How to HACK any facebook FAN Page

Security researcher Laxman Muthiyah, has recently discovered a new bug in ‘Facebook pages’ that allows attacker to hack and take control of any Facebook page that are managed by multiple users on role bases. Facebook has already fixed this bug and awarded the researcher with bounty.

Although the bug has been fixed already, you should be aware of this trick and protect your page from getting hacked in future. So lets start with how Laxman used this trick. To hack Facebook page, Laxman exploited a vulnerability found in Facebook business manager endpoint that allows 3rd party apps to hack any Facebook page with limited permissions and remove page admin roles of the the victim.

Many Facebook business page owners use 3rd party apps to post automated statuses, publish photos, get fake likes and get other insights. By default when the user uses 3rd party app for his business page, it is allowed to add or modify page admin roles (page roles like manager, editor, analyst etc..) But the vulnerability allows hackers to use rogue app that could add some user as admin to the page and remove the actual admin permanently.

Following are the requests used by hacker in his app that would modify the page roles.

For Page Takeover (Request):
POST /<page_id>/userpermissions HTTP/1.1
Host :  graph.facebook.com 
Content-Length: 245
role=MANAGER&user=<target_user_id>&access_token=<application_access_token>

For Removing Victim (Request):
Delete /<page_id>/userpermissions HTTP/1.1
Host :  graph.facebook.com 
Content-Length: 245
user=<target_user_id>&access_token=<application_access_token>

How Facebook page hacking works?

1. Hacker sets-up a rogue Facebook app that contains above requests.
2. He then creates a website offering Facebook page service.
3. After everything is set, he then lures Facebook page owners to get more like or reveal insights.
4. The Page owner (victim) accesses hackers website and clicks Facebook login button that will trigger rogue app built by hacker and eventually giving control to his Facebook pages.
5. Instead of getting promised like the victim looses his ownership to the pages.

Watch video demonstration here:
https://www.facebook.com/7xter/videos/707721066037025/

Lessons: Never fall for any free likes or other fan page gimmicks that requires you to give permissions to your page. Always double check permissions you grant to any third-party applications.

Stealing User Cookies - Hack anyone using wifi or LAN

In my last post about Facebook hacking, i had mentioned something called Web cookie stealing and i had also promised to post more on it. Today i will discuss on how you can steal cookies when on LAN or WiFi Network using a technique called Sidejacking.

When you login to any website by submitting your username and password, First the server checks if an account matching this information exists and if so, replies back to you with a “authentication cookie” which is then stored by your browser for all subsequent requests and to keep you logged-in.

What is Sidejacking?
Sidejacking attack (also called as session hijacking) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. In other words, the attacker can now make use of your cookie to impersonate your account and can do everything a user can do when logged-in to any website.

Its very common, that many Websites protect your account by encrypting the login process. But it is very uncommon for Websites to encrypt everything else after you login(eg:cookies). This makes the cookie and the user vulnerable. On an open wireless networks like WiFi, cookies are basically shouted through the air, making these type of attacks extremely easy, yet very popular websites continue to fail at protecting their users.

The Sidejacking Attack Involves two Major Steps:

#1. Capturing packets (Session Cookie)
There are wide variety of tools available that can Sniff packets containing “session cookies“. Use any packet sniffer such as Wireshark to sniff the packets between the target IP and the host. These tools can capture packets such as POST or GET requests used by Web-browsers to send and receive data from the HOST. But we are mainly interested in grabbing the cookies, so carefully takeout the cookie information from the sniffed Packets. Popular packet Sniffers: WireShark, Ethereal, etc.

#2. Using Captured Session Cookie.
Once you have the cookie information, the next task is to use this information to get access to victims user account. Using Sniffed Cookie you can actually login to your victims account even without knowing his/her password. To do this you will require browser plugin that can manage and edit cookies. For firefox Browser, you can use Cookie Manager+ or Edit Cookies to do this task. Chrome users can checkout:Edit This Cookie or Cookie Manager.

Easiest Way to SideJack:

The above method is cumbersome ofcourse, and requires more time. To simplify this Task, Mr.Eric Butler a software engineer introduced a firefoxextension called Firesheep. The extension was created as a demonstration of the security risk to users of web sites that only encrypt the login process and not the cookie(s) created during the login process. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites, as the cookies are transmitted over the networks.

When you are on public Wifi or LAN, Fireship can automatically capture all the available session cookies of any website and reports it to you. You can Now choose between all the available use accounts and you are just a click away to access them.

