#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Facebook hacking | Breaking Cybersecurity News | The Hacker News

Facebook Open URL Redirection vulnerability

Facebook Open URL Redirection vulnerability

Nov 16, 2013
Security Researcher Dan Melamed discovered an Open URL redirection vulnerability in Facebook that allowed him to have a facebook.com link redirect to any website without restrictions. An open URL Redirection flaw is generally used to convince a user to click on a trusted link which is specially crafted to take them to an arbitrary website, the target website could be used to serve a malware or for a phishing attack . An Open URL Redirection url flaw in Facebook platform and third party applications also exposes the user's access token at risk if that link is entered as the final destination in an Oauth dialog . The Facebook Open URL Redirection vulnerability exists at landing.php  page with " url " parameter, i.e. https://facebook.com/campaign/landing.php?url=https://yahoo.com This URL will always redirects user to the Facebook 's homepage, but it is sufficient to manipulate the "url" parameter assigning a random string: https://facebo
Vulnerability in Facebook app allows hackers to steal access tokens and hijack accounts

Vulnerability in Facebook app allows hackers to steal access tokens and hijack accounts

Oct 29, 2013
There are more than 100 Million users who are using Facebook mobile app. Facebook has fixed multiple critical vulnerabilities in its Android based applications that allows hackers to steal access tokens and hijack accounts. Egyptian security researcher Mohamed Ramadan, Security researcher with Attack Secure, has who disclosed  a couple of vulnerabilities in the Facebook Main app and Facebook messenger app and Facebook page's manager application for Android. User's access token is the key to accessing a Facebook account and according to him, an attacker only needs to send a message that contains an attachment of any type, i.e. Videos, documents, and pictures. Once the victim will click on that file to download, immediately victim's access_token will be stored in the Android's log messages called -  logcat ,  that enables other apps to grab user's access token and hijack the account. Video Demonstration: The second flaw which is reported by Ramadan
Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu
Barack Obama's Twitter, Facebook, Campaign website and Email Accounts hacked by Syrian Electronic Army

Barack Obama's Twitter, Facebook, Campaign website and Email Accounts hacked by Syrian Electronic Army

Oct 28, 2013
The pro-Assad group Syrian Electronic Army claims it has hacked the President Barack Obama's website , Twitter-Facebook accounts and access email accounts linked to Organizing For Action, the non-profit offshoot of Obama For America, Obama's 2012 campaign operation. Last night,  Syrian Electronic Army (SEA)  hacked into Obama's donation website donate.barackobama.com , which was temporarily redirected to the website of the hacking group ( sea . sy / indexs / ) with a short message: " Hacked by SEA ". The hackers were able to take over only a secondary donations page. It was an older page - still on the site, but was no longer being used. They have also posted fake tweets and updates from Obama's Facebook Page and Twitter accounts, " All  the  links that Barack Obama account tweeted it and post it on Facebook was redirected to a video showing the truth about Syria " Hacker told Mashable in an interview. The attackers also compromised the URL shorten
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
Buffer hacked; Twitter, Facebook flooded with Spam Weight-loss links

Buffer hacked; Twitter, Facebook flooded with Spam Weight-loss links

Oct 27, 2013
If you're a user of the Buffer app, the social-media management service that let you cross-posting to various social networks, be aware that the service got hacked yesterday, with spam messages going out over Facebook.  " Buffer was hacked around 1 hour ago, and many of you may have experienced spam posts sent from you via Buffer. I can only understand how angry and disappointed you must be right now. " Buffer team said, in an email sent to users and also posted to Buffer's blog . It's not yet clear how many of Buffer's 1 million or so users were affected by the hack, but buffer maintains that user passwords are safe nor has any "billing or payment information been affected or exposed" . Photo Credit : The Next Web It appears that Buffer's Facebook and Twitter spam messages were first sent at around 2:20 p.m. ET. Hackers have used the exploit to spam user accounts on Facebook, Twitter, Google+, and other sites. Just recently, Instagram saw a viral wa
Facebook Graph Search becomes more powerful than ever, Review your Privacy Settings again

Facebook Graph Search becomes more powerful than ever, Review your Privacy Settings again

Oct 04, 2013
Facebook Graph Search is more powerful than ever, has been updated to allow people to search in greater depth on Facebook.  Facebook expanded its Graph Search to include posts and status updates, which means everything you've been posting is way easier to find than ever before. " Now you will be able to search for status updates, photo captions, check-ins and comments to find things shared with you ," says Facebook . For example, you could enter " Posts by my friends from last month ," or " Posts written at The White House " in order to find that specific information. Facebook's search is increasing in power much faster than people are realizing that their life is being digitally sorted and indexed. As Facebook widens its scope of searchable information, questions about privacy continue to rise. Facebook users should check their privacy settings if they want to limit the people who can search every post or status update they have ev
Hacking Facebook to delete any account; Facebook again refuses to pay Bounty

