Hi, Thanks. That was kind of my thoughts as well, but I don't know everything and am not an avid facebook user, I just wanted to make sure nothing was slipping by me. Thanks. Dave. On 12/9/11, Ben Mustill-Rose wrote:

Probably as real as those virus warnings that your non computer literate friend sees and insists on forwarding to everyone in his / her address book. Facebook is ful of things like this - every now and again people start posting about an app thats able to do such and such and all the ones that sound like their not true aren't. The problem is magnified somewhat since the majority of Facebook users don't know any better.

Cheers, Ben.

On 10/12/2011, David Mehler wrote:

...

Hello,

Do we have any facebook users on this list? I've been hearing something twice these past week that there's an app maybe a phone based one Android or IOS based or maybe on the computer where a facebook account can be hacked despite the password. I don't know of such an app and doubt there would be one, but I've been hearing about it. Can anyone confirm this?

Thanks. Dave.

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

Obviously you could do a man in the middle combined with something like sslstrip and get more or less whatever you wanted, but thats not specific to facebook at all. As far as phone networks go I'm not sure, nobody can ping my iPhones 3g ip address, but I'm not sure if thats because of iOs or my provider. Based on this, I'm not sure if the man in the middle approach would work. Obviously this is slightly mute these days since most phones have wifi and there are methods to make a device automaticly connect to an ap regardless of its ssid. I really don't think there is anything targeted towards Facebook at the moment other than standard brootforcing of week passwords, but that happens all the time. I see posts from people on my newsfeed who have been convinced to authorise an app that is sending out spam, but I don't think the facebook api would have a feature that lets a third party app obtain someones password. As I say, lots of ways to do it, but these could be applied to almost any website. On 12/12/2011, John G. Heim wrote:

I don't find it so very unlikely that there's an app out there for highjacking facebook sessions. Correct me if I'm wrong but facebook encrypts only the login screens, right? So while your password doesn't get sent over the network in plain text, after you log in, everything else does. That would mean anyone on the same network as you are could highjack your session. The only thing that would prevent that would be if the network traffic itself was encrypted. Are phone networks encrypted?

----- Original Message ----- From: "David Mehler" To: "Blind sysadmins list" Sent: Friday, December 09, 2011 8:58 PM Subject: Re: [Blind-sysadmins] facebook hacking app

...

Hi, Thanks. That was kind of my thoughts as well, but I don't know everything and am not an avid facebook user, I just wanted to make sure nothing was slipping by me.

Thanks. Dave.

On 12/9/11, Ben Mustill-Rose wrote:

...

Probably as real as those virus warnings that your non computer literate friend sees and insists on forwarding to everyone in his / her address book. Facebook is ful of things like this - every now and again people start posting about an app thats able to do such and such and all the ones that sound like their not true aren't. The problem is magnified somewhat since the majority of Facebook users don't know any better.

Cheers, Ben.

On 10/12/2011, David Mehler wrote:

...

Hello,

Do we have any facebook users on this list? I've been hearing something twice these past week that there's an app maybe a phone based one Android or IOS based or maybe on the computer where a facebook account can be hacked despite the password. I don't know of such an app and doubt there would be one, but I've been hearing about it. Can anyone confirm this?

Thanks. Dave.

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

The article was written in June, so whilst it probably still applies, its nothing new. It uses processes that can be applied to any website and I got the impression that it didn't try and compromise anything sent over https which is what twitter defaults to now. I'm guessing that this uses some form of arp poisening; any good ids should be able to pick it up along with some consumer anty virus programs. On 12/12/2011, John G. Heim wrote:

Here is an article from MSNBC that confirms the rumor:

http://gadgetbox.msnbc.msn.com/_news/2011/06/02/6771350-android-app-hacks-fa... phones, I wouldn't be

So that article says the android app works exactly as I predicted. It uses a packet sniffer to highjack your session cookies. My understanding that this kind of attack is not possible if the web site sticks with https even after login. Facebook and many other sites are vulnerable because they switch back to regular http after you log in. I'm not entirely sure keeping the protocol https protects you from session highjacking. I would think so because the packets the cookies are sent in would be encrypted. But it could be that cookies are sent in an unencrypted layer.

----- Original Message ----- From: "Ben Mustill-Rose" To: "Blind sysadmins list" Sent: Monday, December 12, 2011 3:27 PM Subject: Re: [Blind-sysadmins] facebook hacking app

...

Obviously you could do a man in the middle combined with something like sslstrip and get more or less whatever you wanted, but thats not specific to facebook at all. As far as phone networks go I'm not sure, nobody can ping my iPhones 3g ip address, but I'm not sure if thats because of iOs or my provider. Based on this, I'm not sure if the man in the middle approach would work. Obviously this is slightly mute these days since most phones have wifi and there are methods to make a device automaticly connect to an ap regardless of its ssid.

