New Utility Allows You to Control Facebook Accounts Without the Password

By Paul Gilzow - Wed, Oct 21, 2009

General, Security, Social Networks


FBConTroller v2.0 was released late yesterday. As the author clearly states, FBController does not, nor can it, hack into a Facebook account. What it CAN do, though, is control a Facebook account (write on one's own wall or others' walls, retrieve the profile page, retrieve the friends list, and even attempt to retrieve the inbox and send messages) without having the password for the account. Instead of the password, it simply needs the Facebook cookie values for an account. As we discussed in my #heweb presentation, once you identify a Cross-Site Scripting (XSS) vulnerability, it is simply a matter of capturing a victim's cookies. As theharmonyguy pointed out last month in his Month of Facebook Bugs, a huge number (9700) of Facebook applications are riddled with security holes, with XSS being the most common.

Armed with the list of vulnerable Facebook applications and FBConTroller, an attacker could potentially harvest a huge number of Facebook cookies. From there s/he could spam the account's users/friends, sending them links to other compromised sites or to malware downloads. If you are an admin of your University's Facebook page/group, be very paranoid about which Facebook applications you use, or simply don't use any at all.
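The following Python audit is an added example, not code from the post or from the FBController project. It shows what decides whether an XSS payload can read a session cookie at all: a cookie flagged HttpOnly never appears in document.cookie, a host-only cookie (no Domain attribute) is visible only on the exact host that set it, and a cookie scoped to the parent domain is visible on every subdomain. The hostnames and cookie values are constructed for illustration.

```python
"""Audit Set-Cookie headers for exposure to script running on a given host.

Constructed example: hostnames and cookie values are illustrative and do
not describe any real site's configuration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None  # None means a host-only cookie
    httponly: bool = False
    secure: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 subset: Domain, Secure, HttpOnly)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val.strip():
            cookie.domain = val.strip().lstrip(".").lower()  # leading dot is ignored
        elif key == "httponly":
            cookie.httponly = True
        elif key == "secure":
            cookie.secure = True
    return cookie


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-matching: exact match, or host is a subdomain of domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def readable_by_script(cookie: Cookie, setting_host: str, script_host: str) -> bool:
    """Would document.cookie on script_host expose this cookie?"""
    if cookie.httponly:
        return False  # HttpOnly cookies are never exposed to page script
    if cookie.domain is None:
        return script_host.lower() == setting_host.lower()  # host-only cookie
    return domain_matches(script_host, cookie.domain)


def audit(headers: List[str], setting_host: str, script_host: str) -> Tuple[List[str], List[str]]:
    """Return (cookies readable by script on script_host, cookies lacking HttpOnly)."""
    exposed, missing_httponly = [], []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not cookie.httponly:
            missing_httponly.append(cookie.name)
        if readable_by_script(cookie, setting_host, script_host):
            exposed.append(cookie.name)
    return exposed, missing_httponly


# Constructed sample: three cookies set by www.example-social.com
SAMPLE_HEADERS = [
    "sess_id=abc123; Domain=.example-social.com; Path=/; Secure",            # parent domain, script-readable
    "sess_hard=abc123; Domain=.example-social.com; Path=/; Secure; HttpOnly",  # parent domain, hidden from script
    "csrf_tok=x9y8; Path=/; Secure",                                           # host-only: www. only
]
```

Running `audit(SAMPLE_HEADERS, "www.example-social.com", "apps.example-social.com")` reports only `sess_id` as readable from the sibling subdomain; the HttpOnly copy is the one a site should actually be setting for its session.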

Photo by Aaron Landry (cc)






This post was written by Paul Gilzow, who has written 2 posts on .eduGuru.


5 Responses to “New Utility Allows You to Control Facebook Accounts Without the Password”

  1. theharmonyguy Says:

    Thanks for the link!

    Slight correction, though: Since Facebook runs all applications on the apps.facebook.com domain, an XSS hole in an application would not allow you to grab the cookies for facebook.com or http://www.facebook.com - at least not in any modern browser I know of.

    Of course, you can send links to other users with an application XSS hole by using the Facebook API.


    • theharmonyguy Says:

      Correction to my correction: As Paul pointed out to me via Twitter, an attacker could theoretically change document.domain. But Facebook filters any JavaScript in an application running via apps.facebook.com, so they wouldn’t allow such code via an app XSS hole, and the attack would still fail.


  2. theharmonyguy Says:

    Paul corrected me that you could actually change document.domain if you could run pure JavaScript on an apps.facebook.com. But code on that domain is filtered by Facebook, so inserting script that tries to change document.domain would not be rendered.

    So, exploiting an application would still not work, but for a different reason. Thanks for the clarification, Paul.


  3. Web Solutions Says:

    It will be really good if it works well according to the users' needs.


  4. Sample Resumes Says:

    Oh wow! It's amazing. I hope that it'll be a very good function for the users. I don't know about it. Thanks a lot for sharing such a nice post.