Hacking Facebook to delete any account; Facebook again refuses to pay Bounty

Sep 05, 2013
In the past few days, Facebook refused to pay bounty to Khalil Shreateh , the security researcher who used the bug he discovered to post directly on Facebook CEO Mark Zuckerberg 's Timeline after Facebook Security rejected his attempts to report it. Ehraz Ahmed, an independent Security Researcher claimed that he reported a critical vulnerability to the Facebook Security team, which allows the attacker to delete any account from Facebook. But Facebook refuses to Pay Bug Bounty , because he tested flaw once on his friend's account, " I reported this bug to Facebook, I'm really not happy with them. After waiting for such a long time for their reply, they denied it saying that you used this bug only works for test accounts, where as I used it for removing real accounts and now the vulnerability is also fixed after their email." he said on his blog . Video Demonstration of Exploit: Vulnerable  URL : https://www.facebook.com/ajax/whitehat/delete_
Vulnerability allowed hacker to Delete any Facebook Photo; Rewarded with $12,500 for reporting bug

Vulnerability allowed hacker to Delete any Facebook Photo; Rewarded with $12,500 for reporting bug

Sep 01, 2013
Indian Security Enthusiast ' Arul Kumar ' recently reported an interesting Facebook vulnerability that allowed him to delete any Facebook image within a minute. Facebook Bug Bounty program rewarded him with  $12,500 USD for helping the Facebook Security team to patch this critical loophole in their own " Support Dashboard ". The flaw is critical because using this exploitation method hacker can also delete Mark Zuckerberg's ( Facebook Founder ) Photos from his Photo Album, or even from wall of any verified page too. Arul posted on his blog, " The Support Dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your Support Dashboard, you can see if your report has been reviewed by Facebook employees who assess reports 24 hours a day, seven days a week ." That means, if you will report abuse the targeted image and send a Photo Removal Request, Facebook Server Will automatically generate
Palestinian Hacker posted vulnerability details on Mark Zuckerberg’s Timeline

Palestinian Hacker posted vulnerability details on Mark Zuckerberg's Timeline

Aug 18, 2013
A Palestinian Web Developer and Hacker, ' Khalil Shreateh ' found an interesting  vulnerability in Facebook, that allows hacker to bypass the Privacy settings to make a post on anyone's Timeline / Wall. He was forced to post vulnerability details on Mark Zuckerberg (Facebook Founder) Timeline to prove his point, after the Facebook Security Team failed to recognize his critical vulnerability three times. The flaw even working for those victims, who is not included in the attacker friend list.  According to Facebook's Bug Bounty program, a researcher has to submit the flaw details via email to Facebook Security Team without disclosing the details in Public. In order to get the minimum reward of US$500, the flaw should be valid. The reported vulnerability is in " composer.php " file on Facebook mechanism. First Khalil made a post on the timeline of a girl, " Sarah Gooden " who studied at the same college as Facebook CEO Mark Zuckerbe
Pakistan Army site and Facebook pages compromised by Indian hacker Godzilla

Pakistan Army site and Facebook pages compromised by Indian hacker Godzilla

Aug 09, 2013
Pakistan Army site (pakistanarmy.gov.pk) and Three Facebook pages hacked by an Indian hacker 'Godzilla '. Hacker told ' The Hacker News ' that, using a CMS vulnerability they got access into the Pakistan army website using credentials i.e. Username: mag_admin password: #$%modern! .  Then they left a malicious PDF magazine document in their content management system of magazine portal for the Pakistan army, which was later clicked by the Administrator and that installed a piece of malware on the administrator's computer. " For security they have taken down the login page of content management but failed to remove my backdoor " hacker told The Hacker News. Using an infected system of the Administrator, he has also gained unauthorized access to three Pakistan Army Facebook pages. Pakistan Army Official Facebook Page ( www.facebook.com/OfficialPakArmy ) Pakistan Army Officers Club Facebook Page ( www.facebook.com/fb.paoc ) Pakistan Army Fan Facebook Page
Another Facebook hack exposes primary email address facebook users

