May 6, 2009 1:56 PM PDT

FBController allows for hijacking of Facebook accounts

by Elinor Mills

Azim Poonawala, aka QuakerDoomer, author of FBController.

(Credit: Azim Poonawala)

A computer security enthusiast in India has released a tool designed to allow people to take complete control of strangers' Facebook accounts if they can get hold of the targets' session cookies. It also could be used to manage large quantities of hijacked accounts.

FBController analyzes the communications that Facebook has with computers when they interact with the site and uses that information, along with the cookie data, to allow for accounts to be hijacked, said 26-year-old Azim Poonawala, who wrote the tool and provides details on his blog.

Cookies, meanwhile, can be obtained using network sniffing, cross-site scripting exploits, social engineering, and via open proxies where cookies are logged, he said in a recent interview over chat.

Poonawala, who goes by the alias "Quaker Doomer," said he wrote the tool as a proof of concept and because "writing network-related gray hat tools has always been an adrenalin rush."

Jeremiah Grossman, chief technology officer of WhiteHat Security, said he believed the purpose of the tool is to manage control over large numbers of accounts rather than merely hijack accounts one at a time.

"This is much easier than using a browser to log in and modify accounts individually," Grossman said in an e-mail. "The mere existence of such a tool leads me to believe that huge numbers of FB accounts are and continue to be compromised and the bad guys need to scale their access."

Facebook spokesman Barry Schnitt said the company is aware of the tool and that it does not impact the firm's ability to detect potentially malicious behavior.

"We have systems to detect phished or fake accounts on many different points, including at point of compromise, point of creation, point of login, and point of a spam send, among others," Schnitt said. "Multiple accounts taking the same action, at the same time, as this tool enables, can actually make this detection easier."

Poonawala said his intention in creating FBController was not to allow control of multiple accounts, although "it can definitely be misused by bad guys to achieve that since it is free."

This is a shot of an FBController screen.

(Credit: Azim Poonawala)
