
Posts

Showing posts from January, 2014

Hacking Facebook Connect

TL;DR: Every website with "Connect Facebook account and log in with it" is vulnerable to account hijacking. Every website relying on signed_request (for example the official JS SDK) is vulnerable to account takeover as soon as an attacker finds a 302 redirect to another domain.

I don't think these will be fixed, as I've heard from the Facebook team that it will break compatibility. I really wish they would fix it though; as you can see below, I feel these are serious issues. I understand the business reasons why they might choose so, but from my perspective, when you have to choose between security and compatibility, the former is the right bet. Let me quickly describe what these bugs are and how you can protect your websites.

CSRF on facebook.com login to hijack your identity. It's a higher-level Most-Common-OAuth-Vulnerability (we attached the Attacker's Social Account to the Victim's Client Account), but here even Clients using "st

Twitter Increase Followers Hack

It seems there is a bug in Twitter's web application. The bug allows anyone to increase their followers count. This can be achieved by performing the following steps:

1. Login with any Twitter account, other than the account whose followers need to be increased.
2. Go to the Twitter account page whose followers need to be increased (twitter.com/handle).
3. Continuously click on the follow button beneath the Twitter header image.

Clicking takes a lot of time, so I used the following script to generate click events:

setInterval(function(){ $(".user-actions-follow-button").click(); },10);

Now, instead of doing step 3, open up the JavaScript console in any browser and execute the above script. You will see that the followers count starts increasing. The followers increase until the daily follow limit is reached. Now you may check that account from your phone or any other browser, and the followers count would have increased. The changes in the co

Google Alert - White Hackers

News: 1 new result for White Hackers

Is now the time to invest in cyber security? (Fox Business) IT'S INTERESTING JOHN MENTIONED THE WHITE HAT HACKERS AND MENTIONED LAW ENFORCEMENT AND WE TALK ABOUT THE FACT ... See all stories on this topic »

Google Alert - White Hackers

News: 10 new results for White Hackers

Can Snapchat Recover from Hack Attack? (Fox Business) Just one week after being warned of its vulnerabilities by a group of white-hat hackers, Snapchat found itself the target of an attack. Late Tuesday, 4.6 ... See all stories on this topic » Sydney Morning Herald

Hackers Attack Snapchat To "Raise Awareness" About Security (Fast Company) "Security matters as much as user experience," say the white-hatted hackers, who are hoping their actions will force Snapchat to fix the hole. By Addy ... See all stories on this topic » Fast Company

Millions of Snapchat users' private information released by hackers (Herald Sun) The vulnerability was first found and published in August by an anonymous Australian collective of "white hat" hackers, Gibson Security, along with ... See all stories on this