Another Facebook hack exposes primary email address facebook users

Jul 21, 2013
Last week we explained a critical vulnerability in Facebook that discloses the primary email address of facebook user. Later the bug was patched by Facebook Security Team. Today another similar interesting Facebook hack disclosed by another bug hunter, Roy Castillo. On his blog he explained a new facebook hack method that allows anyone to grab primary emails addresses of billions of Facebook users easily. Facebook Provides a App Dashboard for creating and managing your Facebook apps, with a range of tools to help you configure, build and debug your Facebook apps. The flaw exists in App settings, where application admin can add developer's profile also, but if the user is not a verified user, a error messages on page will disclose his primary email address. Using following mentioned steps, one was able to grab email addresses of all facebook users: Collect profile links of all facebook users from Facebook People Directory i.e https://www.facebook.com/directo
Vulnerability in Facebook discloses Primary Email Address of any account

Vulnerability in Facebook discloses Primary Email Address of any account

Jul 09, 2013
When you sign up on Facebook, you have to enter an email address and that email address becomes your primary email address on Facebook. In a recent disclosure by a Security researcher, Stephen Sclafani - The Social Networking site Facebook was  vulnerable to disclosure of primary email address of any Facebook user to hackers and spammers . The flaw resides in the invitation mechanism of Facebook, using which one can invite his all contacts emails to Facebook for making new account. As shown in following screenshot, an invitation received on an email, where one need to click the Signup URL: After clicking that URL, invited user will be redirected to a signup page filled in with the email address and the name of a person who used the link to sign up for an account was displayed: There are two parameters in this URL, i.e "re" and "mid". According to Stephen changing some part of "mid" parameter can expose the email address of another user. http:/
Facebook implementing Advanced HTTPS to minimize NSA Interception

Facebook implementing Advanced HTTPS to minimize NSA Interception

Jun 29, 2013
For years the National Security Agency has successfully shielded its surveillance programs from any real public scrutiny. There have been a lot of news stories about NSA surveillance programs following the leaks of secret documents by Edward Snowden . We have learned that the NSA is collecting millions of Americans' phone records on a daily basis, that it operates a program called PRISM involving the surveillance of Internet communications, including Email, Facebook posts, and instant messages. The NSA is allowed to record the conversations of non-Americans without a specific warrant for each person monitored, if at least one end of the conversation is outside of the U.S. It is also allowed to record the communications of Americans if they are outside the U.S. and the NSA first gets a warrant for each case. Because Facebook is using outdated Web encryption, which cryptographers say the NSA could penetrate reasonably quickly after intercepting the communications using 
Facebook temporarily blocked access from TOR, but not Intentionally

Facebook temporarily blocked access from TOR, but not Intentionally

Jun 20, 2013
Tor has become a tool of free expression in parts of the world where citizens can not speak freely against their government. On Tuesday, a number of users have noticed that Facebook is blocking connections from the Tor network. Tor is a free tool that keeps Web browsing sessions private and anonymous . For activists and political dissidents who use the Internet to communicate with the outside world in countries where doing so is a crime , being unable to login to Facebook using TOR posed a huge problem. Later, Facebook resolves the Tor issues and said that A high volume of malicious activity across Tor exit nodes triggered Facebook's automated malware detection system, which temporarily blocked visitors who use the Tor anonymity service to access the social network . The role that Tor and Facebook played in facilitating the dissemination of information under restrictive regimes cannot be underestimated. Security researchers are also frequent users of Tor, for instan
Warning ! Facebook virus Zeus targets bank accounts

Warning ! Facebook virus Zeus targets bank accounts

Jun 05, 2013
The infamous Zeus malware has once again resurfaced as per Symantec and is capable of draining your bank accounts. Zeus propagates through phishing messages that originate from an account that has been phished. Such a phished account will then start automatically sending messages to friends with links to ads telling them to check out a video or product.  Of course, you should not click as doing so will get your account phished as well. The program is sophisticated enough that it can replace a bank's Web site with a mimicked page of its very own. The fake page can then ask for social security number information and other data that is then sold on the black market.  According to Trend Micro the pages are being hosted by the Russian criminal gang known as the Russian Business Network. Zeus was first detected in 2007 and it is spreading online. If you click on the Zeus virus, it is designed to steal your password and drain your bank account. Facebook is aware of the rising issue, but
Hacking Instagram Accounts using OAuth vulnerability

Hacking Instagram Accounts using OAuth vulnerability

May 02, 2013
' Nir Goldshlager ' known as Facebook hacker and founder of Break Security  , who reported many critical bugs in Facebook OAuth mechanism in past few months, today disclose a critical  vulnerability in Instagram Oauth that allow an attacker to hack any account. Succesful hack allows attacker to access private photos, ability to delete victim's photos and to edit comments and also the ability to post new photos. Hacker explained that there are two ways to hack Instagram accounts using OAuth, first via Hijack Instagram accounts using the Instagram OAuth or Hijack Instagram accounts using the Facebook OAuth Dialog. During his bug hunting Nir found loopholes in Instagram's security parameters i.e redirect_uri , that allows  attacker to pass the access token to his own domain with mx as suffix i.e code straight to breaksec.com.mx . POC :  https://instagram.com/oauth/authorize/?client_id=33221863eec546659f2564dd71a8a38d&redirect_uri=https://breaksec
Another way to hack Facebook accounts using OAuth vulnerability

