Facebook hacking | Breaking Cybersecurity News | The Hacker News

If your Facebook wall offers you any horror videos that claim to be of a real ghost spotted, don't dare to click on them, as it may be hoaxes, malwares or scams contained within which are the real horror for the online users. We have seen a lot of Facebook scams spreading through the Facebook timeline in wild that encourages users to click on it and fall victim, and this time some new horror scam campaign is going viral on Facebook. Christopher Boyd from the security firm Malwarebytes has discovered an epidemic of hoaxes making their way around Facebook with paranormal themes, including: Alleged footage of an "actual" ghost attack a video featuring the Aswang that is described as "a mythical shape-shifting were-dog/vampire/terrifying thing from the Philippines" a video of Mermaids claiming they are back! Video of a huge great white shark tearing apart a sea captain. Facebook has become one of the most popular social networking website with more than one billion

Have you noticed a blue color " Free Voice Call " icon that appears next to your Facebook contacts in the iOS and Android Facebook Messenger app? Yes, Facebook has updated their Messenger app that includes the ability to make free voice calls to your online pals and now Facebook users can simply tap the phone icon to call their friends. FACEBOOK DITCH WHATSAPP OVER CALLING FEATURE WhatsApp was reportedly developing voice call feature since last year and when it was acquired by Facebook for $19 billion in February, users estimated that Facebook will add Internet calling feature to Whatsapp soon, rather than to its own Facebook Messenger. However, the WhatsApp VoIP calling is still to come and is expected to launch the update with the feature in the coming weeks, but sadly before that Facebook may leave other popular free calling apps, such as Viber, Line, Google's Hangout, Skype behind. USERS' PRIVACY AT RISK, AS NO ENCRYPTION As expected, Faceboo

To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to  privileged identity management  aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with continuous high-level privileges. By adopting this strategy, organizations can enhance security, minimize the window of opportunity for potential attackers and ensure that users access privileged resources only when necessary.  What is JIT and why is it important?   JIT privileged access provisioning  involves granting privileged access to users on a temporary basis, aligning with the concept of least privilege. This principle provides users with only the minimum level of access required to perform their tasks, and only for the amount of time required to do so. One of the key advantages of JIT provisioning

Defending and Analysis of online threats and malwares   have become more challenging nowadays and especially for larger businesses like the popular social networking site - Facebook. To encounter malware, phishing, and other online threats, Facebook has taken an important step forward. Facebook has unveiled its latest security-focused platform, dubbed as ' ThreatData ', which is a framework that aims to standardize its methods for collecting and analyzing data. The ThreatData framework is implemented to import information about the various online threats, malware, phishing and other internet risks, then storing it proficiently for real-time and long-term analysis as well. It consists of three high level components i.e. Feeds, Data storage, and Real-time response. FEEDS:  Feeds will collect data from a distinct source and implement them via a lightweight interface. " Here are some examples of feeds we have implemented: Malware file hashes from VirusTotal; Malicious

Besides collecting metadata and inserting backdoor to the devices and softwares, the US National Security Agency (NSA) has an eye on each post, picture, message you have ever sent on Facebook. I know you won't be feeling free considering your privacy, but, this is what the NSA is doing to you. The new revelation from the Glenn Greenwald 's desk remove the mask from one more secret surveillance operation carried out by the US intelligence agency NSA, the extensive program dubbed as ' TURBINE ', according to the classified files provided previously by NSA whistleblower Edward Snowden . Yes, the NSA, who has been working with its dedicated hacking unit, Tailored Access Operations (TAO) from the past several years on enlarging its caliber to infect devices with spyware and creating its own command-and-control servers to manage millions of infected systems at a time. The secret documents presented by The Intercept  website shows that the NSA with its British counterpart G

Security researchers at Trustwave's SpiderLabs found a Netherlands-based Pony Botnet Controller Server with almost two Million usernames and passwords, stolen by cybercriminals from users of Facebook, Twitter, Google, Yahoo and other websites. In a blog post, the researchers mentioned that after the Pony Version 1.9  Source code was made public and they found a way to get into the Botnet 's Admin area, from where they collected stolen database and statistics. The Pony Control panel, written in Russian language, indicated Facebook was the worst impacted and two Russian Social Media sites i.e. vk.com and odnoklassniki.ru, credentials were also included in the database. It is not clear at this time that how exactly the login credentials were originally obtained, but one possibility is that, they were captured using some keyloggers or similar malware. Statistics of stolen login credentials: 1,580,000 website login credentials stolen (including 318,121 Facebook login credentia

