With just one link, hacking Facebook accounts has never been so easy
Network and information security is always a complicated situation. New hacking methods and tricks appear every day, and a single moment of carelessness can leave you a victim. With Facebook, it is now 2019, and if you 'blindly' click on a malicious URL, chances are your account has been hacked. This is a new kind of malicious link, crafted in a special way to allow an attacker to hack your Facebook account without any further interaction.
Last month, a security researcher discovered a serious and particularly dangerous security vulnerability involving cross-site request forgery (CSRF) protection on some of the most popular social networking platforms (mostly Facebook). It can allow an attacker to hijack a victim's Facebook account by tricking them into clicking on a malicious link.
More specifically, the well-known security researcher nicknamed "Samm0uda" found this flaw after he discovered a mistake in an endpoint (facebook.com/comet/dialog_DONOTUSE/) that could be exploited to bypass CSRF protection and hijack the victim's account. In addition, according to the researcher, the fact that the endpoint sits under the main domain www.facebook.com makes it easier for attackers to trick their victims into visiting the malicious URL.
In short, all the attackers need to do is trick the victims into clicking on a specially crafted Facebook URL, as mentioned above. This link is designed to perform many actions, such as posting anything on their timeline, changing or deleting their profile picture, and even tricking users into deleting all important information on their Facebook account.
Taking complete control of the victim's account, or tricking them into deleting their entire Facebook account, requires a little extra effort from the attacker, because the victim must first enter their password to confirm the account deletion.
To do this, the researcher said, the attacker would need the victim to visit two separate URLs: one to add an email address or phone number and one to confirm it.
That's "because the 'normal' endpoints used to add emails or phone numbers will not have the 'next' parameter to redirect users after the request is successfully executed," said Samm0uda.
However, the researcher was still able to achieve account takeover with just one URL by finding endpoints that do have the 'next' parameter, authorizing a malicious application on behalf of the victim, and obtaining their Facebook access token.
Once the attacker has the victim's access token, an email address controlled by the attacker is automatically added to the account, allowing the attacker to take over the account completely by resetting the password and 'kicking' the legitimate user out of their Facebook account.
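The chaining described above relies on a state-changing endpoint being reachable from a clicked link and on a 'next' parameter that can point at another state-changing endpoint. The server-side checks below are an added example, not Facebook's code or the researcher's; the route names, the `csrf_token` field and the helper functions are hypothetical.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Hypothetical route tables for this example (not Facebook's real paths).
STATE_CHANGING = {"/settings/email/add", "/settings/email/confirm", "/apps/authorize"}
NEXT_ALLOWLIST = {"/home", "/settings"}   # read-only landing pages only
FALLBACK = "/home"

def safe_next(next_param):
    """Resolve a 'next' redirect to an allowlisted, same-site, read-only page."""
    try:
        parts = urlsplit(next_param or "")
    except ValueError:
        return FALLBACK
    if parts.scheme or parts.netloc:          # absolute or //host/... target
        return FALLBACK
    # Exact-match allowlist: a state-changing path can never be a redirect
    # target, so one request cannot be chained into a second action.
    return parts.path if parts.path in NEXT_ALLOWLIST else FALLBACK

def allow_request(method, path, headers, form, session_token):
    """Gate applied before any handler runs."""
    if path not in STATE_CHANGING:
        return True
    if method != "POST":                      # a clicked link arrives as a GET
        return False
    # Fetch Metadata: when the browser sends it, require a same-origin source.
    if headers.get("Sec-Fetch-Site", "same-origin") != "same-origin":
        return False
    # Session-bound CSRF token, compared in constant time.
    supplied = form.get("csrf_token", "")
    return bool(supplied) and hmac.compare_digest(
        supplied.encode(), session_token.encode())

def handle(method, url, headers, form, session_token):
    """Return (status, redirect_target) for a constructed request."""
    parts = urlsplit(url)
    if not allow_request(method, parts.path, headers, form, session_token):
        return 403, None
    next_param = parse_qs(parts.query).get("next", [""])[0]
    return 302, safe_next(next_param)
```

With these checks, a link that targets the add-email route is refused outright, and even a legitimate POST cannot be redirected into the confirm route through `next`.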
Such account hijacking attacks can be partially prevented if you have enabled two-factor authentication for your Facebook account, which stops attackers from logging in to your account unless they obtain the 6-digit code sent to your mobile device.
However, once your account has been hacked, there is no way to prevent the attacker from using this vulnerability to take some actions on your behalf, such as changing or deleting your profile picture, deleting photo albums, or posting anything on your timeline.
Samm0uda reported this security vulnerability, along with details of his exploit steps, to Facebook on January 26. The social networking giant acknowledged the problem and resolved it on January 31, and rewarded the researcher $25,000 as part of Facebook's bug bounty program.