I really don't think there is anything targeted towards Facebook at the moment other than standard brootforcing of week passwords, but that happens all the time. I see posts from people on my newsfeed who have been convinced to authorise an app that is sending out spam, but I don't think the facebook api would have a feature that lets a third party app obtain someones password.

As I say, lots of ways to do it, but these could be applied to almost any website.

On 12/12/2011, John G. Heim wrote:

...

I don't find it so very unlikely that there's an app out there for highjacking facebook sessions. Correct me if I'm wrong but facebook encrypts only the login screens, right? So while your password doesn't get sent over the network in plain text, after you log in, everything else does. That would mean anyone on the same network as you are could highjack your session. The only thing that would prevent that would be if the network traffic itself was encrypted. Are phone networks encrypted?

----- Original Message ----- From: "David Mehler" To: "Blind sysadmins list" Sent: Friday, December 09, 2011 8:58 PM Subject: Re: [Blind-sysadmins] facebook hacking app

...

Hi, Thanks. That was kind of my thoughts as well, but I don't know everything and am not an avid facebook user, I just wanted to make sure nothing was slipping by me.

Thanks. Dave.

On 12/9/11, Ben Mustill-Rose wrote:

...

Probably as real as those virus warnings that your non computer literate friend sees and insists on forwarding to everyone in his / her address book. Facebook is ful of things like this - every now and again people start posting about an app thats able to do such and such and all the ones that sound like their not true aren't. The problem is magnified somewhat since the majority of Facebook users don't know any better.

Cheers, Ben.

On 10/12/2011, David Mehler wrote:

...

Hello,

Do we have any facebook users on this list? I've been hearing something twice these past week that there's an app maybe a phone based one Android or IOS based or maybe on the computer where a facebook account can be hacked despite the password. I don't know of such an app and doubt there would be one, but I've been hearing about it. Can anyone confirm this?

Thanks. Dave.

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

I don't get why you're downplaying this. In my opinion, its important for people to know about this exploit. Yeah, the article was written in June but facebook has not closed the security hole that the app exploits. That app works as well today as it did in June. And the fact that facebook isn't the only service vulnerable hardly lessens it either. In anything, that makes it even more important to know about this exploit. I mean, I'm not saying its time to build a bomb shelter and buy a emergency generator. The world is not coming to an end. But this is an exploit people should be aware of. From: "Ben Mustill-Rose" To: "Blind sysadmins list" Sent: Monday, December 12, 2011 5:17 PM Subject: Re: [Blind-sysadmins] facebook hacking app

The article was written in June, so whilst it probably still applies, its nothing new. It uses processes that can be applied to any website and I got the impression that it didn't try and compromise anything sent over https which is what twitter defaults to now. I'm guessing that this uses some form of arp poisening; any good ids should be able to pick it up along with some consumer anty virus programs.

On 12/12/2011, John G. Heim wrote:

...

Here is an article from MSNBC that confirms the rumor:

http://gadgetbox.msnbc.msn.com/_news/2011/06/02/6771350-android-app-hacks-fa... phones, I wouldn't be

So that article says the android app works exactly as I predicted. It uses a packet sniffer to highjack your session cookies. My understanding that this kind of attack is not possible if the web site sticks with https even after login. Facebook and many other sites are vulnerable because they switch back to regular http after you log in. I'm not entirely sure keeping the protocol https protects you from session highjacking. I would think so because the packets the cookies are sent in would be encrypted. But it could be that cookies are sent in an unencrypted layer.

----- Original Message ----- From: "Ben Mustill-Rose" To: "Blind sysadmins list" Sent: Monday, December 12, 2011 3:27 PM Subject: Re: [Blind-sysadmins] facebook hacking app

...

Obviously you could do a man in the middle combined with something like sslstrip and get more or less whatever you wanted, but thats not specific to facebook at all. As far as phone networks go I'm not sure, nobody can ping my iPhones 3g ip address, but I'm not sure if thats because of iOs or my provider. Based on this, I'm not sure if the man in the middle approach would work. Obviously this is slightly mute these days since most phones have wifi and there are methods to make a device automaticly connect to an ap regardless of its ssid.

I really don't think there is anything targeted towards Facebook at the moment other than standard brootforcing of week passwords, but that happens all the time. I see posts from people on my newsfeed who have been convinced to authorise an app that is sending out spam, but I don't think the facebook api would have a feature that lets a third party app obtain someones password.

As I say, lots of ways to do it, but these could be applied to almost any website.

On 12/12/2011, John G. Heim wrote:

...

