Information Security Blog | Cyber Security Blog

Sreejith C


Instant messaging is a blessing and a curse. It’s a convenient way to keep in touch with friends from all over the world but it also means whatever you say will stay online forever. You can’t exactly erase anything you regret sending, especially not from the receiver’s end. Or can you? Researchers from security vendor Check Point found a way to do so through a vulnerability on Facebook’s popular Messenger app.

How many times have you said something stupid, be it carelessly or in a fit of rage, over a message online that you regretted almost instantly after pressing the send button? You desperately want to retract it, but you can’t. Even if you delete it off your own chat log, the recipient still has it on their chat history. There’s really no way to erase a sent message on your own on most if not all online chatting apps and Facebook Messenger is no exception.

But researchers at Check Point found a vulnerability that could let someone do this. According to the company, the security flaw gives attackers a way to change conversation threads on Facebook Online Chat and Messenger App. You can modify or remove any sent messages, photos and files from somebody’s chat history.

Having said that, if you’ve had foot-in-mouth and really hurt someone with your words, it’s probably not wise to hack their account to wipe away the evidence.

From a more practical perspective, considering Facebook wants to turn Messenger into a serious business tool, this could give attackers incentive to exploit these types of security flaws. According to Check Point, here are some potential scenarios:

  • Malicious users can manipulate message history as part of fraud campaigns. A malicious actor can change the history of a conversation to claim he had reached a falsified agreement with the victim, or simply change its terms.
  • Hackers can tamper, alter or hide important information in Facebook chat communications which can have legal repercussions. These chats can be admitted as evidence in legal investigations and this vulnerability opened the door for an attacker to hide evidence of a crime or even incriminate an innocent person.
  • The vulnerability can be used as a malware distribution vehicle. An attacker can change a legitimate link or file into a malicious one, and easily persuade the user to open it. The attacker can use this method later on to update the link to contain the latest C&C address, and keep the phishing scheme up to date.

Ever wonder how to hack Instagram or how to hack a Facebook account? Well, someone just did it!

But remember, even responsibly reporting a security vulnerability could end in legal action being taken against you.

An independent security researcher claims he was threatened by Facebook after he responsibly revealed a series of security vulnerabilities and configuration flaws that allowed him to successfully gain access to sensitive data stored on Instagram servers, including:

  • Source Code of Instagram website
  • SSL Certificates and Private Keys for Instagram
  • Keys used to sign authentication cookies
  • Personal details of Instagram Users and Employees
  • Email server credentials
  • Keys for over a half-dozen critical other functions

However, instead of paying him a reward, Facebook has threatened to sue the researcher for intentionally withholding flaws and information from its team.

Wesley Weinberg, a senior security researcher at Synack, participated in Facebook's bug bounty program and started analyzing Instagram systems after one of his friends pointed him to a potentially vulnerable server located at sensu.instagram.com.

The researcher found an RCE (Remote Code Execution) bug in the way it processed users’ session cookies that are generally used to remember users' log-in details.

The remote code execution bug was possible due to two weaknesses:

  • The Sensu-Admin web app running on the server contained a hard-coded Ruby secret token.
  • The host was running a version of Ruby (3.x) that was susceptible to code execution via the Ruby session cookie.

Exploiting the vulnerability, Weinberg was able to force the server to vomit up a database containing login details, including credentials, of Instagram and Facebook employees.

Although the passwords were encrypted with ‘bcrypt’, Weinberg was able to crack a dozen passwords that had been very weak (like change me, instagram, password) in just a few minutes.


Social media giant Facebook has paid a $10,000 reward to a 10-year-old Finnish boy for finding a glitch in its picture sharing app Instagram.

Jani, whose last name was not released for privacy reasons, is the youngest ever recipient of Facebook's "bug bounty", paid to users who find bugs or weaknesses in its platforms.

"I wanted to see if Instagram's comment field could stand malicious code. Turns out it couldn't," Jani told Finland's Iltalehti newspaper.

Facebook said the glitch was fixed in February and the reward was paid in March.

Jani, who is still too young to have a Facebook or Instagram account of his own, said he learned coding from YouTube videos and found a way to delete user comments from Instagram accounts.

"I could have deleted anyone's comments from there. Even Justin Bieber's," he told Iltalehti.

He said he was thinking about a career in data security, but for now his plans include buying a new bike and a football with his reward money.


Facebook is in trouble once again regarding its users' privacy.

  Facebook is facing a class-action lawsuit in Northern California over allegations that the company systematically scans its users' private messages on the social network without their consent and makes a profit by sharing the data with advertisers and marketers.

  According to the lawsuit filing, Facebook might have violated federal privacy laws by scanning users' private messages.

  Facebook routinely scans the URLs within users' private messages for several purposes like anti-malware protection and industry-standard searches for child pornography, but it has been claimed that the company is also using this data for advertising and other user-targeting services.

  The plaintiffs, Matthew Campbell and Michael Hurley, argue that Facebook is scanning and collecting URL-related data in a searchable form, violating both the Electronic Communications Privacy Act and the California Invasion of Privacy Act, The Verge reported.

  Facebook argues that the company scans users' private messages in bulk, and maintains the URL records in an anonymized way, which is only used in aggregate form.

  However, according to a technical analysis done on behalf of the plaintiffs, each URL-related message is stored in "Titan," a private message database that displays the date and time the message was sent, along with the user IDs of both the sender and the recipient.

  However, it turns out that Facebook used this practice in the past, but the company claimed to have stopped such practices a long time ago.

   "We agree with the court's finding that the alleged conduct did not result in any actual harm and that it would be inappropriate to allow plaintiffs to seek damages on a class-wide basis," a Facebook spokesperson told CNET.

  "The remaining claims relate to historical practices that are entirely lawful, and we look forward to resolving those claims on the merits."

  However, according to the plaintiffs, Facebook is still continuing to collect links from users' private messages.

  "Facebook's source code not only reveals that Facebook continues to acquire URL content from private messages, but that it also continues to make use of the content it acquires."

   Meanwhile, you can check out the lawsuit here. The lawsuit was originally filed in 2012 and for now, the case is expected to proceed.

  Plaintiffs have until June 8 to file an amended complaint, following a scheduled conference toward the end of the month.