New Utility Allows You to Control Facebook Accounts Without the Password

By Paul Gilzow - Wed, Oct 21, 2009-->


General, Security, Social Networks

New Utility Allows You to Control Facebook Accounts Without the Password

FBConTroller v2.0 was released late yesterday.  As the author clearly states, FBController does not, nor can it, hack into a Facebook account.  What it CAN do though is to control a Facebook account (write on one’s own wall, others wall, retrieve profile page, retrieve friends list and even attempts to retrieve inbox and send messages) without having to have the password for the account.  Instead of the password, it simply needs the Facebook cookie values for an account.  As we discussed in my #heweb presentation, once you identify a Cross-Site Scripting (XSS) vulnerability, it is simple a matter to capture a victim’s cookies.  As theharmonyguy pointed out last month in his Month of Facebook Bugs, a huge number (9700) of facebook applications are riddled with security holes, with XSS being the most common.

Armed with the list of vulnerable facebook applications, and FBConTroller, an attacker can potentially harvest a huge number of facebook cookies. From there s/he could spam the accounts users/friends, sending them links to other compromised sites or to download malware.  If you are an admin of your University’s facebook page/group, be very paranoid about which facebook applications you use, or simply don’t use any at all.

cc New Utility Allows You to Control Facebook Accounts Without the PasswordPhoto by Aaron Landry

Share StumbleUpon It! reddit

Like this post? Be sure you've subscribed to the .eduGuru RSS feed or email to get all the latest news and articles.

Read Related Posts on .eduGuru:

  1. Facebook Privacy and Admissions Counselors: Know Your Settings
  2. Security in October: Google Wave, Facebook, XSS
  3. Imposter Twitter Accounts could be Making Money off your University

This post was written by:

Paul Gilzow - who has written 2 posts on .eduGuru

5 Responses to “New Utility Allows You to Control Facebook Accounts Without the Password”

  1. Avatar image
    theharmonyguy Says:

    Thanks for the link!

    Slight correction, though: Since Facebook runs all applications on the domain, an XSS hole in an application would not allow you to grab the cookies for or - at least not in any modern browser I know of.

    Of course, you can send links to other users with an application XSS hole by using the Facebook API.


    • Avatar image
      theharmonyguy Says:

      Correction to my correction: As Paul pointed out to me via Twitter, an attacker could theoretically change document.domain. But Facebook filters any JavaScript in an application running via, so they wouldn’t allow such code via an app XSS hole, and the attack would still fail.


  2. Avatar image
    theharmonyguy Says:

    Paul corrected me that you could actually change document.domain if you could run pure JavaScript on an But code on that domain is filtered by Facebook, so inserting script that tries to change document.domain would not be rendered.

    So, exploiting an application would still not work, but for a different reason. Thanks for the clarification, Paul.


  3. Avatar image
    Web Solutions Says:

    It will be really good if works well according to the user needs


  4. Avatar image
    Sample Resumes Says:

    Oh wow! its amazing. I hope that it ‘ll be a very good function to the users. I don’t know about it. Thanks a lot for sharing such a nice post.


Leave a Reply

Spam protection by WP Captcha-Free