FBController v2.0 was released late yesterday. As the author clearly states, FBController does not, and cannot, hack into a Facebook account. What it CAN do is control a Facebook account (write on one’s own wall or on others’ walls, retrieve the profile page, retrieve the friends list, and even attempt to retrieve the inbox and send messages) without having the account’s password. Instead of the password, it only needs the Facebook cookie values for the account, because those cookies carry the logged-in session. As we discussed in my #heweb presentation, once you identify a Cross-Site Scripting (XSS) vulnerability, it is a simple matter to capture a victim’s cookies: any cookie not flagged HttpOnly can be read by injected script through document.cookie and shipped off to a host the attacker controls. As theharmonyguy pointed out last month in his Month of Facebook Bugs, a huge number (9700) of Facebook applications are riddled with security holes, with XSS being the most common.
Armed with the list of vulnerable Facebook applications and FBController, an attacker could potentially harvest a huge number of Facebook cookies. From there s/he could spam the account’s friends, sending them links to other compromised sites or to malware downloads. If you are an admin of your university’s Facebook page or group, be very paranoid about which Facebook applications you use, or simply don’t use any at all.
Photo by Aaron Landry