As you can see above, It shows the discovered identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim’s name.

Download: firesheep-0.1-1 for Windows & OS X

Firesheep has exploited and made it easy for public wifi users to be attacked by session hijackers. Websites like Facebook, Twitter, and any that the user adds to their preferences allow the firesheep user to easily access private information from cookies.

>How do i Protect Myself from SideJacking Attack?

#1. It is very easy to protect yourself against this sort of attack. Both Facebook & Twitter supports HTTPS, so when you browse facebook (or twitter for that matter) On Public Wifi or LAN, please make sure you’re using HTTPS:// rather than HTTP:// in the URL.

Facebook: Account Settings >> Account Security >> check “Secure Browsing (https)” >> Save.
Twitter: Settings >> Account >> check “Https Only” >> save.

#2. FireFox Users can use Plugin called HTTPS Finder. HTTPS Finder automatically detects and alerts when SSL is available on a web page. It also provides one-click rule creation for HTTPS Everywhere.

#3. When you are using Public WiFi, Avoid Logging-in on Websites that doesn’t Support HTTPS://. Don’t use sites that revert back to HTTP after login.

#4. Always Log off websites when done. If the ‘victim’ logs out of any Website, the attackers session becomes invalid – so it’s a good practice to actually log out and log back in again rather than using the ‘remember me’ check-box.

#5. Avoid using unencrypted Wi-Fi. Encrypting everything over Wi-Fi is an excellent idea. Although not many hot-spots offer Encrypted WiFi, using it can greatly reduce the risk of being hacked.

4 Ways to Hack Any Facebook Account + Defense

Despite the security concerns that have plagued Facebook for years, most people are sticking around and new members keep on joining. This has led Facebook to break records numbers with over one billion monthly active users as of October 2012—and around 600 million active daily users.

We share our lives on Facebook. We share our birthdays and our anniversaries. We share our vacation plans and locations. We share the births of our sons and the deaths of our fathers. We share our most cherished moments and our most painful thoughts. We divulge every aspect of our lives. We even clamor to see the latest versions even before they're ready for primetime.

But we sometimes forget who's watching.

We use Facebook as a tool to connect, but there are those people who use that connectivity for malicious purposes. We reveal what others can use against us. They know when we're not home and for how long we're gone. They know the answers to our security questions. People can practically steal our identities—and that's just with the visible information we purposely give away through our public Facebook profile.


The scariest part is that as we get more comfortable with advances in technology, we actually become more susceptible to hacking. As if we haven't already done enough to aid hackers in their quest for our data by sharing publicly, those in the know can get into our emails and Facebook accounts to steal every other part of our lives that we intended to keep away from prying eyes.

In fact, you don't even have to be a professional hacker to get into someone's Facebook account.

It can be as easy as running Firesheep on your computer for a few minutes. In fact, Facebook actually allows people to get into someone else's Facebook account without knowing their password. All you have to do is choose three friends to send a code to. You type in the three codes, and voilß—you're into the account. It's as easy as that.

In this article I'll show you these, and a couple other ways that hackers (and even regular folks) can hack into someone's Facebook account. But don't worry, I'll also show you how to prevent it from happening to you.

Method 1: Reset the Password
The easiest way to "hack" into someone's Facebook is through resetting the password. This could be easier done by people who are friends with the person they're trying to hack.

The first step would be to get your friend's Facebook email login. If you don't already know it, try looking on their Facebook page in the Contact Info section.
Next, click on Forgotten your password? and type in the victim's email. Their account should come up. Click This is my account.
It will ask if you would like to reset the password via the victim's emails. This doesn't help, so press No longer have access to these?
It will now ask How can we reach you? Type in an email that you have that also isn't linked to any other Facebook account.
It will now ask you a question. If you're close friends with the victim, that's great. If you don't know too much about them, make an educated guess. If you figure it out, you can change the password. Now you have to wait 24 hours to login to their account.
If you don't figure out the question, you can click on Recover your account with help from friends. This allows you to choose between three and five friends.

It will send them passwords, which you may ask them for, and then type into the next page. You can either create three to five fake Facebook accounts and add your friend (especially if they just add anyone), or you can choose three to five close friends of yours that would be willing to give you the password.