Security Researcher Dan Melamed discovered an Open URL redirection vulnerability in Facebook that allowed him to have a facebook.com link redirect to any website without restrictions. An open URL Redirection flaw is generally used to convince a user to click on a trusted link which is specially crafted to take them to an arbitrary website, the target website could be used to serve a malware or for a phishing attack . An Open URL Redirection url flaw in Facebook platform and third party applications also exposes the user's access token at risk if that link is entered as the final destination in an Oauth dialog . The Facebook Open URL Redirection vulnerability exists at landing.php  page with " url " parameter, i.e. https://facebook.com/campaign/landing.php?url=https://yahoo.com This URL will always redirects user to the Facebook 's homepage, but it is sufficient to manipulate the "url" parameter assigning a random string: https://facebo

There are more than 100 Million users who are using Facebook mobile app. Facebook has fixed multiple critical vulnerabilities in its Android based applications that allows hackers to steal access tokens and hijack accounts. Egyptian security researcher Mohamed Ramadan, Security researcher with Attack Secure, has who disclosed  a couple of vulnerabilities in the Facebook Main app and Facebook messenger app and Facebook page's manager application for Android. User's access token is the key to accessing a Facebook account and according to him, an attacker only needs to send a message that contains an attachment of any type, i.e. Videos, documents, and pictures. Once the victim will click on that file to download, immediately victim's access_token will be stored in the Android's log messages called -  logcat ,  that enables other apps to grab user's access token and hijack the account. Video Demonstration: The second flaw which is reported by Ramadan

The pro-Assad group Syrian Electronic Army claims it has hacked the President Barack Obama's website , Twitter-Facebook accounts and access email accounts linked to Organizing For Action, the non-profit offshoot of Obama For America, Obama's 2012 campaign operation. Last night,  Syrian Electronic Army (SEA)  hacked into Obama's donation website donate.barackobama.com , which was temporarily redirected to the website of the hacking group ( sea . sy / indexs / ) with a short message: " Hacked by SEA ". The hackers were able to take over only a secondary donations page. It was an older page - still on the site, but was no longer being used. They have also posted fake tweets and updates from Obama's Facebook Page and Twitter accounts, " All  the  links that Barack Obama account tweeted it and post it on Facebook was redirected to a video showing the truth about Syria " Hacker told Mashable in an interview. The attackers also compromised the URL shorten

If you're a user of the Buffer app, the social-media management service that let you cross-posting to various social networks, be aware that the service got hacked yesterday, with spam messages going out over Facebook.  " Buffer was hacked around 1 hour ago, and many of you may have experienced spam posts sent from you via Buffer. I can only understand how angry and disappointed you must be right now. " Buffer team said, in an email sent to users and also posted to Buffer's blog . It's not yet clear how many of Buffer's 1 million or so users were affected by the hack, but buffer maintains that user passwords are safe nor has any "billing or payment information been affected or exposed" . Photo Credit : The Next Web It appears that Buffer's Facebook and Twitter spam messages were first sent at around 2:20 p.m. ET. Hackers have used the exploit to spam user accounts on Facebook, Twitter, Google+, and other sites. Just recently, Instagram saw a viral wa

Facebook Graph Search is more powerful than ever, has been updated to allow people to search in greater depth on Facebook.  Facebook expanded its Graph Search to include posts and status updates, which means everything you've been posting is way easier to find than ever before. " Now you will be able to search for status updates, photo captions, check-ins and comments to find things shared with you ," says Facebook . For example, you could enter " Posts by my friends from last month ," or " Posts written at The White House " in order to find that specific information. Facebook's search is increasing in power much faster than people are realizing that their life is being digitally sorted and indexed. As Facebook widens its scope of searchable information, questions about privacy continue to rise. Facebook users should check their privacy settings if they want to limit the people who can search every post or status update they have ev

In the past few days, Facebook refused to pay bounty to Khalil Shreateh , the security researcher who used the bug he discovered to post directly on Facebook CEO Mark Zuckerberg 's Timeline after Facebook Security rejected his attempts to report it. Ehraz Ahmed, an independent Security Researcher claimed that he reported a critical vulnerability to the Facebook Security team, which allows the attacker to delete any account from Facebook. But Facebook refuses to Pay Bug Bounty , because he tested flaw once on his friend's account, " I reported this bug to Facebook, I'm really not happy with them. After waiting for such a long time for their reply, they denied it saying that you used this bug only works for test accounts, where as I used it for removing real accounts and now the vulnerability is also fixed after their email." he said on his blog . Video Demonstration of Exploit: Vulnerable  URL : https://www.facebook.com/ajax/whitehat/delete_

Indian Security Enthusiast ' Arul Kumar ' recently reported an interesting Facebook vulnerability that allowed him to delete any Facebook image within a minute. Facebook Bug Bounty program rewarded him with  $12,500 USD for helping the Facebook Security team to patch this critical loophole in their own " Support Dashboard ". The flaw is critical because using this exploitation method hacker can also delete Mark Zuckerberg's ( Facebook Founder ) Photos from his Photo Album, or even from wall of any verified page too. Arul posted on his blog, " The Support Dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your Support Dashboard, you can see if your report has been reviewed by Facebook employees who assess reports 24 hours a day, seven days a week ." That means, if you will report abuse the targeted image and send a Photo Removal Request, Facebook Server Will automatically generate

