Red Corner Notice : FBController allows for hijacking of Facebook accounts

A computer security enthusiast in India has released a tool designed to allow people to take complete control of strangers’ Facebook accounts if they can get hold of the targets’ session cookies. It also could be used to manage large quantities of hijacked accounts.

FBController analyzes the communications that Facebook has with computers when they interact with the site and uses that information, along with the cookie data, to allow for accounts to be hijacked, said 26-year-old Azim Poonawala, who wrote the tool and provides details on his blog.

Cookies, meanwhile, can be obtained using network sniffing, cross-site scripting exploits, social engineering, and via open proxies where cookies are logged, he said in a recent interview over chat.

Poonawala, who goes by the alias “Quaker Doomer,” said he wrote the tool as a proof of concept and because “writing network-related gray hat tools has always been an adrenalin rush.”

Jeremiah Grossman, chief technology officer of WhiteHat Security, said he believed the purpose of the tool is to manage control over large numbers of accounts rather than merely hijack accounts one at a time.

“This is much easier than using a browser to log in and modify accounts individually,” Grossman said in an e-mail. “The mere existence of such a tool leads me to believe that huge numbers of FB accounts are and continue to be compromised and the bad guys need to scale their access.”

Facebook spokesman Barry Schnitt said the company is aware of the tool and that it does not impact the firm’s ability to detect potentially malicious behavior.

“We have systems to detect phished or fake accounts on many different points, including at point of compromise, point of creation, point of login, and point of a spam send, among others,” Schnitt said. “Multiple accounts taking the same action, at the same time, as this tool enables, can actually make this detection easier.” Poonawala said his intention in creating FBController was not to allow control of multiple accounts, although “it can definitely be misused by bad guys to achieve that since it is free.”

abhijeet on Facebookabhijeet on Linkedinabhijeet on Twitter
Abhijeet specializes in developing software. A full-stack developer and Entrepreneur, he takes an idea and crafts it into a beautiful product - front to back. He develops on the LAMP Stack (PHP, MVC, Web API, Perl, Python, Azure, AWS, Google Cloud) and utilizes AngularJS and Angular Material for a structured client. Abhijeet is a self-starter with experience working in remote, agile environments mainly focusing on the security constraints. This is the developer, Project Manager and Consultant you are looking for.