Facebook Cookie Stealing And Session Hijacking
Definition:
The cookie which Facebook uses to authenticate its users is called "datr". If an attacker can get hold of your authentication cookies, all he needs to do is inject those cookies into his browser and he will gain access to your account. This is what a Facebook authentication cookie looks like:
Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc;
How To Steal Facebook Session Cookies And Hijack An Account?
An attacker can use a variety of methods to steal your Facebook authentication cookies, depending on the network he is on. If the attacker is on a hub-based network, he would just sniff traffic with any packet sniffer and gain access to the victim's account.
If the attacker is on a switch-based network, he would use ARP poisoning to capture the authentication cookies. If he is on a wireless network, he just needs a simple tool called Firesheep to capture the authentication cookie and gain access to the victim's account.
In the example below I will explain how an attacker can capture your authentication cookies and hack your Facebook account with Wireshark.
- 1- First of all, download Wireshark from the official website and install it.
- 2- Next, open Wireshark, click on Analyze and then click on Interfaces.
- 3- Next, choose the appropriate interface and click on Start.
- 4- After 10 minutes, stop the packet sniffing by going to the Capture menu and clicking on Stop.
- 5- Next, set the filter to http.cookie contains "datr" at the top left. This filter will search for all HTTP cookies named datr, and datr, as we know, is the name of the Facebook authentication cookie.
- 6- Next, right-click on it and go to Copy - Bytes - Printable Text Only.
- 7- Next you'll want to open Firefox. You'll need both Greasemonkey and the Cookie Injector script. Now open Facebook.com and make sure that you are not logged in.
- 8- Press Alt+C to bring up the cookie injector and simply paste the cookie value into it.
- 10- Now refresh your page and voilà, you are logged in to the victim's Facebook account.
- Note: This attack will only work if the victim is on an http:// connection, and even on https:// if end-to-end encryption is not enabled.
Countermeasures:
The best way to protect yourself against a session hijacking attack is to use an https:// connection each and every time you log in to Facebook, Gmail, Hotmail or any other email account. Your cookies would then be encrypted in transit, so even if an attacker manages to capture your session cookies he won't be able to do anything with them.
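From the site owner's side, the attack above works only when the session cookie is ever transmitted in plaintext, which the Secure attribute on Set-Cookie prevents. The audit below is an added example (not from the original post); the cookie names it treats as session-like and the sample headers are constructed, with `datr` taken from the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Names that usually carry an authenticated session. 'datr' is the name the
# post above gives; the rest are common patterns (constructed list).
SESSION_NAME_PATTERN = re.compile(r"(sess|sid|auth|token|datr)", re.IGNORECASE)


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split one Set-Cookie value into its cookie name and security attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite") or None,
    )


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Flag a session-like cookie that a sniffer on an http:// page could capture."""
    audit = parse_set_cookie(header_value)
    if SESSION_NAME_PATTERN.search(audit.name):
        if not audit.secure:
            audit.findings.append("missing Secure: sent over plaintext HTTP, sniffable")
        if not audit.httponly:
            audit.findings.append("missing HttpOnly: readable by page JavaScript")
        if audit.samesite is None:
            audit.findings.append("missing SameSite: attached to cross-site requests")
    return audit


# Constructed sample headers: the weak form and the hardened form of the same cookie.
WEAK_HEADER = "datr=EXAMPLE-VALUE; Path=/; Domain=.example.com"
HARDENED_HEADER = WEAK_HEADER + "; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for hdr in (WEAK_HEADER, HARDENED_HEADER):
        result = audit_set_cookie(hdr)
        print(result.name, result.findings or "ok")
```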
Facebook Faces Class Action Lawsuit For Alleged Interception Of Private Messages To Provide Data To Marketers.

Facebook (NASDAQ:FB) has become the latest Internet company to be sued by users for intercepting private messages and sharing the data with marketers for profit.
A lawsuit, filed Monday in U.S. District Court for the Northern District of California, claims that Facebook systematically scans users' private messages and reads URLs shared through messages by intentionally intercepting electronic communications, adding that, by doing so, the social networking giant has violated the Electronic Communications Privacy Act and California's privacy laws.
"Representing to users that the content of Facebook messages is 'private' creates an especially profitable opportunity for Facebook," the complaint said, adding that by giving the impression that its free message service is free from surveillance, Facebook is misleading its users into giving information that they might not have shared had they known it would be intercepted.
“This practice is not done to facilitate the transmission of users’ communications via Facebook, but because it enables Facebook to mine user data and profit from those data by sharing them with third parties – namely, advertisers, marketers, and other data aggregators,” the complaint stated.