May 6, 2009 1:56 PM PDT

FBController allows for hijacking of Facebook accounts

by Elinor Mills

Azim Poonawala, aka QuakerDoomer, author of FBController.

(Credit: Azim Poonawala)

A computer security enthusiast in India has released a tool designed to allow people to take complete control of strangers' Facebook accounts if they can get hold of the targets' session cookies. It also could be used to manage large quantities of hijacked accounts.

FBController analyzes the traffic exchanged between Facebook and a user's computer during a session and uses that information, together with the stolen cookie data, to take over the account, said 26-year-old Azim Poonawala, who wrote the tool and provides details on his blog.

Cookies, meanwhile, can be obtained using network sniffing, cross-site scripting exploits, social engineering, and via open proxies where cookies are logged, he said in a recent interview over chat.

Poonawala, who goes by the alias "Quaker Doomer," said he wrote the tool as a proof of concept and because "writing network-related gray hat tools has always been an adrenalin rush."

Jeremiah Grossman, chief technology officer of WhiteHat Security, said he believed the purpose of the tool is to manage control over large numbers of accounts rather than merely hijack accounts one at a time.

"This is much easier than using a browser to log in and modify accounts individually," Grossman said in an e-mail. "The mere existence of such a tool leads me to believe that huge numbers of FB accounts are and continue to be compromised and the bad guys need to scale their access."

Facebook spokesman Barry Schnitt said the company is aware of the tool and that it does not impact the firm's ability to detect potentially malicious behavior.

"We have systems to detect phished or fake accounts on many different points, including at point of compromise, point of creation, point of login, and point of a spam send, among others," Schnitt said. "Multiple accounts taking the same action, at the same time, as this tool enables, can actually make this detection easier."

Poonawala said his intention in creating FBController was not to allow control of multiple accounts, although "it can definitely be misused by bad guys to achieve that since it is free."

This is a shot of an FBController screen.

(Credit: Azim Poonawala)

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by Eddie-c May 6, 2009 2:16 PM PDT
"It's an adrenalin rush". What an idiot.
by amber0728 May 6, 2009 3:21 PM PDT
Azim must translate into 'Tool'
by SeizeCTRL May 6, 2009 3:53 PM PDT
Well, at least he isn't answering a phone at a call center ;) There is a certain thrill in figuring out things like this. It's been at least 15 years since I used to tinker around with the whole hacking/phreaking stuff, but I can see where he is coming from.
by shootfirst May 6, 2009 4:04 PM PDT
What do you think he is doing while he is reading off the script in the call center? Also, who cares about a compromised Facebook account? I don't even see why we should be concerned. Only an idiot uses Facebook for something other than a few laughs and to meet guys pretending to be girls, so who really cares; at least it isn't something important like Twitter.
by fun2program8 May 7, 2009 4:10 AM PDT
Congrats to the guy for revealing more security flaws before the bad guys get to them. Now Facebook is going to be twice as motivated to fix the bugs before real "crackers" get their hands on a FBController+virus utility.
by Harrison912 May 7, 2009 12:01 PM PDT
As a website owner of safety and security products using Facebook as one of my social marketing venues, this is a bit disturbing, but it sounds like Facebook has it under control. Thanks, Elinor, for this information.
by royc May 7, 2009 4:22 PM PDT
This says 6 comments but none can be read.

Can anyone read this one???

This story makes me glad I don't have a FB account. :(