Tuesday, 4 December 2012

Facebook User Security Hole & How to Secure :)


Facebook User Security Hole


Every Webpage or Application that is designed on the "WEB" has a vulnerability. Whether it is a Yahoo Account or it is the website of "FBI", it might be exploitable! We Can't even tell whether FBI.gov is secured or not. When we talk about the internet, the term "Facebook" also clicks in our head. But Facebook also has a user security hole. Using this vulnerability, an attacker can easily penetrate his victims account. No other social networking website has ever shown this type of anomaly.


How is it done ?

An attacker creates three or four Fake facebook accounts and sends requests
to his victim from all of these. He is already aware of the victims Parent Email Address (The one he used to signup for Facebook). After the victim confirm all his accounts, the attacker logs out and puts his victims email in the "Email" Section. Facebook shows a "Reset my password" option after typing in absurd passwords again and again.






The recovery option then asks the user whether to send his password reset code to his parent email
address or his cell phone number. Along with this, there's an option saying "No longer have access to these?".



Clicking on this option asks the attacker to enter a new Email Address.


In This section, the attacker types his own Email Address and hits the Submit button.Facebook's automated systems first confirm whether this is his own Email Address or not, so they ask him to choose three Close friends who will get the Confirmation code in their Inbox.


These three accounts are actually his fake accounts.





Facebook now shows three boxes asking for the confirmation codes that were sent to his fake accounts.


The attacker now logs in into each account and fetches the codes, pastes it into the boxes and gets access to his victims account.

How can one secure himself from this security hole ?

After reading this Article, you might be thinking "Now what?  
Any one can penetrate my account easily. So what should be done now?". Here are some suggestions to secure yourself :

1) Don't accept anonymous Requests.
2) Set a security question for your account. If someone tries to choose "No longer have access to these?", then Facebook will ask him to answer the security question first.
"This tutorial is Education Purpose only don’t misuse it Trick2do will Not Hold any responsibility"
Posted by at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)