facebook hacking app
Hello,
Do we have any Facebook users on this list? I've been hearing, twice this past week, that there's an app, maybe a phone-based one (Android or iOS) or maybe one on the computer, where a Facebook account can be hacked despite the password. I don't know of such an app and doubt there would be one, but I've been hearing about it. Can anyone confirm this?
Thanks.
Dave.
Probably as real as those virus warnings that your non-computer-literate friend sees and insists on forwarding to everyone in his / her address book.
Facebook is full of things like this - every now and again people start posting about an app that's able to do such and such, and all the ones that sound like they're not true aren't. The problem is magnified somewhat since the majority of Facebook users don't know any better.
Cheers,
Ben.
On 10/12/2011, David Mehler wrote:
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
Hi,
Thanks. Those were kind of my thoughts as well, but I don't know everything and am not an avid Facebook user; I just wanted to make sure nothing was slipping by me.
Thanks.
Dave.
On 12/9/11, Ben Mustill-Rose wrote:
I don't find it so very unlikely that there's an app out there for hijacking Facebook sessions. Correct me if I'm wrong, but Facebook encrypts only the login screens, right? So while your password doesn't get sent over the network in plain text, after you log in, everything else does. That would mean anyone on the same network as you could hijack your session. The only thing that would prevent that would be if the network traffic itself was encrypted. Are phone networks encrypted?
----- Original Message -----
From: "David Mehler"
Obviously you could do a man-in-the-middle combined with something like sslstrip and get more or less whatever you wanted, but that's not specific to Facebook at all. As far as phone networks go, I'm not sure; nobody can ping my iPhone's 3G IP address, but I'm not sure if that's because of iOS or my provider. Based on this, I'm not sure if the man-in-the-middle approach would work. Obviously this is slightly moot these days, since most phones have WiFi and there are methods to make a device automatically connect to an AP regardless of its SSID.
I really don't think there is anything targeted towards Facebook at the moment other than standard brute-forcing of weak passwords, but that happens all the time. I see posts from people on my newsfeed who have been convinced to authorise an app that is sending out spam, but I don't think the Facebook API would have a feature that lets a third-party app obtain someone's password.
As I say, lots of ways to do it, but these could be applied to almost any website.
On 12/12/2011, John G. Heim wrote:
----- Original Message ----- From: "David Mehler" To: "Blind sysadmins list" Sent: Friday, December 09, 2011 8:58 PM Subject: Re: [Blind-sysadmins] facebook hacking app
Here is an article from MSNBC that confirms the rumor:
http://gadgetbox.msnbc.msn.com/_news/2011/06/02/6771350-android-app-hacks-fa...
phones, I wouldn't be
So that article says the Android app works exactly as I predicted. It uses a packet sniffer to hijack your session cookies. My understanding is that this kind of attack is not possible if the web site sticks with HTTPS even after login. Facebook and many other sites are vulnerable because they switch back to regular HTTP after you log in.
I'm not entirely sure keeping the protocol HTTPS protects you from session hijacking. I would think so, because the packets the cookies are sent in would be encrypted. But it could be that cookies are sent in an unencrypted layer.
----- Original Message -----
From: "Ben Mustill-Rose"
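John's question of whether cookies travel "in an unencrypted layer", and Ben's earlier point about sslstrip, both come down to two response headers a site operator or auditor can check. A cookie is an ordinary HTTP header and is encrypted whenever the request goes over TLS; the exposure comes from the browser attaching any cookie that lacks the Secure attribute to a plain http:// request for the same host, which is exactly what a sniffer on a shared network sees once the site (or an sslstrip-style downgrade) drops back to HTTP. Strict-Transport-Security closes the downgrade path by making the browser refuse plaintext connections to the host at all. The audit below is an added example written for this thread, not code from the list or from Facebook; the response heads, host and cookie names are constructed samples.

```python
"""Audit a response head for the session-cookie exposure discussed in the thread:
which cookies a browser would still send over plain http://, and whether HSTS is set.
Added example with constructed sample headers; not code from the list posts."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool    # Secure attribute: only sent over https://
    httponly: bool  # HttpOnly attribute: not readable by page scripts


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into name, value and the two flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def parse_response_headers(raw):
    """Split a raw HTTP response head into its Set-Cookie list and the other headers."""
    cookies, headers = [], {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break                      # blank line ends the header block
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "set-cookie":
            cookies.append(parse_set_cookie(val))
        else:
            headers[key] = val
    return cookies, headers


def cookies_sent_on_plaintext(cookies):
    """Browser rule: a cookie without Secure is attached to any http:// request
    for the same host, so these are the cookies a LAN sniffer would capture."""
    return [c.name for c in cookies if not c.secure]


def has_hsts(headers):
    """True when Strict-Transport-Security carries a positive max-age."""
    for directive in headers.get("strict-transport-security", "").split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val) > 0
    return False


def audit(raw):
    """Return human-readable findings for one response head (empty list = clean)."""
    cookies, headers = parse_response_headers(raw)
    findings = []
    for c in cookies:
        if not c.secure:
            findings.append(f"{c.name}: no Secure flag, sent in clear on http:// requests")
        if not c.httponly:
            findings.append(f"{c.name}: no HttpOnly flag, readable by page scripts")
    if not has_hsts(headers):
        findings.append("no HSTS: browser will follow a plain http:// link to this host")
    return findings


# Constructed samples: a site that drops the session cookie without flags after
# login, beside the hardened form of the same response.
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sess=abc123; Path=/\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sess=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit(raw) or ["clean"])
```

Run against a real site, the same parser can be fed the head of an authenticated response captured from your own account; the two things to look for are a session cookie without Secure and a missing HSTS header, which together are what let the sniffer in the MSNBC article work.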
The article was written in June, so whilst it probably still applies, it's nothing new. It uses processes that can be applied to any website, and I got the impression that it didn't try and compromise anything sent over HTTPS, which is what Twitter defaults to now.
I'm guessing that this uses some form of ARP poisoning; any good IDS should be able to pick it up, along with some consumer antivirus programs.
On 12/12/2011, John G. Heim wrote:
----- Original Message ----- From: "Ben Mustill-Rose" To: "Blind sysadmins list" Sent: Monday, December 12, 2011 3:27 PM Subject: Re: [Blind-sysadmins] facebook hacking app
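Ben's guess that an IDS would pick this up is right for the ARP-poisoning case: the sniffer has to answer ARP for an address it does not own, so the IP-to-MAC mapping seen on the wire changes, and one hardware address starts claiming several IPs. The detector below is an added example in the style of arpwatch-type monitoring, not code from the list posts or from any IDS product; the ARP reply records are constructed, and the gateway address and MAC values are made up.

```python
"""ARP-cache-poisoning detector of the kind an IDS runs: track the sender IP/MAC
pairs seen in ARP replies and alert when an address's MAC changes or one MAC
claims several addresses. Added example with constructed traffic; not from the posts."""
from collections import defaultdict

# Constructed ARP reply records: (seconds since start, sender IP, sender MAC).
# The last two records are what a poisoning attempt against the gateway looks like.
SAMPLE_REPLIES = [
    (0,  "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # gateway announces itself
    (1,  "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    (2,  "192.168.1.21", "aa:aa:aa:aa:aa:21"),
    (30, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # same mapping again, benign
    (31, "192.168.1.1",  "de:ad:be:ef:00:99"),  # gateway IP now from another MAC
    (31, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims a client
]


def detect_arp_spoofing(replies, gateway_ip=None, max_ips_per_mac=1):
    """Return a list of (time, severity, message) alerts.

    Two signals: an IP whose hardware address changes (HIGH when it is the
    gateway, since that is what redirects everyone's traffic), and a MAC that
    claims more addresses than a normal host would."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((ts, severity, f"{ip} changed from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append((ts, "MEDIUM", f"{mac} now answers for {claimed}"))
    return alerts


if __name__ == "__main__":
    for ts, severity, message in detect_arp_spoofing(SAMPLE_REPLIES, gateway_ip="192.168.1.1"):
        print(f"t={ts:>3}s {severity:<6} {message}")
```

On a real network the records come from a capture of ARP replies on the segment, and the MAC-claims-many-IPs rule needs an allow-list for routers, virtualisation hosts and anything else that legitimately proxies ARP; the first rule, a changed MAC for the gateway, is the one worth paging on. A one-off manual check is the same idea: compare the gateway entry in the host's ARP table against the router's known hardware address.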
I don't get why you're downplaying this. In my opinion, it's important for people to know about this exploit. Yeah, the article was written in June, but Facebook has not closed the security hole that the app exploits. That app works as well today as it did in June. And the fact that Facebook isn't the only service vulnerable hardly lessens it either. If anything, that makes it even more important to know about this exploit.
I mean, I'm not saying it's time to build a bomb shelter and buy an emergency generator. The world is not coming to an end. But this is an exploit people should be aware of.
From: "Ben Mustill-Rose"
Hello,
Thanks to everyone who has responded. So if I understand this right, if you're not on the same network you're OK? So, if people aren't in an unsecured or unknown WiFi hotspot then things are well? The article mentioned settings to enable; I shall do so. I'm also going to give a lecture to this group on security, hoaxes, passwords, and this exploit; I just want to make sure I have all my facts in place.
Thanks.
Dave.
On 12/13/11, John G. Heim wrote:
I don't get why you're downplaying this. In my opinion, it's important for people to know about this exploit. Yeah, the article was written in June, but Facebook has not closed the security hole that the app exploits. That app works as well today as it did in June. And the fact that Facebook isn't the only service vulnerable hardly lessens it either. If anything, that makes it even more important to know about this exploit.
I mean, I'm not saying it's time to build a bomb shelter and buy an emergency generator. The world is not coming to an end. But this is an exploit people should be aware of.
----- Original Message -----
From: "Ben Mustill-Rose"
To: "Blind sysadmins list"
Sent: Monday, December 12, 2011 5:17 PM
Subject: Re: [Blind-sysadmins] facebook hacking app
The article was written in June, so whilst it probably still applies, it's nothing new. It uses processes that can be applied to any website, and I got the impression that it didn't try and compromise anything sent over HTTPS, which is what Twitter defaults to now. I'm guessing that this uses some form of ARP poisoning; any good IDS should be able to pick it up, along with some consumer antivirus programs.
On 12/12/2011, John G. Heim wrote:
Here is an article from MSNBC that confirms the rumor:
http://gadgetbox.msnbc.msn.com/_news/2011/06/02/6771350-android-app-hacks-fa...
phones, I wouldn't be
So that article says the Android app works exactly as I predicted. It uses a packet sniffer to hijack your session cookies. My understanding is that this kind of attack is not possible if the web site sticks with HTTPS even after login. Facebook and many other sites are vulnerable because they switch back to regular HTTP after you log in. I'm not entirely sure keeping the protocol HTTPS protects you from session hijacking. I would think so, because the packets the cookies are sent in would be encrypted. But it could be that cookies are sent in an unencrypted layer.
----- Original Message -----
From: "Ben Mustill-Rose"
To: "Blind sysadmins list"
Sent: Monday, December 12, 2011 3:27 PM
Subject: Re: [Blind-sysadmins] facebook hacking app
Obviously you could do a man in the middle combined with something like sslstrip and get more or less whatever you wanted, but that's not specific to Facebook at all. As far as phone networks go I'm not sure; nobody can ping my iPhone's 3G IP address, but I'm not sure if that's because of iOS or my provider. Based on this, I'm not sure if the man in the middle approach would work. Obviously this is slightly moot these days, since most phones have Wi-Fi and there are methods to make a device automatically connect to an AP regardless of its SSID.
I really don't think there is anything targeted towards Facebook at the moment other than standard brute-forcing of weak passwords, but that happens all the time. I see posts from people on my newsfeed who have been convinced to authorise an app that is sending out spam, but I don't think the Facebook API would have a feature that lets a third party app obtain someone's password.
As I say, lots of ways to do it, but these could be applied to almost any website.
On 12/12/2011, John G. Heim wrote:
I don't find it so very unlikely that there's an app out there for hijacking Facebook sessions. Correct me if I'm wrong, but Facebook encrypts only the login screens, right? So while your password doesn't get sent over the network in plain text, after you log in, everything else does. That would mean anyone on the same network as you are could hijack your session. The only thing that would prevent that would be if the network traffic itself was encrypted. Are phone networks encrypted?
----- Original Message -----
From: "David Mehler"
To: "Blind sysadmins list"
Sent: Friday, December 09, 2011 8:58 PM
Subject: Re: [Blind-sysadmins] facebook hacking app
Hi,
Thanks. That was kind of my thoughts as well, but I don't know everything and am not an avid Facebook user; I just wanted to make sure nothing was slipping by me.
Thanks.
Dave.
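The quoted exchange above turns on whether a session cookie is still exposed once a site stays on HTTPS after login. In transit it is not: the cookie travels as an HTTP header inside the TLS record layer, there is no separate unencrypted cookie layer, so a sniffer on the same Wi-Fi gets nothing from an HTTPS request. What does expose it is the cookie's own attributes. A session cookie set without the Secure attribute is attached by the browser to any plain http:// request for that host, so an attacker who can provoke one such request (an http:// link left on the page, an image loaded over http, a hotspot redirect) still gets it in the clear even though the user "logged in over HTTPS". The example below is an added illustration, not code from the original thread or from any of its posters: it parses a constructed cleartext capture the way a sniffer would, and audits constructed Set-Cookie headers for the attributes that matter. The host names and cookie names are made up.

```python
"""Added example (not from the original thread): what a same-network sniffer
actually gets from cleartext HTTP, and which Set-Cookie attributes decide whether
a session cookie can leak that way. The capture and headers are constructed;
the host and cookie names are made up."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed capture: two cleartext requests as a sniffer on a shared Wi-Fi
# segment would reassemble them (a blank line separates the requests).
CAPTURED_CLEARTEXT = (
    "GET /home.php HTTP/1.1\r\n"
    "Host: www.example-social.test\r\n"
    "Cookie: sid=2f9a7c1e0b; lang=en\r\n"
    "\r\n"
    "GET /img/logo.png HTTP/1.1\r\n"
    "Host: static.example-social.test\r\n"
    "\r\n"
)


def extract_session_cookies(capture: str) -> Dict[str, Dict[str, str]]:
    """Return {host: {cookie_name: value}} for each cleartext request carrying a
    Cookie header. Over HTTPS the same headers sit inside the TLS record layer,
    so there is nothing here to extract; HTTP has no separate cookie layer."""
    seen: Dict[str, Dict[str, str]] = {}
    for block in capture.split("\r\n\r\n"):
        headers: Dict[str, str] = {}
        for line in block.split("\r\n")[1:]:          # [0] is the request line
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        if "host" in headers and "cookie" in headers:
            jar: Dict[str, str] = {}
            for pair in headers["cookie"].split(";"):
                k, _, v = pair.strip().partition("=")
                jar[k] = v
            seen[headers["host"]] = jar
    return seen


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    findings: List[str] = field(default_factory=list)


def audit_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie value and flag the two attributes whose absence lets a
    session cookie be sniffed (Secure) or read by injected script (HttpOnly)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    audit = CookieAudit(name, "secure" in attrs, "httponly" in attrs)
    if not audit.secure:
        audit.findings.append("no Secure: browser also sends it on plain http:// requests")
    if not audit.http_only:
        audit.findings.append("no HttpOnly: readable by script running in the page")
    return audit


def browser_sends_cookie(audit: CookieAudit, request_scheme: str) -> bool:
    """The browser rule that matters for sniffing: a Secure cookie goes only over
    https; any other cookie goes out on whatever scheme the request uses."""
    return request_scheme == "https" or not audit.secure


if __name__ == "__main__":
    print(extract_session_cookies(CAPTURED_CLEARTEXT))
    for raw in ("sid=2f9a7c1e0b; Path=/; Domain=.example-social.test",
                "sid=2f9a7c1e0b; Path=/; Secure; HttpOnly"):
        a = audit_set_cookie(raw)
        print(a.name, "leaks over http:", browser_sends_cookie(a, "http"), a.findings)
```

The HttpOnly check covers a different attack (script in the page reading the cookie) but it is the other attribute a cookie audit looks at, and in 2011-era sites the two were usually missing together. A site that wants to "stick with HTTPS" has to do both: serve every page over TLS and mark the session cookie Secure, or the second half of the thread's worry is justified.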
Right. The exploit depends on the ability to put a packet sniffer on the
network. In public places, anyone can do that.
----- Original Message -----
From: "David Mehler"
Hello,
Thanks to everyone who has responded. So if I understand this right, if you're not on the same network you're OK? So, if people aren't in an insecure or unknown WiFi hotspot then things are well? The article mentioned settings to enable; I shall do so. I'm also going to give a lecture to this group on security, hoaxes, passwords, and this exploit; I just want to make sure I have all my facts in place.
Thanks. Dave.
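John's point above is that the precondition for this attack is a sniffer on the victim's network. On an open Wi-Fi hotspot every station's frames are already in the clear and a passive capture is enough. Where a passive capture does not see the victim's unicast traffic, the attacker has to pull that traffic through its own machine first, and ARP poisoning (Ben's guess earlier in the thread) is the usual way: forged ARP replies telling the victim that the gateway's IP lives at the attacker's MAC, and telling the gateway the same about the victim. That is also why Ben expects an IDS to notice: the forgery shows up on the wire as an IP address suddenly changing its MAC, or one MAC answering for several IPs. The example below is an added illustration, not code from the original thread or from the app it discusses; it builds a few constructed ARP reply frames (private IPs, made-up MACs) and runs a minimal arpwatch-style detector over them.

```python
"""Added example (not from the original thread): a minimal arpwatch-style detector
for the ARP poisoning an on-path sniffer uses to pull a victim's traffic through
itself. Every frame below is constructed from private IPs and made-up MACs."""
import struct
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ETH_P_ARP = 0x0806
ARP_REPLY = 2

# Constructed addresses for the scenario.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:00:00:20"
ATTACKER_MAC = "0a:0b:0c:00:00:99"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def arp_reply_frame(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + ARP reply, as a poisoner or a real host would send it."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, opcode=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Tuple[int, str, str]:
    """Return (opcode, sender_mac, sender_ip); the sender fields are what poison a cache."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


class ArpWatch:
    """Remember the first MAC seen for each IP; alert when an IP changes MAC
    (HIGH if it is the gateway) or when one MAC starts answering for several IPs."""

    def __init__(self, gateway_ip: str) -> None:
        self.gateway_ip = gateway_ip
        self.ip_to_mac: Dict[str, str] = {}
        self.claims: Dict[str, Set[str]] = defaultdict(set)
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        opcode, smac, sip = parse_arp(frame)
        if opcode != ARP_REPLY:
            return
        known = self.ip_to_mac.get(sip)
        if known is None:
            self.ip_to_mac[sip] = smac
        elif known != smac:
            sev = "HIGH" if sip == self.gateway_ip else "MEDIUM"
            self.alerts.append(f"{sev}: {sip} moved from {known} to {smac}")
        before = len(self.claims[smac])
        self.claims[smac].add(sip)
        if len(self.claims[smac]) > max(before, 1):   # alert once per new extra IP
            self.alerts.append(f"HIGH: {smac} now answers for {sorted(self.claims[smac])}")


def demo_alerts() -> List[str]:
    """Two genuine replies, then the two forged ones a poisoner sends."""
    watch = ArpWatch(GATEWAY_IP)
    for frame in (
        arp_reply_frame(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # genuine
        arp_reply_frame(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),    # genuine
        arp_reply_frame(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # "the gateway is me"
        arp_reply_frame(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # "the victim is me"
    ):
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in demo_alerts():
        print(line)
```

Production arpwatch and IDS rules add tuning this leaves out (DHCP-driven address changes, hosts that genuinely move, gratuitous ARP on boot), but the signal is the same two conditions, and on a small office or home network the gateway-moved alert alone is worth having.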
Hello,
Thanks to everyone who has responded. So if I understand this right, if
you're not on the same network you're OK? So, if people aren't in an
insecure or unknown WiFi hotspot then things are well? The article
mentioned settings to enable; I shall do so. I'm also going to give a
lecture to this group on security, hoaxes, passwords, and this
exploit; I just want to make sure I have all my facts in place.
Thanks.
Dave.
Obviously you could do a man in the middle combined with something
like sslstrip and get more or less whatever you wanted, but that's not
specific to Facebook at all. As far as phone networks go I'm not sure;
nobody can ping my iPhone's 3G IP address, but I'm not sure if that's
because of iOS or my provider. Based on this, I'm not sure if the man
in the middle approach would work. Obviously this is slightly moot
these days since most phones have Wi-Fi and there are methods to make a
device automatically connect to an AP regardless of its SSID.
I really don't think there is anything targeted towards Facebook at
the moment other than standard brute-forcing of weak passwords, but
that happens all the time. I see posts from people on my newsfeed who
have been convinced to authorise an app that is sending out spam, but
I don't think the Facebook API would have a feature that lets a third
party app obtain someone's password.
As I say, lots of ways to do it, but these could be applied to almost
any website.
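Ben's man-in-the-middle-plus-sslstrip remark above is the generic form of the attack, and it shows why "the site defaults to HTTPS now" (his point about Twitter elsewhere in the thread) is only half an answer. sslstrip works on the cleartext side: the victim types or follows an http:// URL, the attacker proxies it, speaks TLS to the real site, and rewrites every https:// reference in the redirect and the page back to http://, so the victim's browser never leaves cleartext and never sees a certificate warning. The browser-side defence is HTTP Strict Transport Security (HSTS): once a host has sent the Strict-Transport-Security header over a clean HTTPS connection, the browser upgrades any later http:// request for that host to https:// by itself, so the cleartext request sslstrip depends on is never made. The caveat is the first visit: a browser that has never seen the header from that host, or whose entry has expired, is still downgradable, which is why browsers later added preload lists. The example below is an added illustration, not code from the thread or from sslstrip itself; it models both sides with constructed headers and made-up host names.

```python
"""Added example (not from the original thread): the downgrade a MITM running
sslstrip performs, and the browser-side HSTS rule that makes it fail. All
headers, URLs and host names below are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# --- attacker side: what sslstrip does to cleartext traffic it is relaying ---

_HTTPS_URL = re.compile(r"https://", re.IGNORECASE)


def sslstrip_rewrite(headers: Dict[str, str], body: str) -> Tuple[Dict[str, str], str]:
    """Rewrite every https:// reference to http:// so the victim keeps talking
    cleartext to the attacker, who speaks TLS to the real site. The HSTS header
    is dropped too, although a browser only honours it over HTTPS anyway."""
    out: Dict[str, str] = {}
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            continue
        if name.lower() == "location":
            value = _HTTPS_URL.sub("http://", value)
        out[name] = value
    return out, _HTTPS_URL.sub("http://", body)


# --- browser side: the HSTS cache that refuses to issue the cleartext request ---

def parse_hsts(value: str) -> Tuple[int, bool]:
    """Parse a Strict-Transport-Security value into (max_age_seconds, include_subdomains)."""
    max_age, include_sub = 0, False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip().strip('"'))
        elif d.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


@dataclass
class HstsEntry:
    expires: float
    include_subdomains: bool


class Browser:
    def __init__(self) -> None:
        self.hsts: Dict[str, HstsEntry] = {}

    def note_response(self, url: str, headers: Dict[str, str], now: float) -> None:
        """Only a response received over HTTPS may set or refresh HSTS policy;
        a cleartext response (the only kind a sslstrip victim sees) is ignored."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return
        for name, value in headers.items():
            if name.lower() == "strict-transport-security":
                max_age, sub = parse_hsts(value)
                if max_age == 0:
                    self.hsts.pop(parts.hostname, None)
                else:
                    self.hsts[parts.hostname] = HstsEntry(now + max_age, sub)

    def _policy_for(self, host: str, now: float) -> Optional[HstsEntry]:
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            if entry and entry.expires > now and (i == 0 or entry.include_subdomains):
                return entry
        return None

    def request_url(self, url: str, now: float) -> str:
        """The URL the browser actually fetches: upgraded to https if HSTS applies,
        otherwise exactly what it was given, which is the request sslstrip needs."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._policy_for(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    hdrs, html = sslstrip_rewrite(
        {"Location": "https://login.example.test/home",
         "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
        '<a href="https://login.example.test/x">')
    print(hdrs, html)
    b = Browser()
    b.note_response("https://example.test/", {"Strict-Transport-Security": "max-age=600; includeSubDomains"}, now=0.0)
    print(b.request_url("http://login.example.test/home", now=100.0))
```

The two halves meet in `request_url`: a browser with a live entry never emits the http:// request, so there is nothing for the attacker to rewrite; a browser without one (first visit, expired entry, or a site that never sent the header) emits it and the downgrade goes through. Keeping a session cookie out of the sniffer's reach therefore needs the Secure attribute on the cookie, the site staying on HTTPS, and HSTS so the first two cannot be undone by a downgrade.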
Hi,
Thanks. That was kind of my thoughts as well, but I don't know
everything and am not an avid facebook user, I just wanted to make
sure nothing was slipping by me.
Thanks.
Dave.
participants (3)
- Ben Mustill-Rose
- David Mehler
- John G. Heim