With just one link, hacking Facebook accounts has never been so easy

The state of network and information security is always complicated. Dozens of new hacking methods and tricks appear every day, and a single moment of carelessness can be enough to make you pay dearly.

With Facebook, even in 2019, 'blindly' clicking a malicious URL could mean your account was as good as gone. The link in question is a new kind of malicious URL, crafted so that an attacker could hijack your Facebook account with no further interaction from you.

Specifically, last month a security researcher discovered a serious vulnerability in the cross-site request forgery (CSRF) protection of one of the most popular social networking platforms, Facebook, which could allow an attacker to hijack a victim's account simply by tricking them into clicking a malicious link.


More specifically, the security researcher known as "Samm0uda" found the flaw after noticing that the endpoint facebook.com/comet/dialog_DONOTUSE/ could be exploited to bypass CSRF protection and hijack the victim's account. According to the researcher, the fact that this endpoint lives under the main domain www.facebook.com also makes it much easier for an attacker to trick victims into opening the malicious URL, because the link looks legitimate.

In short, all the attacker needs to do is trick the victim into clicking a specially crafted Facebook URL of this kind. Such a link can be designed to perform many actions in the victim's name, such as posting anything to their timeline, changing or deleting their profile picture, and even tricking them into deleting their entire Facebook account.

Taking complete control of the victim's account, or tricking them into deleting it, requires a little extra effort from the attacker, because Facebook asks the victim to enter their password before an account deletion is confirmed.

To do this, the researcher explained, the attacker would have to get the victim to open two separate URLs: one to add an email address or phone number to the account, and one to confirm it.

That is "because the 'normal' endpoints used to add emails or phone numbers will not have the 'next' parameter to redirect users after the request is successfully executed," Samm0uda said.


However, the researcher still managed to achieve a full account takeover with a single URL, by finding endpoints that accept a 'next' parameter, authorizing a malicious application on the victim's behalf and obtaining the victim's Facebook access token.

Once the attacker holds the victim's access token, an email address under the attacker's control is automatically added to the account, which lets the attacker hijack it completely: they can reset the password and 'kick' the legitimate user out of their own Facebook account.
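The class of bug described above (a same-origin "relay" endpoint that performs a caller-supplied request on the logged-in user's behalf, defeating the site's own CSRF token, and a 'next' redirect that lets two such actions be chained behind one link) can be modelled in a few dozen lines. The following is an added example written for this page, not Facebook's code and not the researcher's exploit; the origin app.example, the endpoints /add_email and /dialog, and the parameter names url, next and csrf_token are all constructed assumptions, and nothing beyond the article's own description of dialog_DONOTUSE and the 'next' parameter is reproduced. The model shows the vulnerable relay, the one-click chain, and the hardened relay that demands the anti-CSRF token before forwarding anything.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class Session:
    """The victim's logged-in session, sent by the browser with every request."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    emails: list = field(default_factory=list)


class ToySite:
    """Constructed model: one CSRF-protected action plus a relay ('dialog') endpoint."""

    ORIGIN = "https://app.example"  # hypothetical origin, not a real site

    def __init__(self, hardened: bool):
        self.session = Session("victim")
        self.hardened = hardened  # True: the relay demands the token before forwarding

    def _token_ok(self, params) -> bool:
        sent = params.get("csrf_token", [""])[0]
        return secrets.compare_digest(sent, self.session.csrf_token)

    def add_email(self, params):
        """State-changing endpoint. On its own it is correctly CSRF-protected and,
        as in the article, it offers no 'next' redirect of its own."""
        if not self._token_ok(params):
            return 403, None
        self.session.emails.append(params["email"][0])
        return 200, None

    def dialog(self, params):
        """Relay endpoint: performs a caller-supplied same-origin URL on the user's
        behalf, then redirects to 'next'. The vulnerable variant attaches the
        session's token to the forwarded request itself, so an attacker who cannot
        read the token still gets a token-bearing request made for them."""
        if self.hardened and not self._token_ok(params):
            return 403, None
        target = params["url"][0]
        forwarded = target + ("&" if "?" in target else "?") + urlencode(
            {"csrf_token": self.session.csrf_token})
        status, _ = self.request(forwarded)
        if status != 200:
            return status, None
        return 200, params.get("next", [None])[0]

    def request(self, url: str, max_redirects: int = 5):
        """Simulate the victim's browser fetching `url` and following redirects."""
        for _ in range(max_redirects + 1):
            parts = urlsplit(url)
            if f"{parts.scheme}://{parts.netloc}" != self.ORIGIN:
                return 400, None  # only same-origin traffic is modelled
            handler = {"/add_email": self.add_email, "/dialog": self.dialog}.get(parts.path)
            if handler is None:
                return 404, None
            status, redirect = handler(parse_qs(parts.query))
            if redirect is None:
                return status, None
            url = redirect
        return 508, None


def attacker_link(site: ToySite) -> str:
    """One link that chains two 'add email' actions through the relay and its
    'next' parameter. The attacker never needs the victim's CSRF token."""
    def action(email):
        return f"{site.ORIGIN}/add_email?" + urlencode({"email": email})
    second = f"{site.ORIGIN}/dialog?" + urlencode({"url": action("backup@evil.example")})
    return f"{site.ORIGIN}/dialog?" + urlencode(
        {"url": action("attacker@evil.example"), "next": second})


def one_click(hardened: bool):
    """The victim clicks the attacker's link once; returns (status, emails on the account)."""
    site = ToySite(hardened)
    status, _ = site.request(attacker_link(site))
    return status, list(site.session.emails)


def legitimate_use(hardened: bool):
    """The site's own page, which does know the token, still works with the hardened relay."""
    site = ToySite(hardened)
    target = f"{site.ORIGIN}/add_email?" + urlencode({"email": "me@victim.example"})
    url = f"{site.ORIGIN}/dialog?" + urlencode(
        {"url": target, "csrf_token": site.session.csrf_token})
    status, _ = site.request(url)
    return status, list(site.session.emails)


if __name__ == "__main__":
    print("vulnerable relay, one click:", one_click(hardened=False))
    print("hardened relay, one click:  ", one_click(hardened=True))
    print("hardened relay, legit use:  ", legitimate_use(hardened=True))
```

The point of the hardened variant is that a relay which forwards requests on the user's behalf is itself a state-changing endpoint and must be CSRF-protected like any other; once it checks the token before forwarding, the attacker, who cannot read that token from a cross-site context, gains nothing from it, while the site's own pages keep working.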

Such an account hijacking attack can be partially prevented if you have enabled two-factor authentication on your Facebook account, since the attacker cannot log in with the reset password unless they also obtain the 6-digit code sent to your phone.

However, two-factor authentication does nothing to stop the actions this vulnerability lets an attacker perform on your behalf, because the forged requests run inside your own already logged-in browser session and never trigger a login check; the attacker can still change or delete your profile picture, delete photo albums or post anything to your timeline.

Samm0uda reported the vulnerability, together with the details of his exploit steps, to Facebook on January 26. The social network acknowledged the problem, fixed it on January 31 and rewarded the researcher with $25,000 under its bug bounty program.