Another way to hack Facebook accounts using OAuth vulnerability

Apr 17, 2013
In recent few months White hat Hacker ,' Nir Goldshlager ' reported many critical bugs in Facebook OAuth  mechanism, that allowed an attacker to hijack any Facebook account without user's interaction.  Another hacker, ' Amine Cherrai ' reported a new Facebook OAuth flaw, whose exploitation is actually very similar to Nir Goldshlager 's findings but with a new un-patched way. Before reading further, I would like to suggest you to read following post to understand the basic exploitation mechanism: Facebook OAuth flaw allows gaining full control over any Facebook account Facebook hacking accounts using another OAuth vulnerability URL Redirection flaw in Facebook apps push OAuth vulnerability again in action Now, if you are aware about the vulnerability used against Facebook OAuth in  redirect_uri parameter in  the URL, there is another way that  Amine Cherrai found, to bypass the patch applied by Facebook  security team. He found another
URL Redirection flaw in Facebook apps push OAuth vulnerability again in action

URL Redirection flaw in Facebook apps push OAuth vulnerability again in action

Apr 04, 2013
In earlier posts, our Facebook hacker ' Nir Goldshlager ' exposed two serious Facebook oAuth Flaws. One, Hacking a Facebook account even without the user installing an application on their account and second, various ways to bypassing the regex protection in Facebook OAuth. This time, Nir illustrated a scenario attack  " what happens when a application is installed on the victim's account and how an attacker can manipulate it so easily " According to hacker, if the victim has an installed application like Skype or Dropbox, still hacker is able to take control over their accounts.  For this, an attacker required only a url redirection or cross site scripting  vulnerability on the Facebook owner app domain i.e in this scenario we are talking about skype facebook app. In many bug bounty programs URL redirection is not considered as an valid vulnerability for reward i.e Google Bug bounty Program. Nir also demonstrated that an attacker is even able to ga
Phishers hijacking Facebook Pages using apps

Phishers hijacking Facebook Pages using apps

Mar 08, 2013
Another phishing campaign come in action recently targeting Facebook accounts and company pages with millions of followers. Phishers continue to devise new fake apps for the purpose of harvesting confidential information. Not a new method, but very creative phishing example in Facebook hacking scene, where hacker host a phishing page on Facebook app sub domain itself. Designed very similar to Facebook Security team with title ' Facebook Page Verification ' and using Facebook Security Logo as shown in the screenshot posted above. Phishing app URL: https://apps.facebook.com/verify-pages/ Application hosted on:   https://talksms.co.uk/ The phishing page asking users to enter Page URL and Page Name that victim own and his Facebook login email ID with password. Once victim trapped in hacker web, the phisher records your information. Another interesting fact is that, the phishing domain https://talksms.co.uk/ is a HTTPS site with with verified SSL from GeoTrust
Microsoft becomes latest victim of Cyber attack

Microsoft becomes latest victim of Cyber attack

Feb 23, 2013
Microsoft has become the latest victim of to Cyber attack and confirm that small number of its computers, including some in its Mac software business unit, were infected with malware . Microsoft added , malicious software used in a cyber attack is very similar to those experienced by Facebook and Apple recently. Microsoft gave few other details about the break-in, " We have no evidence of customer data being affected and our investigation is ongoing. " " During our investigation, we found a small number of computers, including some in our Mac business unit that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing, " Microsoft said. " This type of cyber attack is no surprise to Microsoft and other companies that must grapple with determined and persistent adversaries ," the company said. Last week, Apple said its
Malware attack on Apple employees by hackers who targeted Facebook

Malware attack on Apple employees by hackers who targeted Facebook

Feb 20, 2013
The same ring of hackers that are responsible for hacking into at least 40 companies including Facebook and Twitter are reportedly also infected the computers of some Apple employees, the company acknowledged Tuesday. The purpose of hack considered an effort to steal company secrets, research and intellectual property that they can sell. Investigators tracked at least one server being used by the hacker ring to a hosting company in the Ukraine. " Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers, " the company said in its statement. " The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network ." Apple isolated the infected systems from its network and said there was no indication that any data
Cybersecurity Resources