
CSRF vulnerability in Facebook allows attackers to hijack accounts with a single click

Facebook pays $25,000 to security researcher for discovering CSRF exploit that leads to stealing accounts

A security researcher discovered a critical cross-site request forgery (CSRF) vulnerability in Facebook that would have allowed an attacker to take over accounts by tricking the victim into clicking a single malicious link.

The researcher, who goes by the pseudonym “Samm0uda”, found the vulnerability after noticing an exposed endpoint (facebook.com/comet/dialog_DONOTUSE/) that could be used to bypass Facebook’s CSRF protections and perform a range of actions on behalf of the victim.

“This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and makes a POST request to that endpoint after adding the fb_dtsg parameter. Also this endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims to visit the URL,” the researcher says on his blog.

“The vulnerable endpoint is:
https://www.facebook.com/comet/dialog_DONOTUSE/?url=XXXX where XXXX is the endpoint with parameters where the POST request is going to be made (the CSRF token fb_dtsg is added automatically to the request body).”

Through the bug it was possible not only to post on a targeted user’s timeline, but also to delete their profile picture and to trick them into deleting their account. The last of these requires the victim to re-enter their password, so it does not succeed on a link click alone.

The flaw could also have been used to take full control of an account, via requests that change the email address or phone number associated with the victim’s account. Once an attacker-controlled email address or phone number is attached, the attacker can use the password reset function to set a new password and lock the original owner out.

Exploiting it this way takes some effort, because the victim has to follow two separate links: one to add the email address or phone number and another to confirm it. The researcher, however, was able to build a single URL that, when visited, leaked the victim’s access token.
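The relay pattern the researcher describes, modelled in Python as an added example (this is not Facebook’s code and not the researcher’s proof of concept): a `vulnerable_relay` that POSTs to whatever endpoint `?url=` names and attaches the session’s CSRF token for free, beside a `hardened_relay` that refuses unless the caller already presents the token, the Referer (when sent) is same-origin and the target is on an allowlist. The endpoint path and the `fb_dtsg` name are taken from the article; the `Session` class, the function names, the allowlist entries and the sample URLs are assumptions constructed for the demo.

```python
"""
Added example (not Facebook's code): a model of the token-adding relay
anti-pattern described above, next to a hardened version.

The path /comet/dialog_DONOTUSE/ and the parameter name fb_dtsg come from the
article; the Session class, the relay functions, the allowlist and the sample
URLs below are assumptions constructed for this demo.
"""
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit, parse_qsl

SITE_HOST = "www.facebook.com"
DIALOG_PATH = "/comet/dialog_DONOTUSE/"


class Session:
    """Stand-in for the logged-in victim's server-side session."""
    def __init__(self, user: str):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(16)   # plays the role of fb_dtsg


def target_from_dialog_url(dialog_url: str) -> str:
    """Pull the attacker-controlled ?url= value out of the dialog link."""
    query = dict(parse_qsl(urlsplit(dialog_url).query))
    return query.get("url", "")


def build_post(session: Session, target: str) -> dict:
    """Turn the target (path + query) into the POST the relay would issue,
    with the session's CSRF token added to the body."""
    parts = urlsplit(target)
    body = dict(parse_qsl(parts.query))
    body["fb_dtsg"] = session.csrf_token
    return {"method": "POST", "path": parts.path, "body": body}


def vulnerable_relay(session: Session, dialog_url: str) -> dict:
    """The bug: whatever endpoint ?url= names gets POSTed to on the victim's
    behalf, token included, with no check that the caller already held it."""
    return build_post(session, target_from_dialog_url(dialog_url))


# Endpoints this dialog is legitimately allowed to drive (assumed).
ALLOWED_TARGETS = {"/comet/dialog/share_preview"}


def hardened_relay(session: Session, dialog_url: str,
                   submitted_token: Optional[str],
                   referer: Optional[str]) -> Tuple[str, object]:
    """Returns ("relayed", post) or ("refused", reason).

    1. The request must itself carry the CSRF token; an attacker's page cannot
       know it, so a bare link click fails here.  This is the real gate.
    2. A Referer, when the browser sends one, must be same-origin over https.
    3. The target must be a relative path on the allowlist, so the relay cannot
       be pointed at arbitrary state-changing endpoints or at other hosts.
    """
    if not hmac.compare_digest(submitted_token or "", session.csrf_token):
        return ("refused", "missing or wrong CSRF token")
    if referer:
        ref = urlsplit(referer)
        if ref.scheme != "https" or ref.netloc != SITE_HOST:
            return ("refused", "cross-origin Referer")
    target = target_from_dialog_url(dialog_url)
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return ("refused", "absolute target URL not allowed")
    if parts.path not in ALLOWED_TARGETS:
        return ("refused", "target %r not allowlisted" % parts.path)
    return ("relayed", build_post(session, target))


if __name__ == "__main__":
    victim = Session("victim")
    # Constructed attacker link: the victim only has to click it.
    evil = ("https://" + SITE_HOST + DIALOG_PATH
            + "?url=/settings/email/add%3Fnew_email%3Dattacker%40example.com")
    print(vulnerable_relay(victim, evil))
    print(hardened_relay(victim, evil, None, "https://attacker.example/"))
```

The token check is what actually closes the hole: the relay existed precisely so that a caller who did not have `fb_dtsg` could still make a token-bearing POST, which is the definition of a CSRF bypass. The allowlist and Referer checks are defence in depth in case a token ever leaks, as the researcher’s single-URL token leak shows it can.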

Samm0uda reported the findings to Facebook on January 26, 2019. Facebook acknowledged the issue and fixed it on January 31, 2019, and awarded the researcher a $25,000 bounty under its bug bounty program.

Facebook could be hit with a record settling multi-billion dollar fine from the FTC for privacy violation

Facebook Is Negotiating A Multi-Billion Dollar Fine

Facebook is negotiating a multi-billion dollar fine with the FTC over privacy probe

Facebook could be hit with a multi-billion dollar fine from the FTC (Federal Trade Commission) over its recent privacy lapses, according to a report from The Washington Post. The FTC has been investigating Facebook’s privacy and data-security practices since the disclosure last year that Facebook user data had been passed to Cambridge Analytica.

For those unaware, the Cambridge Analytica scandal involved the firm harvesting the data of millions of Facebook users without their knowledge or consent and using it to influence voters in several countries. Facebook had allowed thousands of app developers to collect data through third-party online games and quizzes; Cambridge Analytica then used that data to target American voters with emotionally tailored messaging. Facebook believes the personal data of as many as 87 million users was collected without their permission.

According to The Washington Post, Facebook and the FTC are negotiating a “multi-billion dollar” fine for the social networking giant’s privacy violations. However, the two sides haven’t agreed on an amount, as Facebook has allegedly disputed some of the FTC’s stipulations, The Washington Post said citing two unnamed sources.

Currently, the issue is whether Facebook is in violation of a 2011 consent agreement with the FTC, which required the social network to have a “comprehensive privacy program” and to get the “express consent” of users before sharing their data.

The fine could be the largest the FTC has ever imposed on a tech company. The previous record was the $22.5 million penalty Google paid for violating an earlier privacy agreement with the agency.

Both Facebook and the FTC have declined to comment on the issue.

Facebook to become world’s biggest ‘virtual graveyard’ by the end of this century

Facebook to become world’s biggest virtual graveyard

Have you kept your digital will ready, as about 8,000 Facebook users die daily

By the end of this century Facebook will host more profiles of dead people than of living users. The social network, which currently has over 2 billion users worldwide, is set to become the world’s ‘biggest virtual graveyard’ by 2098, as nearly 8,000 Facebook users die every day.

Currently, Facebook does not delete a dead user’s account automatically; instead it turns the account into a “memorialized” version. The only way to delete a dead person’s account outright is for someone who knows the password to log in and close it. Otherwise the account remains on the site.

So what happens to our digital possessions once we die? Situations like this should make digital platforms recognise the need to transfer digital assets, such as personal photos, videos and posts, to the family once a Facebook user has died.

“When someone dies leaving behind his email and social media accounts, the same are movable property and that being so, any heirs of the concerned person can seek right to access the same,” says Pavan Duggal, one of the nation’s top cyberlaw experts.

Facebook allows users to appoint a “Legacy Contact” before they die, which can either be a family member or a friend. “Once someone lets us know that a person has passed away, we will memorialize the account,” says Facebook.

Once the user passes away, the legacy contact can manage the page by writing a post to display at the top of the memorialized Timeline. The contact can even approve new friend requests, update cover and profile photo. If one wants, he or she may give legacy contact permission to download an archive of the photos, videos, wall posts, profile and contact info, friends list, and events they shared on Facebook.

However, the legacy contact will not be able to log in as the deceased user, read that person’s private messages, remove any of his or her friends or make new friend requests. Alternatively, one can notify Facebook of the member’s death and request that the account be permanently deleted.

A “digital heir” can keep precious social media moments of the deceased and gift those to future generations via tools such as an external hard disk, Cloud storage, pen drive or DVDs. The said heirs can ask the digital/social media companies to get access after giving the necessary proof.

“Invariably, the service provider may not be inclined to give such access without any requisite order from the court of competent jurisdiction. This could mean getting a succession certificate from a court of competent jurisdiction which could be a time-consuming process,” Duggal told IANS.

Besides Facebook, several other platforms, such as Twitter, Instagram, WhatsApp, Snapchat, YouTube and Reddit, also have millions of users.

For instance, Google, owner of Gmail, YouTube and Picasa web albums, has an “Inactive Account Manager” feature that allows you to inform Google what to do with your data after you pass away, whether you want to share it with family and friends or delete it altogether.

It allows a user to propose who has access to his or her information. If a user’s account has been inactive for a while, their accounts can be deleted or shared with a nominated person.

According to Twitter, “In the event of the death of a Twitter user, we can work with a person authorized to act on behalf of the estate or with a verified immediate family member of the deceased to have an account deactivated.”

However, Twitter says that “we are unable to provide account access to anyone regardless of his or her relationship to the deceased”.

Instagram, like Facebook, memorializes accounts. However, memorialized Instagram accounts cannot be changed and no one can log into the profile. Instagram asks the deceased user’s friends and relatives to get in touch via email, notify it of the death and submit proof. Apple iCloud and iTunes accounts, on the other hand, are “non-transferable”: when the user dies, any rights to the information in the account cease.

Facebook to integrate Whatsapp, Messenger and Instagram

Message between facebook, whatsapp, and instagram simultaneously

Don’t own any Facebook or WhatsApp account? no worries!


Mark Zuckerberg, the chief executive of Facebook, plans to integrate the messaging services of WhatsApp, Facebook Messenger and Instagram.

The move is intended to establish his control over the company’s sprawling divisions, after a period in which the company’s business was battered by scandals.

According to four people involved in the effort, the plan requires thousands of Facebook employees to reconfigure how WhatsApp, Instagram and Facebook Messenger function at their most basic levels, though all three services will continue to operate as stand-alone apps.

Zuckerberg has also said that all three apps will incorporate end-to-end encryption, so that messages cannot be read by anyone except the participants in the conversation.

Once the changes are in place, a Facebook user would be able to send an encrypted message to someone who has only a WhatsApp account. That is not possible today because the apps are separate.

By stitching the apps’ infrastructure together, Zuckerberg wants to increase the utility of the social network and keep its billions of users engaged inside its ecosystem.

The strategy resembles the one Apple has used to lock users into its ecosystem and shut out competitors.

If users interact more frequently with Facebook’s apps, the company may also be able to build up its advertising business, which is its main source of income, or add new services to make money, the people said.

In a statement, Facebook said it wanted to “build the best messaging experiences we can; and people want messaging to be fast, simple, reliable and private.” It added: “We’re working on making more of our messaging products end-to-end encrypted and considering ways to make it easier to reach friends and family across networks.”

It will be a considerable undertaking for Facebook in the near future.

Facebook and Airbus working on solar-powered drones connectivity project

Facebook and Airbus working on solar-powered drones

Facebook and Airbus plan to test solar-powered drones to connect remote areas to the internet

Facebook and aircraft manufacturer Airbus have collaborated on a drone connectivity project in Australia to beam internet access to remote areas, reports Germany’s Netzpolitik.

For those unaware, Facebook had halted its own solar-powered internet drone project, Aquila last June after years of development. Back then, the company had said that it would no longer build the drones. However, it added that it was still committed to the original goal of bringing more people online and for that it would instead depend on other companies to build aircraft.

Documents obtained by Netzpolitik under the Australian Freedom of Information Act show that the two companies planned to test the solar-powered drones in Australian territory. Airbus met with the Australian Civil Aviation Safety Authority (CASA) at least 18 times between March and September last year to obtain approval for the tests, and was finally issued a drone operator certificate on September 19, 2018.

The documents suggest that flights were planned for November and December 2018 at Wyndham airfield in Western Australia, with Facebook providing the drone’s payload. It is unclear whether any flights have taken place yet; according to the meeting minutes, delays in earlier tests had held the programme up.

The trials reportedly involve Airbus’ Zephyr drone, a model designed for “defense, humanitarian and environmental missions.” Airbus developed the Zephyr to provide internet connectivity to the ground from the stratosphere, about 30 kilometers up.

“We continue to work with partners on High Altitude Platform System (HAPS) connectivity. We don’t have further details to share at this time,” a Facebook spokesperson told NetzPolitik.

Both Facebook and Airbus have declined to provide further details. It is clear, however, that Facebook is aiming to increase internet access worldwide, particularly in developing regions such as Asia, Africa and Latin America and in remote areas, and to make internet service more affordable by using software and existing infrastructure.

Facebook is secretly working on a new meme hub app ‘LOL’ for teens

Facebook is working on a new meme hub app

Facebook secretly testing a meme hub app called ‘LOL’ to win teens over

Facebook is trying every possible means to woo back its lost audience of teenage smartphone users from other social platforms such as Snapchat, Instagram, YouTube, and TikTok.

After working on a dating app, the social media giant is now developing another app, dubbed ‘LOL’. The new platform is designed as a “special feed of funny videos and GIF-like clips” using content “pulled from News Feed posts by top meme Pages on Facebook,” according to a new report from TechCrunch.

“We are running a small scale test and the concept is in the early stages right now,” a Facebook spokesperson confirmed to TechCrunch.

The content will be divided into categories like “For You”, “Animals”, “Fails” and “Pranks”. Further, users will be able to choose from three reactions: “Funny,” “Alright,” or “Not Funny” that would appear under each meme.

Currently, around 100 high school students in the U.S., with their parents’ consent, are testing the LOL app and giving feedback to Facebook engineers.

“‘LOL’ is currently in private beta with around 100 high school students who signed non-disclosure agreements with parental consent to do focus groups and one-on-one testing with Facebook staff,” said the report.

Testers of the private beta say that LOL is slightly “cringey” and feels like Facebook trying, unsuccessfully, to stay young.

According to TechCrunch, LOL is presently being tested as a replacement for Facebook Watch. It is currently unclear if “LOL” will become a standalone app or be available in the main Facebook app.

This is not the first time Facebook has tried to lure a younger audience with its apps. In 2014 it launched ‘Slingshot’, a Snapchat clone that has since been abandoned. In late 2018 it introduced ‘Lasso’, a stand-alone short-video app to rival TikTok, which is apparently still available.

Facebook open sources Spectrum for efficient uploading of images

Facebook launches open-sourced Spectrum

Facebook launches open-sourced Spectrum for better mobile image production

Facebook has officially released an open source tool to the developer community to make the process of uploading images more efficient.

Dubbed “Spectrum”, the tool is a cross-platform image transcoding library that can be integrated into an Android or iOS project to perform common image operations efficiently. It aims to improve the reliability and quality of image uploads while reducing upload time and mobile data consumption.

“As modern smartphones capture high-resolution images, the large file size makes uploads unreliable on some mobile networks. Sending it at full resolution is often wasteful, as the content delivery network (CDN) will resize the image for the recipient anyway,” said Facebook mobile software engineer Daniel Hugenroth.

“Resizing the image on the sender’s device reduces the bandwidth required to send the image. As a result, the entire pipeline has minimal payload overhead, improving the end-to-end experience. The remaining challenge is how to maintain image quality while benefiting from the smaller file.”

Spectrum uses a “declarative” API that lets developers specify the desired output properties instead of the individual processing steps. It prefers lossless operations for cropping and rotating JPEG images, and for resizing it “optimizes the interplay between decoder sampling and pixel-perfect resizing.” The core is written in C/C++ for performance, with Java and Objective-C wrapper APIs to make integration easier.

Spectrum integrates with native image compression libraries, including MozJPEG, which allows control over encoding parameters beyond what the general-purpose platform APIs expose. Developers can opt into computationally intensive encoding that takes more processing time but significantly reduces file size, and can control advanced parameters such as chroma subsampling to improve the quality of images with sharp edges and illustrations.

“The consistent API makes these features accessible to developers who are not image experts,” Hugenroth added.

“We hope Spectrum will benefit developers in the same way it has helped Facebook create a better image production experience. In our apps, Spectrum has improved the reliability and quality of image uploads at large scale across our apps. The default integration with Mozilla JPEG allows a reduction of up to 15 percent in upload file size compared with a baseline encoder. We are excited to see how the community uses the Spectrum 1.0.0 library to improve the photo experiences in applications.”

The open source project ‘Spectrum 1.0.0’ is now available on GitHub code repository.

Facebook bug exposed unposted photos of 6.8 million users

Facebook accidentally exposed 6.8 million users’ private photos to developers

Facebook on Friday disclosed a bug that may have exposed unposted photos of as many as 6.8 million users.

According to the company’s developer blog, a bug in the photo API gave hundreds of third-party apps unauthorized access to the photos of as many as 6.8 million users for 12 days, between September 13 and 25. Up to 1,500 apps built by 876 developers may have been affected.

“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline,” engineering director Tomer Bar said in a message to developers.

“In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories.”

The bug also gave third-party apps access to photos that were never shared on a timeline, for example a photo someone uploaded to Facebook but did not finish posting, Bar added.

“We store a copy of that photo so the person has it when they come back to the app to complete their post,” he said.
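The permission model Bar describes, as an added example (constructed here, not Facebook’s code and not the actual cause of the bug): a photo permission is supposed to cover timeline photos only, and the defect class is a query that checks the permission exists but then filters by owner alone, so Marketplace, Stories and unfinished-upload photos come back too. The surface names come from the article; the permission name `user_photos`, the sample photo records and the function names are assumptions.

```python
"""
Added example (not Facebook's code): a constructed model of the kind of
scope check whose failure the article describes.  The photo "surfaces"
(timeline, Marketplace, Stories, unfinished upload) are the ones the article
names; the permission name, the photo records and the function names are
assumptions for this demo.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    surface: str      # where the photo was shared, or "draft" if never posted


# Constructed sample store.
PHOTOS: List[Photo] = [
    Photo(1, "alice", "timeline"),
    Photo(2, "alice", "marketplace"),
    Photo(3, "alice", "stories"),
    Photo(4, "alice", "draft"),        # uploaded but never posted
    Photo(5, "bob", "timeline"),
]

# Which surfaces each app permission covers (assumed).  user_photos is meant
# to cover timeline photos only, as the developer post quoted above says.
SCOPE_SURFACES = {"user_photos": frozenset({"timeline"})}


def photos_for_app_buggy(owner: str, granted: Set[str]) -> List[Photo]:
    """The defect modelled here: once *a* photo permission is present the
    filter is by owner only, so every stored photo of the user comes back."""
    if not (granted & set(SCOPE_SURFACES)):
        return []
    return [p for p in PHOTOS if p.owner == owner]


def photos_for_app_fixed(owner: str, granted: Set[str]) -> List[Photo]:
    """Enforce the permission at the object level: owner AND surface must
    both match what the granted scopes allow."""
    allowed: FrozenSet[str] = frozenset()
    for scope in granted:
        allowed |= SCOPE_SURFACES.get(scope, frozenset())
    return [p for p in PHOTOS if p.owner == owner and p.surface in allowed]


def overexposed_ids(owner: str, granted: Set[str]) -> Set[int]:
    """Photos the buggy path returned that the fixed path would not: the set
    a developer-facing clean-up tool would need in order to delete them."""
    buggy = {p.photo_id for p in photos_for_app_buggy(owner, granted)}
    fixed = {p.photo_id for p in photos_for_app_fixed(owner, granted)}
    return buggy - fixed


if __name__ == "__main__":
    print("buggy:", [p.photo_id for p in photos_for_app_buggy("alice", {"user_photos"})])
    print("fixed:", [p.photo_id for p in photos_for_app_fixed("alice", {"user_photos"})])
    print("to delete:", sorted(overexposed_ids("alice", {"user_photos"})))
```

The `overexposed_ids` difference is the shape of the remediation Bar announced: a tool that tells each developer which users’ photos their app should never have received, so they can be deleted.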

Bar added that potentially affected Facebook users will get a Facebook notification, which will direct them to a Help Center link where they will be able to see if they have used any apps that were affected by the bug.

“We’re sorry this happened,” Bar said. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”

Bar also suggested that users log into any apps with which they have shared their Facebook photos to check whether those apps have access to photos they shouldn’t.

Besides the Facebook photo API bug discovered in September, the social networking giant was also hit by another data breach the same month where data of some 30 million users were exposed to hackers as a result of a flaw in Facebook’s ‘View As’ feature.

UK Parliament Seizes Facebook’s Internal Documents

Facebook’s internal documents seized by the UK Parliament to investigate privacy practices

As a part of an investigation into the Cambridge Analytica scandal, the UK Parliament has used its legal powers to seize a cache of internal Facebook documents, according to The Observer, which first reported the story.

It is alleged that the documents contain significant revelations about Facebook decisions on data and privacy controls that caused the Cambridge Analytica scandal, including correspondence between Facebook CEO Mark Zuckerberg and company executives.

Damian Collins, chairman of the Commons Digital, Culture, Media and Sport (DCMS) Committee, used a rare parliamentary mechanism to compel Ted Kramer, founder of the US app company Six4Three, to hand over the documents while Kramer was on a business trip to London last week.

Kramer was sent a final warning, delivered by the serjeant at arms, giving him two hours to comply with the order.

When he failed to produce the documents within that deadline, he was escorted to Parliament and warned that he could face fines or imprisonment.

“We are in uncharted territory. This is an unprecedented move but it’s an unprecedented situation. We’ve failed to get answers from Facebook and we believe the documents contain information of very high public interest,” Collins said.

“We have very serious questions for Facebook. It misled us about Russian involvement on the platform. And it has not answered our questions about who knew what, when with regards to the Cambridge Analytica scandal.

“We have followed this court case in America and we believed these documents contained answers to some of the questions we have been seeking about the use of data, especially by external developers.”

Six4Three is involved in a legal case against Facebook in the U.S., where it obtained the documents through the court’s discovery process. The company had invested $250,000 in Facebook and claims that the social media giant exploited its privacy policy.

The social networking giant has asked the DCMS committee to refrain from reviewing those documents, as they are subject to a protective order in the U.S.

“The materials obtained by the DCMS committee are subject to a protective order of the San Mateo Superior Court restricting their disclosure,” Facebook told the Observer.

“We have asked the DCMS committee to refrain from reviewing them and to return them to counsel or to Facebook. We have no further comment.”

Since the files are subject to an order of the California superior court, they cannot be made public in the U.S.

However, the summons was issued in the UK, where Parliament has jurisdiction, so the Six4Three founder was obliged to hand over the documents. He is believed to have informed both Facebook and the Californian court.

Hack Facebook or Instagram accounts and get paid up to $40,000

Facebook to pay up to $40,000 for finding ways to hack Facebook or Instagram accounts

Facebook has been going through a rough patch this year after suffering two severe security breaches that affected millions of its users.

Although Facebook pays millions of dollars every year to researchers and bug hunters who find security holes in its products and organization, and has run its bug bounty program since 2011, it is still suffering breaches.

Now, in order to step up its efforts to tighten the security of the platform, Facebook on Tuesday announced in a post that it has increased the average payout for account takeover vulnerabilities so as “to encourage security researchers to work on finding high-impact issues”.

The announcement further read, “The researchers who find vulnerabilities that can lead to a full account takeover, including access tokens leakage or the ability to access users’ valid sessions, will be rewarded an average bounty of:

* $40,000 if user interaction is not required at all, or
* $25,000 if minimum user interaction is required.

“This change applies to all products owned by Facebook, including Instagram, WhatsApp, and Oculus.

“Further, we will not require a full exploit chain in cases where leveraging the vulnerability requires bypassing our Linkshim mechanism.

“While monetary reward may not be the strongest incentive for why bug bounty researchers hack, we believe it remains a strong motivator for our white hat researchers to invest time in helping us identify and mitigate vulnerabilities. We encourage researchers to share their proof of concept reports with us without having to also discover bypasses for Facebook defense mechanisms.

“By increasing the award for account takeover vulnerabilities and decreasing the technical overhead necessary to be eligible for bug bounty, we hope to encourage an even larger number of high-quality submissions from our existing and new white hat researchers to help us secure over 2 billion users.”

For those unaware, earlier this year, it was the Facebook–Cambridge Analytica data scandal where the personal information of 87 million Facebook users was harvested by Cambridge Analytica without their consent and used for political purposes.

Later, in September this year, Facebook discovered a major security issue that allowed hackers to steal access tokens, which could have let them take over around 50 million accounts.

Source: Facebook 
