New Utility Allows You to Control Facebook Accounts Without the Password

FBConTroller v2.0 was released late yesterday.  As the author clearly states, FBController does not, nor can it, hack into a Facebook account.  What it CAN do though is to control a Facebook account (write on one’s own wall, others wall, retrieve profile page, retrieve friends list and even attempts to retrieve inbox and send messages) without having to have the password for the account.  Instead of the password, it simply needs the Facebook cookie values for an account.  As we discussed in my #heweb presentation, once you identify a Cross-Site Scripting (XSS) vulnerability, it is simple a matter to capture a victim’s cookies.  As theharmonyguy pointed out last month in his Month of Facebook Bugs, a huge number (9700) of Facebook applications are riddled with security holes, with XSS being the most common.

Armed with the list of vulnerable Facebook applications, and FBConTroller, an attacker can potentially harvest a huge number of Facebook cookies. From there s/he could spam the accounts users/friends, sending them links to other compromised sites or to download malware.  If you are an admin of your University’s Facebook page/group, be very paranoid about which facebook applications you use, or simply don’t use any at all.

cc New Utility Allows You to Control Facebook Accounts Without the PasswordPhoto by Aaron Landry

  1. Email Management: 10 Rules For Taking Back Control of Your Inbox
  2. University Twitter Accounts: Spring Cleaning
  3. Setting Up Webmaster Tool Accounts

This post was written by 

The content of this post is licensed: ©2009 All Rights Reserved

EduGuru
EduGuru
October 21, 2010
Snapchat Self-Serve Advertising for Colleges and Universities EDU Update: Facebook Messenger Ads 7 Edtech Companies Supporting Student Success

Back to all Blogs