A Palestinian Web Developer and Hacker, ' Khalil Shreateh ' found an interesting  vulnerability in Facebook, that allows hacker to bypass the Privacy settings to make a post on anyone's Timeline / Wall. He was forced to post vulnerability details on Mark Zuckerberg (Facebook Founder) Timeline to prove his point, after the Facebook Security Team failed to recognize his critical vulnerability three times. The flaw even working for those victims, who is not included in the attacker friend list.  According to Facebook's Bug Bounty program, a researcher has to submit the flaw details via email to Facebook Security Team without disclosing the details in Public. In order to get the minimum reward of US$500, the flaw should be valid. The reported vulnerability is in " composer.php " file on Facebook mechanism. First Khalil made a post on the timeline of a girl, " Sarah Gooden " who studied at the same college as Facebook CEO Mark Zuckerbe

Pakistan Army site (pakistanarmy.gov.pk) and Three Facebook pages hacked by an Indian hacker 'Godzilla '. Hacker told ' The Hacker News ' that, using a CMS vulnerability they got access into the Pakistan army website using credentials i.e. Username: mag_admin password: #$%modern! .  Then they left a malicious PDF magazine document in their content management system of magazine portal for the Pakistan army, which was later clicked by the Administrator and that installed a piece of malware on the administrator's computer. " For security they have taken down the login page of content management but failed to remove my backdoor " hacker told The Hacker News. Using an infected system of the Administrator, he has also gained unauthorized access to three Pakistan Army Facebook pages. Pakistan Army Official Facebook Page ( www.facebook.com/OfficialPakArmy ) Pakistan Army Officers Club Facebook Page ( www.facebook.com/fb.paoc ) Pakistan Army Fan Facebook Page

Last week we explained a critical vulnerability in Facebook that discloses the primary email address of facebook user. Later the bug was patched by Facebook Security Team. Today another similar interesting Facebook hack disclosed by another bug hunter, Roy Castillo. On his blog he explained a new facebook hack method that allows anyone to grab primary emails addresses of billions of Facebook users easily. Facebook Provides a App Dashboard for creating and managing your Facebook apps, with a range of tools to help you configure, build and debug your Facebook apps. The flaw exists in App settings, where application admin can add developer's profile also, but if the user is not a verified user, a error messages on page will disclose his primary email address. Using following mentioned steps, one was able to grab email addresses of all facebook users: Collect profile links of all facebook users from Facebook People Directory i.e https://www.facebook.com/directo

When you sign up on Facebook, you have to enter an email address and that email address becomes your primary email address on Facebook. In a recent disclosure by a Security researcher, Stephen Sclafani - The Social Networking site Facebook was  vulnerable to disclosure of primary email address of any Facebook user to hackers and spammers . The flaw resides in the invitation mechanism of Facebook, using which one can invite his all contacts emails to Facebook for making new account. As shown in following screenshot, an invitation received on an email, where one need to click the Signup URL: After clicking that URL, invited user will be redirected to a signup page filled in with the email address and the name of a person who used the link to sign up for an account was displayed: There are two parameters in this URL, i.e "re" and "mid". According to Stephen changing some part of "mid" parameter can expose the email address of another user. http:/

For years the National Security Agency has successfully shielded its surveillance programs from any real public scrutiny. There have been a lot of news stories about NSA surveillance programs following the leaks of secret documents by Edward Snowden . We have learned that the NSA is collecting millions of Americans' phone records on a daily basis, that it operates a program called PRISM involving the surveillance of Internet communications, including Email, Facebook posts, and instant messages. The NSA is allowed to record the conversations of non-Americans without a specific warrant for each person monitored, if at least one end of the conversation is outside of the U.S. It is also allowed to record the communications of Americans if they are outside the U.S. and the NSA first gets a warrant for each case. Because Facebook is using outdated Web encryption, which cryptographers say the NSA could penetrate reasonably quickly after intercepting the communications using 

Tor has become a tool of free expression in parts of the world where citizens can not speak freely against their government. On Tuesday, a number of users have noticed that Facebook is blocking connections from the Tor network. Tor is a free tool that keeps Web browsing sessions private and anonymous . For activists and political dissidents who use the Internet to communicate with the outside world in countries where doing so is a crime , being unable to login to Facebook using TOR posed a huge problem. Later, Facebook resolves the Tor issues and said that A high volume of malicious activity across Tor exit nodes triggered Facebook's automated malware detection system, which temporarily blocked visitors who use the Tor anonymity service to access the social network . The role that Tor and Facebook played in facilitating the dissemination of information under restrictive regimes cannot be underestimated. Security researchers are also frequent users of Tor, for instan