I don't find it so very unlikely that there's an app out there for highjacking facebook sessions. Correct me if I'm wrong but facebook encrypts only the login screens, right? So while your password doesn't get sent over the network in plain text, after you log in, everything else does. That would mean anyone on the same network as you are could highjack your session. The only thing that would prevent that would be if the network traffic itself was encrypted. Are phone networks encrypted?

----- Original Message ----- From: "David Mehler" To: "Blind sysadmins list" Sent: Friday, December 09, 2011 8:58 PM Subject: Re: [Blind-sysadmins] facebook hacking app

...

Hi, Thanks. That was kind of my thoughts as well, but I don't know everything and am not an avid facebook user, I just wanted to make sure nothing was slipping by me.

Thanks. Dave.

On 12/9/11, Ben Mustill-Rose wrote:

...

Probably as real as those virus warnings that your non computer literate friend sees and insists on forwarding to everyone in his / her address book. Facebook is ful of things like this - every now and again people start posting about an app thats able to do such and such and all the ones that sound like their not true aren't. The problem is magnified somewhat since the majority of Facebook users don't know any better.

Cheers, Ben.

On 10/12/2011, David Mehler wrote: > Hello, > > Do we have any facebook users on this list? I've been hearing > something twice these past week that there's an app maybe a phone > based one Android or IOS based or maybe on the computer where a > facebook account can be hacked despite the password. I don't know of > such an app and doubt there would be one, but I've been hearing > about > it. Can anyone confirm this? > > Thanks. > Dave. > > _______________________________________________ > Blind-sysadmins mailing list > Blind-sysadmins@lists.hodgsonfamily.org > http://lists.hodgsonfamily.org/listinfo/blind-sysadmins >

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

Right. The exploit depends on the ability to put a packet sniffer on the network. In public places, anyone can do that. ----- Original Message ----- From: "David Mehler" To: "Blind sysadmins list" Sent: Tuesday, December 13, 2011 10:56 AM Subject: Re: [Blind-sysadmins] facebook hacking app

Hello,

Thanks to everyone who has responded. So if I understand this right if your not on the same network your ok? So, that if people aren't in an unsecure or unknown WiFi hotspot then things are well? The article mentioned settings to enable, I shal do so. I'm also going to give a lecture to this group on security, hoaxes, passwords, and this exploit, I just want to make sure I have all my facts in place.

Thanks. Dave.

On 12/13/11, John G. Heim wrote:

...

I don't get why you're downplaying this. In my opinion, its important for people to know about this exploit. Yeah, the article was written in June but facebook has not closed the security hole that the app exploits. That app works as well today as it did in June. And the fact that facebook isn't the only service vulnerable hardly lessens it either. In anything, that makes it even more important to know about this exploit.

I mean, I'm not saying its time to build a bomb shelter and buy a emergency generator. The world is not coming to an end. But this is an exploit people should be aware of.

From: "Ben Mustill-Rose" To: "Blind sysadmins list" Sent: Monday, December 12, 2011 5:17 PM Subject: Re: [Blind-sysadmins] facebook hacking app

...

The article was written in June, so whilst it probably still applies, its nothing new. It uses processes that can be applied to any website and I got the impression that it didn't try and compromise anything sent over https which is what twitter defaults to now. I'm guessing that this uses some form of arp poisening; any good ids should be able to pick it up along with some consumer anty virus programs.

On 12/12/2011, John G. Heim wrote:

...

Here is an article from MSNBC that confirms the rumor:

http://gadgetbox.msnbc.msn.com/_news/2011/06/02/6771350-android-app-hacks-fa... phones, I wouldn't be

So that article says the android app works exactly as I predicted. It uses a packet sniffer to highjack your session cookies. My understanding that this kind of attack is not possible if the web site sticks with https even after login. Facebook and many other sites are vulnerable because they switch back to regular http after you log in. I'm not entirely sure keeping the protocol https protects you from session highjacking. I would think so because the packets the cookies are sent in would be encrypted. But it could be that cookies are sent in an unencrypted layer.

----- Original Message ----- From: "Ben Mustill-Rose" To: "Blind sysadmins list" Sent: Monday, December 12, 2011 3:27 PM Subject: Re: [Blind-sysadmins] facebook hacking app

...

Obviously you could do a man in the middle combined with something like sslstrip and get more or less whatever you wanted, but thats not specific to facebook at all. As far as phone networks go I'm not sure, nobody can ping my iPhones 3g ip address, but I'm not sure if thats because of iOs or my provider. Based on this, I'm not sure if the man in the middle approach would work. Obviously this is slightly mute these days since most phones have wifi and there are methods to make a device automaticly connect to an ap regardless of its ssid.

I really don't think there is anything targeted towards Facebook at the moment other than standard brootforcing of week passwords, but that happens all the time. I see posts from people on my newsfeed who have been convinced to authorise an app that is sending out spam, but I don't think the facebook api would have a feature that lets a third party app obtain someones password.

