New settings help hackers test security for Facebook and Instagram applications more easily

Facebook recently introduced a new feature on both its web platform and its mobile applications, designed to help bug bounty hunters (pentesters) more easily find possible security holes in Facebook's Messenger and Instagram applications on the Android platform.

If you don't know, a pentest (penetration test) is a way of checking whether a given IT system contains security holes or can be attacked, by simulating test attacks against it. The person performing a penetration test is called a penetration tester, or pentester.

[Picture 1]

Almost all Facebook-owned applications use security mechanisms such as Certificate Pinning to ensure the integrity and confidentiality of their traffic. Therefore, hackers as well as security researchers find it harder to intercept and analyze network traffic in order to find security vulnerabilities on the server side. A little more needs to be said about Certificate Pinning. If you do not know, it is a security mechanism designed to keep application users from becoming victims of network-based attacks, by automatically rejecting all connections to servers that present SSL certificates other than the expected (pinned) ones.

Accordingly, this newly deployed Facebook option is named "Whitehat Settings", and it allows researchers to easily bypass the Certificate Pinning security mechanism in the mobile applications owned by Facebook by enabling the following actions:

  1. Disable TLS 1.3 support from Facebook
  2. Enable proxy for platform API requests
  3. Use user-installed certificates

Also, according to Facebook, "choosing not to use TLS 1.3 will allow you to work with proxies like Burp or Charles, which currently only support TLS 1.2".
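As an added illustration (not Facebook's own configuration) of what certificate pinning and the "use user-installed certificates" option mean on Android, here is a Network Security Config that pins an API host in release builds and trusts the device's user CA store only in debuggable builds; the host name and pin values are placeholders:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative res/xml/network_security_config.xml (added example, not Facebook's code). -->
<network-security-config>
    <!-- Production behaviour: trust only the system CA store and require the
         server's public key to match one of the pins. A proxy such as Burp or
         Charles presents a certificate signed by its own user-installed CA, so
         the connection fails both the trust check and the pin check. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
        <pin-set expiration="2025-12-31">
            <!-- Placeholder base64 SHA-256 hashes of the SubjectPublicKeyInfo;
                 real deployments pin the current key plus at least one backup. -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Testing behaviour, the equivalent of "use user-installed certificates":
         also trust the user CA store and let those CAs bypass the pins. Android
         honours this block only when the app is built with
         android:debuggable="true", so it does not weaken release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" overridePins="true"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The file is referenced from the manifest with android:networkSecurityConfig="@xml/network_security_config"; apps that implement pinning in their own code, as Facebook's apps do, need an application-level switch like Whitehat Settings instead.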

[Picture 2]

Note that the Whitehat Settings option is not visible to everyone by default. Instead, researchers must explicitly enable this feature for their Android applications from Facebook's web-based interface, as shown below:

[Picture 3]

"To ensure the Whitehat Settings option is fully displayed in the mobile application environment, we recommend that you log out of your account from all relevant mobile applications, close the application, then open the app again and log back in. The login process will allow the application to automatically fetch the new profile and apply the settings you just enabled."

After the Whitehat Settings option is turned on, you will see a banner appear at the top of the application (Facebook, Messenger or Instagram), indicating that the network testing feature is turned on and that your traffic can now be intercepted.

If you want to check for security vulnerabilities that can appear in the Instagram mobile app using the newly launched Whitehat Settings, you should first link your Instagram app to the Facebook application.

[Picture 4]

In addition, it should be noted that Whitehat Settings is not a feature developed for everyone, and especially not for general users, because it fundamentally reduces the security of the Facebook-owned applications installed on their device.

"To ensure the security of your account, we recommend that you turn off this setting whenever you do not need to test our platform for bounty vulnerabilities," a Facebook representative said.

What do you think about this new feature of Facebook? Leave comments in the comment section below!