How to Protect Yourself
Use an email address specifically for your Facebook and don't put that email address on your profile.
When choosing a security question and answer, make it difficult. Make it so that no one can figure it out by simply going through your Facebook. No pet names, no anniversaries—not even third grade teacher's names. It's as easy as looking through a yearbook.
Learn about recovering your account from friends. You can select the three friends you want the password sent to. That way you can protect yourself from a friend and other mutual friends ganging up on you to get into your account.
Method 2: Use a Keylogger
Software Keylogger

A software keylogger is a program that can record each stroke on the keyboard that the user makes, most often without their knowledge. The software has to be downloaded manually on the victim's computer. It will automatically start capturing keystrokes as soon as the computer is turned on and remain undetected in the background. The software can be programmed to send you a summary of all the keystrokes via email.

CNET has Free Keylogger, which as the title suggests, is free. If this isn't what you're looking for, you can search for other free keyloggers or pay for one.


Hardware Keylogger

These work the same way as the software keylogger, except that a USB drive with the software needs to be connected to the victim's computer. The USB drive will save a summary of the keystrokes, so it's as simple as plugging it to your own computer and extracting the data. You can look through Keelog for prices, but it's bit higher than buying the software since you have the buy the USB drive with the program already on it.


How to Protect Yourself
Use a firewall. Keyloggers usually send information through the internet, so a firewall will monitor your computer's online activity and sniff out anything suspicious.
Install a password manager. Keyloggers can't steal what you don't type. Password mangers automatically fill out important forms without you having to type anything in.
Update your software. Once a company knows of any exploits in their software, they work on an update. Stay behind and you could be susceptible.
Change passwords. If you still don't feel protected, you can change your password bi-weekly. It may seem drastic, but it renders any information a hacker stole useless.
Method 3: Phishing
This option is much more difficult than the rest, but it is also the most common method to hack someone's account. The most popular type of phishing involves creating a fake login page. The page can be sent via email to your victim and will look exactly like the Facebook login page. If the victim logs in, the information will be sent to you instead of to Facebook. This process is difficult because you will need to create a web hosting account and a fake login page.


The easiest way to do this would be to follow our guide on how to clone a website to make an exact copy of the facebook login page. Then you'll just need to tweak the submit form to copy / store / email the login details a victim enters. If you need help with the exact steps, there are detailed instructions available by Alex Long here on Null Byte. Users are very careful now with logging into Facebook through other links, though, and email phishing filters are getting better every day, so that only adds to this already difficult process. But, it's still possible, especially if you clone the entire Facebook website.

How to Protect Yourself
Don't click on links through email. If an email tells you to login to Facebook through a link, be wary. First check the URL (Here's a great guide on what to look out for). If you're still doubtful, go directly to the main website and login the way you usually do.
Phishing isn't only done through email. It can be any link on any website / chat room / text message / etc. Even ads that pop up can be malicious. Don't click on any sketchy looking links that ask for your information.
Use anti-virus & web security software, like Norton or McAfee.
Method 4: Stealing Cookies
Cookies allow a website to store information on a user's hard drive and later retrieve it. These cookies contain important information used to track a session that a hacker can sniff out and steal if they are on the same Wi-Fi network as the victim. They don't actually get the login passwords, but they can still access the victim's account by cloning the cookies, tricking Facebook into thinking the hacker's browser is already authenticated.


Image via wikimedia.org
Firesheep is a Firefox add-on that sniffs web traffic on an open Wi-Fi connection. It collects the cookies and stores them in a tab on the side of the browser.

From there, the hacker can click on the saved cookies and access the victim's account, as long as the victim is still logged in. Once the victim logs out, it is impossible for the hacker to access the account.


How to Protect Yourself
On Facebook, go to your Account Settings and check under Security. Make sure Secure Browsing is enabled. Firesheep can't sniff out cookies over encrypted connections like HTTPS, so try to steer away from HTTP.
Full time SSL. Use Firefox add-ons such as HTTPS-Everywhere or Force-TLS.
Log off a website when you're done. Firesheep can't stay logged in to your account if you log off.
Use only trustworthy Wi-Fi networks. A hacker can be sitting across from you at Starbucks and looking through your email without you knowing it.
Use a VPN. These protect against any sidejacking from the same WiFi network, no matter what website you're on as all your network traffic will be encrypted all the way to your VPN provider.
Protecting Yourself: Less Is More
Social networking websites are great ways to stay connected with old friends and meet new people. Creating an event, sending a birthday greeting and telling your parents you love them are all a couple of clicks away.

Facebook isn't something you need to steer away from, but you do need to be aware of your surroundings and make smart decisions about what you put up on your profile. The less information you give out on Facebook for everyone to see, the more difficult you make it for hackers.

If your Facebook account ever gets hacked, check out our guide on getting your hacked Facebook account back for information on restoring your account.