hijack account | Breaking Cybersecurity News | The Hacker News

' Nir Goldshlager ' known as Facebook hacker and founder of Break Security  , who reported many critical bugs in Facebook OAuth mechanism in past few months, today disclose a critical  vulnerability in Instagram Oauth that allow an attacker to hack any account. Succesful hack allows attacker to access private photos, ability to delete victim's photos and to edit comments and also the ability to post new photos. Hacker explained that there are two ways to hack Instagram accounts using OAuth, first via Hijack Instagram accounts using the Instagram OAuth or Hijack Instagram accounts using the Facebook OAuth Dialog. During his bug hunting Nir found loopholes in Instagram's security parameters i.e redirect_uri , that allows  attacker to pass the access token to his own domain with mx as suffix i.e code straight to breaksec.com.mx . POC :  https://instagram.com/oauth/authorize/?client_id=33221863eec546659f2564dd71a8a38d&redirect_uri=https://breaksec

Another phishing campaign come in action recently targeting Facebook accounts and company pages with millions of followers. Phishers continue to devise new fake apps for the purpose of harvesting confidential information. Not a new method, but very creative phishing example in Facebook hacking scene, where hacker host a phishing page on Facebook app sub domain itself. Designed very similar to Facebook Security team with title ' Facebook Page Verification ' and using Facebook Security Logo as shown in the screenshot posted above. Phishing app URL: https://apps.facebook.com/verify-pages/ Application hosted on:   https://talksms.co.uk/ The phishing page asking users to enter Page URL and Page Name that victim own and his Facebook login email ID with password. Once victim trapped in hacker web, the phisher records your information. Another interesting fact is that, the phishing domain https://talksms.co.uk/ is a HTTPS site with with verified SSL from GeoTrust

Compromising the browser is a high-return target for adversaries. Browser extensions, which are small software modules that are added to the browser and can enhance browsing experiences, have become a popular browser attack vector. This is because they are widely adopted among users and can easily turn malicious through developer actions or attacks on legitimate extensions. Recent incidents like  DataSpii  and the  Nigelthorn  malware attack have exposed the extent of damage that malicious extensions can inflict. In both cases, users innocently installed extensions that compromised their privacy and security. The underlying issue lies in the permissions granted to extensions. These permissions, often excessive and lacking granularity, allow attackers to exploit them. What can organizations do to protect themselves from the risks of browser extensions without barring them from use altogether (an act that would be nearly impossible to enforce)?  A new report by LayerX, "Unveiling the