As I say, lots of ways to do it, but these could be applied to almost any website.

On 12/12/2011, John G. Heim wrote:

...

I don't find it so very unlikely that there's an app out there for highjacking facebook sessions. Correct me if I'm wrong but facebook encrypts only the login screens, right? So while your password doesn't get sent over the network in plain text, after you log in, everything else does. That would mean anyone on the same network as you are could highjack your session. The only thing that would prevent that would be if the network traffic itself was encrypted. Are phone networks encrypted?

----- Original Message ----- From: "David Mehler" To: "Blind sysadmins list" Sent: Friday, December 09, 2011 8:58 PM Subject: Re: [Blind-sysadmins] facebook hacking app

> Hi, > Thanks. That was kind of my thoughts as well, but I don't know > everything and am not an avid facebook user, I just wanted to make > sure nothing was slipping by me. > > Thanks. > Dave. > > > On 12/9/11, Ben Mustill-Rose wrote: >> Probably as real as those virus warnings that your non computer >> literate friend sees and insists on forwarding to everyone in his / >> her address book. >> Facebook is ful of things like this - every now and again people >> start >> posting about an app thats able to do such and such and all the >> ones >> that sound like their not true aren't. The problem is magnified >> somewhat since the majority of Facebook users don't know any >> better. >> >> Cheers, >> Ben. >> >> On 10/12/2011, David Mehler wrote: >>> Hello, >>> >>> Do we have any facebook users on this list? I've been hearing >>> something twice these past week that there's an app maybe a phone >>> based one Android or IOS based or maybe on the computer where a >>> facebook account can be hacked despite the password. I don't know >>> of >>> such an app and doubt there would be one, but I've been hearing >>> about >>> it. Can anyone confirm this? >>> >>> Thanks. >>> Dave. >>> >>> _______________________________________________ >>> Blind-sysadmins mailing list >>> Blind-sysadmins@lists.hodgsonfamily.org >>> http://lists.hodgsonfamily.org/listinfo/blind-sysadmins >>> >> >> _______________________________________________ >> Blind-sysadmins mailing list >> Blind-sysadmins@lists.hodgsonfamily.org >> http://lists.hodgsonfamily.org/listinfo/blind-sysadmins >> > > _______________________________________________ > Blind-sysadmins mailing list > Blind-sysadmins@lists.hodgsonfamily.org > http://lists.hodgsonfamily.org/listinfo/blind-sysadmins > >

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

Obviously you could do a man in the middle combined with something like sslstrip and get more or less whatever you wanted, but thats not specific to facebook at all. As far as phone networks go I'm not sure, nobody can ping my iPhones 3g ip address, but I'm not sure if thats because of iOs or my provider. Based on this, I'm not sure if the man in the middle approach would work. Obviously this is slightly mute these days since most phones have wifi and there are methods to make a device automaticly connect to an ap regardless of its ssid. I really don't think there is anything targeted towards Facebook at the moment other than standard brootforcing of week passwords, but that happens all the time. I see posts from people on my newsfeed who have been convinced to authorise an app that is sending out spam, but I don't think the facebook api would have a feature that lets a third party app obtain someones password. As I say, lots of ways to do it, but these could be applied to almost any website. On 12/12/2011, John G. Heim wrote:

I don't find it so very unlikely that there's an app out there for highjacking facebook sessions. Correct me if I'm wrong but facebook encrypts only the login screens, right? So while your password doesn't get sent over the network in plain text, after you log in, everything else does. That would mean anyone on the same network as you are could highjack your session. The only thing that would prevent that would be if the network traffic itself was encrypted. Are phone networks encrypted?

----- Original Message ----- From: "David Mehler" To: "Blind sysadmins list" Sent: Friday, December 09, 2011 8:58 PM Subject: Re: [Blind-sysadmins] facebook hacking app

...

Hi, Thanks. That was kind of my thoughts as well, but I don't know everything and am not an avid facebook user, I just wanted to make sure nothing was slipping by me.

Thanks. Dave.

On 12/9/11, Ben Mustill-Rose wrote:

...

Probably as real as those virus warnings that your non computer literate friend sees and insists on forwarding to everyone in his / her address book. Facebook is ful of things like this - every now and again people start posting about an app thats able to do such and such and all the ones that sound like their not true aren't. The problem is magnified somewhat since the majority of Facebook users don't know any better.

Cheers, Ben.

On 10/12/2011, David Mehler wrote:

...

Hello,

Do we have any facebook users on this list? I've been hearing something twice these past week that there's an app maybe a phone based one Android or IOS based or maybe on the computer where a facebook account can be hacked despite the password. I don't know of such an app and doubt there would be one, but I've been hearing about it. Can anyone confirm this?

Thanks. Dave.

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins