Go4Expert (http://www.go4expert.com/)
-   Ethical hacking Tips (http://www.go4expert.com/articles/ethical-hacking-tutorials/)
-   -   Social Networks - Safe or a Trap? Case Study. (http://www.go4expert.com/articles/social-networks-safe-trap-study-t21209/)

indiansword 5Mar2010 16:29

Social Networks - Safe or a Trap? Case Study.


These days Social Networks are not just way to find your friends & stay connected. Now days they've become an important tool of marketing for all the people who main blogs, websites, forum etc. If you are a user who has been on Social Networks since a long time, I am sure you'd say that Social Networks aren't for people anymore, they are for spammers! I have been analyzing few Social Networks in last few weeks as a part of a project that I was working on. RESULTS WERE SHATTERING! Here in this article I am going to talk about some points which would make you look at Social networks in different way!

Little About the Case I was working on:

I was assigned on a case by one of my friends who works with Mumbai Cyber Cell, which is basically Internet Cops, but unfortunately they are not equipped and knowledgeable to solve some high profile thefts & scams. There was this lady who was wife on a big Business Tycoon in Mumbai. I can not disclose specific names due to confidentiality. So this lady's Facebook account was hacked. She had about 800 friends in her account, most of them were millionaires & rest were business friends. So the attacker who broke into the account, sent messages to all her friends saying that "Help me help the poors, send your donations via Moneygram OR Western Union". Almost 7 Lacs were stolen on the name of Donation just in 5 days & this lady didn't have a clue whats going on.

Until, one day one of her friends were talking to her on cell phone and she asked her as in what happened to the charity and how is it going, that's when she got to know whats going around. Recovering money was taken care by Local Cops, but the task to understand how it could happen was assigned to me.

My Steps

  1. Trojans, keyloggers, malwares?

    First of all I had to understand if it was a hack into victim's direct computer OR only just specific to Facebook account. I had a chance to analyse HDD of victim & after checking the HDD , registry strings, it seemed that there was no infection of malware, trojan, keylogger etc. Neither there was any network spoofing done remotely. So it was clear that the BOX wasn't hacked & the hack was specific to Facebook account.

  2. 0days & exploits of facebook?

    Later on, I was given access to the Facebook account. I started my work with searching for any latest 0days found for facebook. Because in most of this cases, attackers use 0days which are not patched on the websites. Surprisingly, on that time there was 0days released. All available exploits, were already fixed.

  3. Phishing?

    Victim was novice computer user. So I spoke to her regarding if she was remembered something where she was asked to confirm the username & password before she could view next Facebook page. But she said, that she haven't used Facebook in last few days and couldn't think of any such thing happening. I had to assume that it wasn't a phishing attack, as it was difficult to make the victim understand about phishing. Also, she confirmed that there wasn't any other account with the same password of facebook.

  4. Something new in facebook?

    Since there wasn't any known attack on her, it was getting difficult to identify the cause. I started analysing her Facebook usage patterns. Turns out that most of the time she would be playing games and other stuffs using Facebook application. There were about 5 applications which were installed in her Facebook account.

  5. Inside of Facebook applications:

    After some research & talking to few friends who developed few applications for Facebook in past, It was easy to understand that most of the applications are designed by an individual & team of individual, who are not really concerned with the security issues that might occur. SInce there only 4 applications listed in her profile, it was not raelly tough to go through them one by one. SURPRISINGLY, each of them had one or other vulnerability.

Ultimately, after going through each and every applications, I got to know that the method that was used is knows as "REDIRECTION VULNERABILITY". In this vulnerability the actual website i.e. facebook.com, redirects the user to that application. But an attacker can modify the URL and redirect the user wherever he wants. A tutorial about redirection vulnerability is posted HERE.

So there is this application called "Quel endroit le plus absurde serait parfais pour vos debats sexuels". Using this redirection vulnerability, victim was sent to a COOKIE STEALING PAGE, which sent the cookie to attacker & after victim was redirected back to facebook. So it is acceptable, that novice users would not even understand what exactly happened. Using these cookies, attacker used to login to the account and talk to victim's friends for charity! AND MY JOB IS DONE :).

Should we use Social networks or not?

After completing this task, it made me think how safe is it for people to use Social Networks. Forget about the spammers & marketing people, I am talking about all legit and novice people who just use it to talk to friends. SURPRISING thing was, 4 out of 4 applications that I tested, turned out to have some or other vulnerability in them.

So after working on it, I can recommend to everyone who is reading this as below:

"Use social networks, there is nothing wrong in them. These social networks are big companies & they have a dedicated team for security. So there are not many things that a hacker could take advantage of. BUT, the applications in them are made by starters, individuals & small timers. These application developers do not really care about the security, all they want is, people to use this application so they can get some advertisements to put on the applications and make some bucks out of it. They really are never concerned about the consequences. Amazing part is, even Facebook allows all the application to be released before getting them tested to their own satisfaction."

I hope you'all found this article interesting. If yes, then comments and questions welcome! I worked really hard to solve this case for about 3 weeks. Ultimately, I was mentally satisfied with what I have done. This attack proves that Hacking Attacks change for every hacker :). I have listed the detailed information about this vulnerability HERE.

Bhullarz 8Mar2010 03:52

Re: Social Networks - Safe or a Trap? Case Study.
Good One. But I must say social networking is like a knife. It can be useful as well as harmful too..
I am also great fan of social networking... its a great thing for people like me who can not move out of the office to see my friends. Just sitting in my office / home, I am able to share my pics, videos, thoughts, etc... with my friends. It makes me feel like I am there with my friends. Its really nice to be part of social network. Just little careful usage can make anyone protected from the damage.
1. Do not use public computers
2. For passwords, use Virtual Keyboards
3. Try to use HTTPS protocol for login, if possible
4. Install PAID Security System for Computers
5. Do not share passwords with anyone.
6. Before responding to mail from social networking site, confirm the Correct URL in ADDRESS BAR.

I think these precautions are enough for being safe on our side. If website is hacked, then we can not do anything..

hanleyhansen 8Mar2010 07:14

Re: Social Networks - Safe or a Trap? Case Study.
This is very good info. I encountered a few applications on facebook as well with some vulnerabilities. In the end I think it all comes down to the brains of the user. The more you protect yourself, the less likely you are to fall for something like this. Good stuff.

hanleyhansen 8Mar2010 07:21

Re: Social Networks - Safe or a Trap? Case Study.
The SecWorm forum looks pretty cool. Tell me a little about it.

indiansword 8Mar2010 13:56

Re: Social Networks - Safe or a Trap? Case Study.
I dont this giving info here would be appropriate lol. Be in the community to know more abt it.

hanleyhansen 8Mar2010 18:38

Re: Social Networks - Safe or a Trap? Case Study.
Lol. I mean what's it about like its primary focus.

fourthdimension 9Mar2010 01:43

Re: Social Networks - Safe or a Trap? Case Study.
Nice case study.

indiansword 9Mar2010 02:30

Re: Social Networks - Safe or a Trap? Case Study.

Originally Posted by hanleyhansen (Post 65331)
Lol. I mean what's it about like its primary focus.

SecWorm Network is a place where we bunch of Professional Security Experts release Programming, Ethical Hacking articles, tutorials, tools, videos etc for Hacking Awareness.

indiansword 9Mar2010 02:32

Re: Social Networks - Safe or a Trap? Case Study.
Lol, sorry guys a lot of TYPOs in the article that i just noticed.

Toddie 9Mar2010 20:05

Re: Social Networks - Safe or a Trap? Case Study.
great article and well written.

I have always known that third party applications (on forums too) are the most vulnerable to exploits. for the obvious reasons that both the main developer is not working with the third party vendor and updates are far and few between.

my biggest concern with social networking sites is BIG BROTHER.
you are being profiled, categorized and in a nutshell, spied on.

EDIT: 2 months and that facebook exploit still not fixed hahaha
they do not have to touch the application itself, it is xss vulnerability via url and they could put a filter on that

p.s. what kind of idiot tricks people into sending money to his account?
the kind that gets caught. never leave a trail!

it is nearly impossible to steal money via hacking because you have to withdrawl it at some point and thats traceable.
I cant believe someone actually tried this.

All times are GMT +5.5. The time now is 02:04.