invasion of Privacy Act, The Verge reported.
Facebook argues that the company scans users' private messages in bulk, and maintains the URL records in an anonymized way, which is only used in aggregate form.
However, according to a technical analysis done on behalf of the plaintiffs, each URL-related message is stored in "Titan," a private message database that displays the date and time the message was sent, along with the user IDs of both the sender and the recipient.
Facebook admits that it used this practice in the past, but the company claims to have stopped it a long time ago.
"We agree with the court's finding that the alleged conduct did not result in any actual harm and that it would be inappropriate to allow plaintiffs to seek damages on a class-wide basis," a Facebook spokesperson told CNET.
"The remaining claims relate to historical practices that are entirely lawful, and we look forward to resolving those claims on the merits."
However, according to the plaintiffs, Facebook is still collecting links from users' private messages.
"Facebook's source code not only reveals that Facebook continues to acquire URL content from private messages, but that it also continues to make use of the content it acquires."
The lawsuit was originally filed in 2012 and, for now, the case is expected to proceed.
Plaintiffs have until June 8 to file an amended complaint, following a scheduled conference toward the end of the month.
This App Lets You Find Anyone's Social Profile Just By Taking Their Photo
19.5.2016 Social Site
Is Google or Facebook evil? Forget it!
Russian nerds have developed a new Face Recognition technology based app called FindFace, which is a nightmare for privacy lovers and human right advocates.
FindFace is a terrifyingly powerful facial recognition app that lets you photograph strangers in a crowd and find their real identity by connecting them to their social media accounts with 70% success rate, putting public anonymity at risk.
The FindFace app was launched two months ago on Google Play and Apple’s App Store and currently has 500,000 registered users and processed nearly 3 Million searches, according to its co-founders, 26-year-old Artem Kukharenko, and 29-year-old Alexander Kabakov.
According to The Guardian, FindFace uses image recognition technology to compare faces against profile pictures on Vkontakte, a very popular social networking site in Russia that has over 200 Million users.
Besides showing the social media account of the one you are searching for, FindFace also shows you social media accounts of people who look very much like the person in the photograph.
"It also looks for similar people," Kabakov told The Guardian. "So you could just upload a photo of a movie star you like or your ex, and then find ten girls who look similar to her and send them messages."
Although many people may find the app useful, women who do not want strangers to contact and harass them would certainly see this app as a stalking tool.
FindFace has marketed itself as a dating app, but its founders hope to make big money from licensing its algorithm to retail companies and law enforcement, claiming their algorithm can search through a Billion photographs in a matter of seconds on a normal computer.
They said that Russian police had already contacted them about using their facial recognition technology.
Just after the launch of the app, security firm Kaspersky also tested FindFace's algorithm in April and found that the app works as accurately as it claims.
When the security company uploaded posed photographs, the app correctly identified people 90 percent of the time, although when it uploaded photos taken covertly in public, accuracy decreased.
Are you finding the whole thing a bit scary?
This is the entirely new world of technology and gadgets where nothing is hidden; nobody is anonymous.
So, the app leaves just two options for you: either wear something on your face to defeat the camera, like a hoodie, mask or glasses, while walking down a street, or get used to having no privacy in your new society.
Kaspersky also advised Vkontakte users to make their pictures private and delete old photos from the profile pictures album, if they do not want to be identified by strangers.
117 Million LinkedIn credentials offered for sale
18.5.2016 Social Site
A hacker who goes by the name “Peace” is offering 117 million LinkedIn credentials for 5 bitcoin; the data comes from the 2012 hack.
According to Motherboard, a hacker who goes by the name “Peace,” is offering personal details of 117 million LinkedIn users for 5 bitcoin (around $2,200). The hacker is offering the data in the popular black marketplace The Real Deal, he confirmed to Motherboard that data results from the data breach suffered by LinkedIn in 2012.
LinkedIn credentials and Stolen Data
Following the hack, around 6.5 million hashed passwords were leaked online, but clearly the incident has a greater magnitude.
“LinkedIn.com was hacked in June 2012 and a copy of data for 167,370,910 accounts has been obtained by LeakedSource which contained emails only and passwords. You can search the hacked LinkedIn.com database and many others on our main site. If you are in this database, contact us and we will remove you from our copy for free.” states LeakedSource, which analyzed the archive of 167 million accounts, roughly 117 million of which have both emails and hashed passwords.
According to LeakedSource, the precious archive was kept by a Russian hacker crew.
LeakedSource confirmed that the passwords were hashed with the SHA1 algorithm, with no “salt.”
“One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked ‘90% of the passwords in 72 hours,’” reported Lorenzo Franceschi-Bicchierai from Motherboard.
Looking at the top passwords in the LinkedIn credentials included in the archive, the top 5 are:
1. 123456 (753,305 accounts)
2. linkedin (172,523 accounts)
3. password (144,458 accounts)
4. 123456789 (94,314 accounts)
5. 12345678 (63,769 accounts)
Any further comment is superfluous, isn't it?
Of course, all users who are still using the credentials included in the archive are at risk and are urged to change them as soon as possible.
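Both the Last.fm dump discussed earlier on this page (unsalted MD5) and the LinkedIn dump above (unsalted SHA1) fail in the same way: without a per-user salt, one precomputed table of common passwords recovers every account that chose one of them, and identical digests even reveal which users share a password before any cracking is done. The following Python script is an added example, not code from LeakedSource or from either site. It builds such a table from the top passwords named on this page (constructed sample input), shows the single-table hit against unsalted digests, and contrasts it with salted PBKDF2-HMAC-SHA256 from the standard library, where two users with the same password get different digests and the table is useless. The user names, the storage format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample: the most common passwords named in the Last.fm and
# LinkedIn dumps on this page (sample input, not the dumps themselves).
COMMON_PASSWORDS = ["123456", "password", "lastfm", "linkedin",
                    "123456789", "qwerty", "abc123", "12345678"]


def unsalted_hash(password: str, algo: str) -> str:
    """The weak scheme both sites used: one deterministic digest per password, no salt."""
    return hashlib.new(algo, password.encode()).hexdigest()


def build_lookup(algo: str) -> dict:
    """Precomputed digest -> password table. With no salt, this single table
    recovers the password of every user who chose one of these strings."""
    return {unsalted_hash(p, algo): p for p in COMMON_PASSWORDS}


def recover_unsalted(stored_digests, algo: str) -> dict:
    """Map each stored digest found in the table to its password (one lookup each)."""
    table = build_lookup(algo)
    return {d: table[d] for d in stored_digests if d in table}


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """The hardened scheme: 16-byte random per-user salt + PBKDF2-HMAC-SHA256.
    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (format is an assumption)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_schemes(algo: str = "md5") -> dict:
    """Two constructed users with the same weak password, stored both ways."""
    weak = {"alice": unsalted_hash("123456", algo),
            "bob": unsalted_hash("123456", algo),
            "carol": unsalted_hash("correct horse battery staple", algo)}
    strong = {u: hash_password("123456") for u in ("alice", "bob")}
    return {
        # identical digests reveal that alice and bob share a password before any cracking
        "weak_digests_identical": weak["alice"] == weak["bob"],
        # one table lookup exposes that shared password; carol's is not in the table
        "weak_recovered": sorted(recover_unsalted(weak.values(), algo).values()),
        # per-user salt: same password, different digests, the table is useless
        "strong_digests_identical": strong["alice"] == strong["bob"],
        "strong_verifies": verify_password("123456", strong["alice"]),
    }


if __name__ == "__main__":
    print(compare_schemes("md5"))   # the Last.fm case
    print(compare_schemes("sha1"))  # the LinkedIn case
```

Swapping `"md5"` for `"sha1"` reproduces the LinkedIn situation exactly: the digest function is irrelevant once there is no salt, because the table is built once and reused against every account. The salted scheme forces the attacker to redo the whole PBKDF2 computation per user per guess, which is what makes the slow, iterated hash worthwhile.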
Facebook Open Sources its Capture the Flag (CTF) Platform
11.5.2016 Social Site
Hacking into computers, networks and websites could easily land you in jail. But what if you could freely test and practice your hacking skills in a legally safe environment?
Facebook just open-sourced its Capture The Flag (CTF) platform to encourage students as well as developers to learn about cyber security and secure coding practices.
Capture the Flag hacking competitions are conducted at various cyber security events and conferences, including Def Con, in order to highlight the real-world exploits and cyber attacks.
The CTF program is an effective way of identifying young people with exceptional computer skills, as well as teaching beginners about common and advanced exploitation techniques to ensure they develop secure programs that cannot be easily compromised.
Since 2013, Facebook has itself hosted CTF competitions at events across the world and now, it is opening the platform to masses by releasing its source code on GitHub.
"We built a free platform for everyone to use that takes care of the backend requirements of running a CTF, including the game map, team registration, and scoring," said Gulshan Singh, Software Engineer at Facebook Threat Infrastructure.
In general, a Capture The Flag competition hosts a series of security challenges in which participants have to hack into defined targets and then defend them from other skilled hackers.
"The current set of challenges include problems in reverse-engineering, forensics, web application security, cryptography, and binary exploitation. You can also build your own challenges to use with the Facebook platform for a customized competition," Mr. Singh said.
Many institutions and organizations have now realized that gamifying cyber security and hacking goes beyond the traditional ways of training your mental muscles and keeping sharp skills that otherwise only come into play when a doomsday scenario happens.
Facebook passes the 1 million Tor users Milestone
24.4.2016 Social Site
Facebook announced that the number of its users accessing through the Tor network has passed 1 million. The number is calculated over a period of 30 days.
Facebook announced on Friday that it has passed 1 million Tor users. As stated in a blog post, the number is calculated over a period of 30 days.
“Over this period the number of people who access Facebook over Tor has increased. In June 2015, over a typical 30 day period, about 525,000 people would access Facebook over Tor e.g.: by using Tor Browser to access www.facebook.com or the Facebook Onion site, or by using Orbot on Android. This number has grown – roughly linearly – and this month, for the first time, we saw this “30 day” figure exceed 1 million people. ” states Facebook.
The number of privacy conscious Facebook users accessing the social media giant’s onion site (https://www.facebookcorewwwi.onion/) has increased from 525,000 people in June 2015 to over 1,000,000 in the last 30 days.
Tor is free software allowing Internet users to anonymize their online activity. We have seen a constant increase in the number of Tor users in recent years, possibly due to increasing awareness of issues related to privacy on the Internet. Facebook also introduced Tor support for its Android application earlier this year.
While debates on privacy and encryption continue, we observe an increase in the number of social sharing and messaging platforms that improve their encryption and anonymity features. The popular messaging platform Whatsapp has implemented end-to-end encryption earlier this month.
Written by: Alper Başaran
About the Author: Alper Başaran is a Hacker and Penetration Tester – Buccaneer of the Interwebs; he owns the Turkish blog alperbasaran.com.
Alper Başaran provides business process focused and goal oriented penetration testing services to his customers. Based in Turkey, he has expanded his operations to the Middle East.
More than 1 million People now access Facebook Over Tor Network
23.4.2016 Social Site
Facebook has hit another milestone: more than 1 MILLION people, privacy-conscious ones you could say, are accessing Facebook over Tor.
Facebook proudly announced today that this month, for the first time, the number of people connecting to the anonymous version of Facebook that is accessible only through the Tor anonymity network exceeded 1 Million – an increase of almost 100% in the past ten months.
Today, as global surveillance continues to grow, encryption has the power to protect users’ security and privacy online. And it is ultimately a good thing that companies like Facebook are competing on users’ security.
In 2014, Facebook launched a special version of its website that runs only with the help of Tor anonymity software that offers privacy to users.
Tor anonymity software or Tor browser secures and encrypts connections to prevent cyber criminals or law enforcement agencies from tracking users’ web activity.
Tor users can visit Facebook's Tor hidden service via a special .onion address: https://facebookcorewwwi.onion/
"In June 2015, over a typical 30 day period, about 525,000 people would access Facebook over Tor," says Alec Muffett, Software Engineer at Facebook.
"This number has grown – roughly linearly – and this month, for the first time, we saw this “30 days” figure exceed 1 million people."
Moreover, in January this year, Facebook added built-in Tor support for its Android app, allowing hundreds of millions of mobile users to maintain their online privacy when visiting Facebook.
“This growth is a reflection of the choices that people make to use Facebook over Tor, and the value that it provides them. We hope they will continue to provide feedback and help us keep improving.” Alec says.
Beyond Tor software and Facebook hidden service, you are also advised to adopt secure email services and privacy-enhanced mobile apps to protect yourself online, if you are privacy conscious.
Recently, WhatsApp and Viber, two popular mobile messaging services, also joined the encryption party by turning ON end-to-end encryption by default for their more than a billion users.
Hacker Installed a Secret Backdoor On Facebook Server to Steal Passwords
23.4.2016 Social Site
How to Hack Facebook?
That’s the most commonly asked question during this decade.
It’s a hacker dream to hack Facebook website for earning bug bounty or for any malicious purpose.
Facebook security team recently found that someone, probably a blackhat hacker with malicious intent, has breached into its server and installed a backdoor that was configured to steal Facebook employees' login credentials.
Since the backdoor was discovered on a Facebook corporate server, not on its main servers, Facebook user accounts are not affected by this incident.
The company might never have known about the backdoor if a whitehat hacker had not spotted the backdoor script while hunting for vulnerabilities.
Security researcher Orange Tsai of Taiwanese security vendor DEVCORE accidentally came across a backdoor script on one of Facebook’s corporate servers while finding bugs to earn cash reward from Facebook.
Tsai scanned Facebook's IP address space, which led him to the files.fb.com domain; it was hosting a vulnerable version of the Secure File Transfer Appliance (FTA) made by Accellion, used by Facebook employees for file sharing and collaboration.
Tsai analyzed the vulnerable FTA and discovered seven security flaws as he explained in his blog post:
3 Cross-site scripting (XSS) flaws,
2 Remote code execution flaws,
2 Local privilege escalation issues.
The researcher then used the vulnerabilities he found in the Accellion Secure FTA and gained access to Facebook's server.
After successfully achieving his goal, Tsai started analyzing the log information available on the Facebook server to prepare his bug report, and that is exactly when he spotted a PHP-based backdoor, popularly known as a PHP web shell, that had probably been installed on the server by a malicious hacker.
Tsai then reported all of his findings to the Facebook security team, which rewarded him with $10,000 (€8,850) for his efforts and started its own forensics investigation that was completed this month, allowing the researcher to disclose the vulnerabilities responsibly.
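Tsai found the web shell by reading the server's logs by hand; a defender reviewing a file-transfer appliance would rather sweep its web root for the constructs such backdoors rely on. The following Python scanner is an added example, not DEVCORE's, Accellion's or Facebook's code. It flags PHP source in which code- or command-execution functions are fed from request parameters (optionally through one or more decoders), `eval` wrapped around a decoder, a variable used as a function name on request input, or a long base64 literal, and runs over two constructed sample files: a benign handler and a minimal backdoor-style line. The rule names, the regexes and the file layout are assumptions, and a pattern hit is a lead for review, not proof of compromise.

```python
import re
import tempfile
from pathlib import Path

# Constructs typical of PHP web shells: code/command execution fed directly from
# request parameters, often wrapped in one or more decoders (rules are assumptions).
EXEC_FUNCS = r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|preg_replace)"
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)"
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"

RULES = {
    # system($_GET['x']) or eval(base64_decode($_POST['x']))
    "exec_from_request": re.compile(
        EXEC_FUNCS + r"\s*\(\s*(?:" + DECODERS + r"\s*\(\s*)*" + REQUEST_INPUT, re.I),
    # eval(gzinflate(...)): payload embedded in the file rather than read from the request
    "decoded_eval": re.compile(r"\beval\s*\(\s*" + DECODERS, re.I),
    # $f = $_POST['f']; $f($_POST['a']);  (function name chosen by the requester)
    "variable_function_call": re.compile(r"\$[A-Za-z_]\w*\s*\(\s*" + REQUEST_INPUT, re.I),
    # a long base64 literal usually means an obfuscated payload
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}


def scan_php_source(source: str) -> list:
    """Return (line number, rule name) pairs for every rule hit in one file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def scan_tree(root) -> dict:
    """Map each flagged .php file under root (POSIX relative path) to its findings."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*.php")):
        findings = scan_php_source(path.read_text(errors="replace"))
        if findings:
            results[path.relative_to(root).as_posix()] = findings
    return results


# Constructed sample files (not from the Facebook server): a benign handler and
# a minimal backdoor-style line of the kind the rules are meant to catch.
BENIGN_PHP = "<?php\n$name = htmlspecialchars($_GET['name'] ?? '');\necho \"Hello, $name\";\n"
SUSPICIOUS_PHP = "<?php\n@eval(base64_decode($_REQUEST['c']));\n"


def demo() -> list:
    """Write both samples into a temporary web root and return the flagged paths."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "index.php").write_text(BENIGN_PHP)
        (Path(root) / "uploads").mkdir()
        (Path(root) / "uploads" / "img.php").write_text(SUSPICIOUS_PHP)
        return sorted(scan_tree(root))


if __name__ == "__main__":
    print(demo())
```

Run against a real web root, `scan_tree("/path/to/webroot")` returns only the files with hits, each with the line numbers to inspect. Pairing this with a baseline of known-good file hashes from the vendor's package catches the other common case, a legitimate file that has been modified rather than a new one dropped into an upload directory.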
Facebook's latest feature Alerts You if Someone Impersonates Your Profile
26.3.2016 Social Site
Online harassment has been elevated a step with the advent of popular social networks like Facebook.
Cyber stalkers create fake profiles impersonating other Facebook users and start doing activities on their behalf until and unless the owners notice the fake profiles and manually report it to Facebook.
Even in some cases, cyber stalkers block the Facebook account holders whom they impersonate in order to carry out mischievous tasks through fake profiles without being detected by the actual account holders.
But now, online criminals can no longer fool anyone with this impersonation method, as Facebook is currently working on a feature that automatically informs its 1.6 Billion users about cloned accounts.
If the company detects a duplicate Facebook account of a user, it will automatically send an alert to the original account holder, who will be prompted to identify whether the profile in question is indeed a fake profile impersonating them or actually belongs to someone else.
How would Facebook identify the Clone Profiles?
The new feature would reportedly inform Facebook users about their cloned accounts when it finds a perfect match of both profile pictures and profile names.
However, it seems likely that Facebook would use its face recognition technology, one of the world's best, to identify fake profiles.
While uploading a group pic of you with your friends, you might have noticed how Facebook automatically detects your friend's face and suggests the correct names without manually feeding into it.
This face recognition technology could be utilized by Facebook's new feature to eliminate profile duplication and put an end to the doppelganger business.
Here you might be thinking: if two accounts are made identical, how would Facebook identify the legitimate user? Right?
This difference would be decided by Facebook's core security team by analyzing and comparing the user's activities and date of account creation.
But one question still remains in my head:
If Facebook identifies the difference on the basis of account creation date, what if someone creates a fake profile of a user who hasn't joined the network yet?
Okay, Facebook cannot stop this, since it cannot compare the fake user to an original user who doesn’t exist on its platform.
But what if the user joins the network later? Whom would Facebook notify in that case? The stalker who owns the fake profile, since it was created first?
I have already reached out to Facebook for a comment and will update the article as soon as I get to hear from it.
Why is Impersonation Dangerous?
According to the Facebook Head of Global Safety Antigone Davis, impersonation is a source of harassment, particularly for women, on the social media platform, despite Facebook's longstanding policy against it.
"We heard feedback [before] the roundtables and also at the roundtables that this was a point of concern for women," Davis told Mashable. "It's a real point of concern for some women in certain regions of the world where [impersonation] may have certain cultural or social ramifications."
We have seen a plethora of impersonation examples across the Facebook case studies.
Impersonation is a tool in the sextortionist's bag.
Threatening to use women's photos to associate them with prostitution was one trick used by Michael C. Ford, the former US Embassy worker who was sentenced to nearly 5 years in jail after pleading guilty to sextorting, phishing, breaking into email accounts, stealing explicit images and cyberstalking hundreds of women around the world.
Facebook's new security measure would also give a degree of confidence to women who hesitate to upload their real images on the platform for fear of impersonation.
Facebook has already introduced this new feature to 75% of the World, including India, Brazil, some South American countries and South East Asian zones, where the usage of the social network is prevalent. The feature will be rolled out in November for the rest of the world.
Features Yet to Release!
In parallel, Facebook is also working on two similar technologies: reporting of non-consensual intimate images, and a Photo Checkup feature.
Non-consensual intimate image reporting lets users report any nudity on Facebook and additionally offers the option to identify themselves as the subject of the photo (if so).
The Photo Checkup feature is similar to Facebook's Privacy Dinosaur, which helped users check their privacy settings such as profile info, status info and which apps have the access to the accounts in a single popup window.
Likewise, Photo Checkup is exclusively dedicated to figuring out: Who can view your photos and who cannot!
Facebook is rolling out many security-centric features that bolster the security and privacy of user information in the virtual world.
Ever Wondered How Facebook Decides — How much Bounty Should be Paid?
18.3.2016 Social Site
Facebook pays Millions of dollars every year to researchers and white hat hackers from all around the world to stamp out security holes in its products and infrastructure under its Bug Bounty Program.
Facebook recognizes and rewards bug hunters to encourage more people to help the company keep Facebook users safe and secure from outside entities, malicious hackers or others.
Recently, the social media giant revealed that India tops all countries in the number of vulnerabilities or security holes reported in the Facebook platform, and also receives the most bug bounties paid.
"India is home to the largest population of security researchers participating in the Facebook bug bounty program since its inception in 2011. The country also holds the top spot for most bounties paid," Adam Ruddermann, Facebook’s technical program manager notes.
If you are one of Facebook’s bug hunters, you might be aware that reporting the same type of flaw (say, Cross-site Scripting or XSS) in Facebook would not always make one eligible for the same bounty.
Have you ever wondered why, and how Facebook decides the bounty amount?
Well, the procedure works the same way The Hacker News team decides which news to cover first and which not to cover at all, i.e. based on the risk to end users.
Recently, Facebook’s bug bounty team explained how they calculate bounties.
How Facebook Calculates Bug Bounties?
Facebook calculates bounties, of course, based on Risk to end-users. The company offers a maximum reward of USD$20,000 and a minimum of USD$500.
Bugs that allow someone to access private Facebook data, delete Facebook data, modify an account or run JavaScript under facebook.com are considered high-impact vulnerabilities that directly affect end users, so they earn the maximum payouts.
"The security community in India is strong and growing every day," Facebook says. "India has long topped the list of 127 countries whose researchers contribute to our bug bounty program."
Here’s the Procedure Facebook Security team follows:
Step 1: The Facebook Bug Bounty team first looks at the potential impact of a vulnerability reported.
Step 2: Engineers at Facebook then assess how difficult or easy it is to exploit the particular vulnerability, whether it is high-severity, and the kind of resources or technical skills a successful attack would require.
Step 3: The team then looks at whether any existing features can already mitigate the issue, for example, an implementation of rate-limiting mechanism to prevent brute-force attacks.
Step 4: Sometimes bug hunters report "bugs" that are actually Facebook features designed to give users a better experience on the social media platform. These reports are generally not considered eligible unless they pose a real threat.
Based upon the aforementioned steps, Facebook decides a base payout for each eligible vulnerability report.
The bounty amount can change as the risk landscape evolves; for example, a bug that leads to more bugs gets a bigger payout.
The team also reserves an option to award security researchers and white hat hackers more than the base amount if the report itself demonstrates a high level of clarity, sophistication, and detail.
Example — Bug Bounties Paid by Facebook
Earlier this month, Anand Prakash, 22, of India was awarded $15,000 (roughly Rs. 10 Lakhs) for reporting a Password Reset Vulnerability that could allow attackers to hack any Facebook account by resetting its password via endless brute force of a 6-digit code.
Have you ever wished to delete a photo from Facebook that you didn't like but was posted by someone else? Believe me, it was possible until last year, when two independent Indian security researchers reported two separate vulnerabilities to Facebook and were awarded $12,500 each.
Do you know what’s the highest bug bounty ever paid by Facebook? That’s $33,500 to a Brazilian hacker who managed to hack into the Facebook server using a remote-code execution vulnerability.
There was another interesting bug in Facebook that received the highest attention, but no bounty was paid.
Yes, I am talking about Palestinian Hacker, 'Khalil Shreateh', who posted vulnerability details on Facebook CEO Mark Zuckerberg’s wall to prove his point, after Facebook Security Team failed to recognize his critical vulnerability thrice.
Unfortunately, Khalil did not receive any bounty, because he did not follow the disclosure guidelines correctly and failed to clarify the vulnerability details to the Facebook Security Team.
Do you want to know how to earn high bounties? Find and Report high-severity bugs.
"The most important factor for getting the maximum bounty possible is to focus on high-risk vulnerabilities, specifically those with widespread impact," Facebook says. "So, if you're looking to maximize your bounties, focus on quality over quantity."
Bug Bounty programs are widely used by a large number of prominent technology companies, including Google, Facebook and PayPal, for which bug hunters play a vital role in securing their users’ online accounts.
Bug bounties and disclosure programs encourage researchers and hackers to responsibly report vulnerabilities to the affected companies rather than exploiting them to compromise users’ security, which may also damage the company's reputation.
Hacker Reveals How to Hack Any Facebook Account
8.3.2016 Hacking Social Site
Hacking a Facebook account is one of the most common queries from Internet users today. It's hard to find a way to hack into someone's Facebook account, but one Facebook user just did.
A security researcher discovered a 'simple vulnerability' in the social network that allowed him to easily hack into any Facebook account, view message conversations, post anything, view payment card details and do whatever the real account holder can.
Facebook bounty hunter Anand Prakash from India recently discovered a Password Reset Vulnerability, a simple yet critical vulnerability that could have given an attacker endless opportunities to brute force a 6-digit code and reset any account's password.
Here's How the Flaw Works
The vulnerability actually resides in the way Facebook's beta domains handle 'Forgot Password' requests.
Facebook lets users change their account password through Password Reset procedure by confirming their Facebook account with a 6-digit code received via email or text message.
To ensure the user is genuine, Facebook allows the account holder to try up to a dozen codes before the confirmation code is blocked by the brute force protection that limits the number of attempts.
However, Prakash discovered that the social media giant had not implemented rate-limiting in its password reset process on the beta sites, beta.facebook.com and mbasic.beta.facebook.com, according to a blog post published by Prakash.
Prakash tried to brute force the 6-digit code on the Facebook beta pages in the 'Forgot Password' window and discovered that there is no limit set by Facebook on the number of attempts for beta pages.
Video Demonstration
Prakash has also published a proof-of-concept (PoC) video demonstration that shows the attack in action and walks through the entire procedure.
Here's the culprit:
As Prakash explained, the vulnerable POST request in the beta pages is:
lsd=AVoywo13&n=XXXXX
Brute forcing 'n' allowed Prakash to set a new password for any Facebook account, taking complete control of it.
Prakash (@sehacure) discovered the vulnerability in February and reported it to Facebook on February 22. The social network fixed the issue the next day and paid him $15,000 as a reward, considering the severity and impact of the vulnerability.
Expert discovered how to hack any Facebook account
8.3.2016 Social Site Hacking
A security researcher has discovered a Facebook password reset vulnerability that allowed him to brute force into any FB account.
The security researcher Anand Prakash has discovered a password reset vulnerability affecting Facebook. The critical vulnerability could be exploited by attackers to hack into any FB account launching a brute force attack.
“This post is about a simple vulnerability found on Facebook which could have been used to hack into other user’s Facebook account easily without any user interaction. This gave me full access of another users account by setting a new password. I was able to view messages, his credit/debit cards stored under payment section, personal photos etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability.” wrote the researcher in a blog post.
The critical flaw resides in the way Facebook’s beta pages handle “Forgot Password” requests. When a user forgets the password, Facebook allows them to get back into the account through the ‘Forgot Password’ procedure: it sends a 6 digit code to the user’s phone number or email address. The user then submits the code to access the account and reset the password.
Prakash tried to find security holes in Facebook’s Forgot Password procedure. He tried to brute force the 6 digit code in the ‘Forgot Password’ window and discovered that only 12 attempts are possible before being locked out.
Prakash then tried to perform the same operation on the Facebook beta pages, beta.facebook.com and mbasic.beta.facebook.com, and discovered that there is no limit on the number of attempts for these two hosts. The absence of a limit allowed the researcher to launch a brute force attack against any Facebook account.
The vulnerable request illustrated by the researcher is:
POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com

lsd=AVoywo13&n=XXXXX
Brute forcing the “n” successfully allowed Prakash to set a new password for any Facebook user.
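The defect in both write-ups above is the same: the attempt counter for the 6-digit code was enforced on one hostname but not on the beta hosts. The following is an added example, not code from Prakash's write-up or from Facebook, of a reset-code verifier that keeps the attempt budget with the account rather than with the hostname that served the request, so every host draws from the same budget. The hostnames, the 12-attempt budget, the code lifetime and the lockout duration are assumed values for illustration; the form body format `lsd=...&n=...` is the one shown in the request above.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs

# Policy values are assumptions for this example: the article only says the
# main site allowed about 12 attempts and the beta hosts allowed unlimited ones.
MAX_ATTEMPTS = 12
CODE_TTL_SECONDS = 15 * 60
LOCKOUT_SECONDS = 60 * 60


@dataclass
class ResetChallenge:
    code: str           # 6-digit code delivered out of band (SMS or e-mail)
    issued_at: float
    attempts: int = 0


class ResetCodeVerifier:
    """Checks 'Forgot Password' codes against a per-account attempt budget.

    The budget is keyed by account, never by the Host header, so requests to
    www.facebook.com and beta.facebook.com count against the same 12 tries.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._challenges: dict[str, ResetChallenge] = {}
        self._locked_until: dict[str, float] = {}
        self.audit: list[tuple[str, str, str]] = []   # (account, host, outcome)

    def _is_locked(self, account: str) -> bool:
        return self._now() < self._locked_until.get(account, 0.0)

    def issue_code(self, account: str):
        """Generate a fresh code; returns None while the account is locked out."""
        if self._is_locked(account):
            return None
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._challenges[account] = ResetChallenge(code, self._now())
        return code

    def verify(self, account: str, host: str, body: str) -> str:
        """Return 'ok', 'wrong_code', 'locked', 'expired' or 'no_challenge'."""
        outcome = self._verify(account, body)
        self.audit.append((account, host, outcome))   # host is logged, not trusted
        return outcome

    def _verify(self, account: str, body: str) -> str:
        if self._is_locked(account):
            return "locked"
        ch = self._challenges.get(account)
        if ch is None:
            return "no_challenge"
        if self._now() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[account]
            return "expired"
        # Form body as in the article: lsd=<csrf token>&n=<6-digit code>
        submitted = parse_qs(body).get("n", [""])[0]
        ch.attempts += 1                               # counted before comparing
        if hmac.compare_digest(submitted.encode(), ch.code.encode()):
            del self._challenges[account]              # codes are single use
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[account]              # burn the code as well
            self._locked_until[account] = self._now() + LOCKOUT_SECONDS
            return "locked"
        return "wrong_code"


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""
    def __init__(self, start: float = 1_000_000.0):
        self.t = start
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Spread guesses over three hosts; the shared budget still locks the account."""
    clock = FakeClock()
    v = ResetCodeVerifier(now=clock)
    code = v.issue_code("alice")
    wrong = f"{(int(code) + 1) % 1_000_000:06d}"      # guaranteed incorrect
    hosts = ["www.facebook.com", "beta.facebook.com", "mbasic.beta.facebook.com"]
    guesses = [v.verify("alice", hosts[i % 3], f"lsd=AVoywo13&n={wrong}")
               for i in range(MAX_ATTEMPTS)]
    during_lock = v.verify("alice", "beta.facebook.com", f"lsd=AVoywo13&n={code}")
    reissue_while_locked = v.issue_code("alice")
    clock.advance(LOCKOUT_SECONDS + 1)
    new_code = v.issue_code("alice")
    after_lock = v.verify("alice", "www.facebook.com", f"lsd=AVoywo13&n={new_code}")
    return {"guesses": guesses, "during_lock": during_lock,
            "reissue_while_locked": reissue_while_locked, "after_lock": after_lock,
            "hosts_seen": sorted({h for _, h, _ in v.audit})}


if __name__ == "__main__":
    print(demo())
```

Two design points matter here: the attempt counter is incremented before the comparison, so a request that is dropped mid-way still consumes budget, and the code itself is discarded at lockout, so a correct guess submitted after the lock expires is worthless and the legitimate user must request a fresh one.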
Prakash reported the vulnerability to Facebook on February 22, 2016; the security team acknowledged the flaw and deployed a fix on February 23.
Facebook awarded Prakash a bug bounty of $15,000. The video PoC published by the expert is below:
Facebook's Vice President Arrested in Brazil for Refusing to Share WhatsApp Data
2.3.2016 Social Site
Apple is not the only technology giant battling against authorities over a court order; Facebook is also facing the same.
Brazil’s federal police arrested Facebook's Latin America Vice President for failing to comply with court orders to help investigators in a drug trafficking case that involves WhatsApp, a popular messaging app owned by Facebook that has over 100 million users in Brazil.
Facebook VP Diego Jorge Dzodan was arrested on his way to work in São Paulo, Brazil today because the company refused to provide details of a WhatsApp user involved in organized crime and drug trafficking.
Dzodan is still in police custody and is responding to police questioning in São Paulo, local media reported.
According to a statement released by a spokesperson from WhatsApp:
"We are disappointed that law enforcement took this extreme step. WhatsApp cannot provide information we do not have. We cooperated to the full extent of our ability in this case, and while we respect the important job of law enforcement, we strongly disagree with its decision."
In December 2015, the Brazilian court blocked WhatsApp messaging service temporarily for 24 hours in Brazil, after the company refused to hand over the content of communications between alleged drug dealers involved in the drug trafficking case.
...and the latest refusal has now resulted in the arrest of a Facebook VP.
At the time of WhatsApp blackout in Brazil, Facebook’s Chief Executive Officer Mark Zuckerberg said that he was stunned by the "extreme decision by a single judge to punish every person in Brazil who uses WhatsApp."
Today’s arrest of the Facebook VP comes as a New York judge ruled that the United States government has no right to force Apple to unlock an iPhone involved in a drug case.
Apple is also fighting a legal battle against a court order that demands the company help the FBI unlock an iPhone 5C belonging to one of the shooters involved in the San Bernardino massacre.
Here's the Facebook Hacking Tool that Can Really Hack Accounts, But...
9.2.2016 Social Site
Yes, you heard me right.
A newly discovered Facebook hacking tool actually has the capability to hack a Facebook account, but YOURS, not the one you desire to hack.
How to hack a Facebook account? How to hack my girlfriend's Facebook account? My boyfriend is cheating on me, how do I hack his Facebook account?
These are the queries that most of the Internet users search on Google.
But beware! If you come across any Facebook hacking tool that promises to help you hack your friends' Facebook accounts, you may end up downloading a hacking tool that hacks you instead of them.
Facebook Hacking Tool that Can Really Hack, But Your Accounts
Dubbed Remtasu, the tool markets itself as a Facebook hacking tool but is actually a Windows-based Trojan whose spread has accelerated globally over the past year, and which now has the capability to disguise itself as an app for accessing people's Facebook account credentials.
The tool contains a keylogger that can capture all your keystrokes and store them in a file that is subsequently sent to the attacker's server.
The malicious Facebook hacking tool is exploiting "the constant desire of a lot of users to take control of accounts from this well-known social network," according to a Monday blog post by IT security company ESET.
How Remtasu Works:
The malicious tool is delivered via direct download websites.
Once a user visits one of these websites, the Win32/Remtasu.Y malware is automatically downloaded and executed on the victim's machine and hides itself among other files.
Remtasu has capability to:
Open and obtain information from the clipboard.
Capture keystrokes.
Store all the data in a file which is subsequently sent to an FTP server.
The worst part is yet to come:
The malware remains on the infected computer even when the victim reboots their system or attempts to find the malware threat in the list of active processes.
"In this case, the malware replicates itself, saving the copy in a folder that it also creates within the system32 folder," reads the post. "The new InstallDir folder remains hidden inside the system files, making it difficult for users to access."
The most affected countries include Colombia, Turkey and Thailand, among others. In the past, Remtasu was distributed through malicious files attached to phishing emails purporting to be from legitimate government or business organisations.
Breaking — India Bans Facebook's Free Basics Service
8.2.2016 Social Site
Facebook's Free Basics Internet service has been Blocked in India.
The Telecom Regulatory Authority of India (TRAI) has barred mobile carriers and broadband providers from charging customers differently based on what services or content they access over the Internet.
Under Prohibition of Discriminatory Tariffs for Data Services Regulations, 2016, "no service provider shall offer or charge discriminatory tariffs for data services on the basis of content."
With this, Facebook's Free Basics is dead in India.
All Zero-Rated Internet Services are BLOCKED!
It is not just Facebook's Free Basics Internet program that has been blocked inside the country, but also the zero-rated internet services altogether.
Zero-rated internet services are those that allow people to access some websites and web services without using any of their mobile data allowance. Under the new regulation, no such services are allowed.
Free Basics (previously known as Internet.org) is a Facebook service that offers people access to more than three dozen Web services hosted on its platform free of cost.
Subscribers of Free Basics app must have a Reliance mobile network on their phone and are limited to a range of portals including Wikipedia, BBC News, AccuWeather, Bing, and various health websites, and of course, Facebook and Facebook Messenger.
Free Basics Vs. Net Neutrality
Since its launch, Free Basics has been a controversial subject in the country, as it violates Net Neutrality principles.
Net Neutrality advocates argued that by offering some websites and services for free, people are discouraged from visiting other sites. Facebook's Free Basics offers a huge advantage to the sites and services it includes.
For example, if Free Basics includes Facebook Messenger for free access, no other instant messaging app would be able to gain ground in this competitive market, which is nothing but a violation of Net Neutrality.
The Telecom regulator had previously ordered Reliance Communications to temporarily suspend Free Basics until the regulator had come to a decision regarding the implementation of rules on differential data tariffs.
Facebook has been contacted for comment on the new regulation in India, which is the second most populous country in the world. We'll update this article when we hear Facebook's response.