Facebook users be careful!

The group broke WPA using a farm of PS3 consoles IIRC :D

But yeah, the person said they used a backdoor to find my password so I'm just trying to figure out at which point they gained access :/

If my machine was compromised then it seems illogical to only compromise my Facebook account and not my machine itself or my googlemail / MSN etc.

Maybe whoever compromised your machine had a slow day and wanted an excuse for conversation?
 
My machine wasn't compromised. Nothing connected to my router was in fact.
 
If this guy retrieved your password without having to change it himself then 99.9% you gave it to him via a phishing form or the like. The only other way would be to break the hash straight off FB's password database which obviously he hasn't.

Taking advantage of an authenticated session via cookies/XSS etc is a different matter. This would allow him to perform actions which you could do yourself given a logged in session such as request a password change, but he wouldn't be able to retrieve your current password.
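To make the distinction above concrete (and the hashing point raised later in the thread), here is an added toy model that is not code from the forum or from Facebook: a stolen session token lets the holder act as the user, but the server holds only salted hashes, so the password cannot be read back, and changing it requires proving the current one. The class and method names are my own assumptions.

```python
"""Toy model of session-vs-password compromise (illustration only).
Assumes: passwords stored as salted PBKDF2 hashes, sessions as random
tokens, and a password change must re-prove the current password."""
import hashlib
import os
import secrets


class AuthServer:
    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 digest); no plaintext
        self._sessions = {}  # session token (the "cookie") -> username

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        """Return a fresh session token on success, else None."""
        salt, stored = self._users.get(user, (None, None))
        if salt is None or not secrets.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def whoami(self, token):
        # Anyone holding the token is treated as the user: this is what a
        # cookie theft or XSS hijack buys an attacker.
        return self._sessions.get(token)

    def change_password(self, token, current_password, new_password):
        """Mitigation: the token alone is not enough; the caller must also
        know the current password. All sessions are revoked on success."""
        user = self._sessions.get(token)
        if user is None:
            return False
        salt, stored = self._users[user]
        if not secrets.compare_digest(stored, self._hash(current_password, salt)):
            return False
        self.register(user, new_password)
        self._sessions = {t: u for t, u in self._sessions.items() if u != user}
        return True
```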
 
Well like I said above, I've not logged into FB through any other means other than the proper URL bookmarked so it's a mystery.
 
So explain how someone gets phished by using a legitimate link already bookmarked and an OS that is free from any trojans, viruses, rootkits etc?

I'm intrigued.

1. Which OS do you use?
2. Are you running as Administrator?
3. If on Vista, is UAC disabled?
4. Are you using Noscript on Firefox?
5. Are your settings locked down in Firefox? 'Remember Passwords', 'Always Clear my Private data..' etc.
6. Have you ever had other tabs open when you visited Facebook?
7. UPnP enabled on your router / modem?
 
I'd be very surprised if FB were silly enough to store passwords plaintext in cookies, or to send passwords plaintext 'over the wire'. It's really not hard to avoid both of those - this very forum, for example, does at least basic (non-reversible) hashing of passwords in both cases.

I think there's something important you're missing/forgetting/ignoring. Have you ever logged on to FB from a PC that wasn't your own, for example?
 
Nope, I never use anyone else’s PC to log onto anything online of mine – if I do then I remote desktop onto my home PC and do it via my own PC over RDP. I use either my laptop or my desktop 99% of the time and they both share the same settings and protection software.
I really don’t think my machine was compromised in any way; the 3 scans with 3 different engines verify this, as does the fact that TCPView showed no established connections from unknown addresses or unknown services and programs.
My mailbox account activity history didn’t show any access from any IP other than mine, and my router had no other logs of anyone connecting to it.
I am more inclined to come to the conclusion that some form of session cookie exploit was used now, after thinking about point 6 below, and perhaps even in conjunction with a Facebook application exploit (Paul Rogers may even be a real legit person who has had his account hacked, for example, and is a friend of one of my contacts in FB, and this is how the hacker picked me out – I don’t know).
1. Which OS do you use? = Vista64

2. Are you running as Administrator? = Yes, I do too many regular changes to be using a limited account and constantly switching back and forth.

3. If on Vista, is UAC disabled? = Enabled in quiet mode

4. Are you using Noscript on Firefox? = no, it interferes with some sites I found in the past

5. Are your settings locked down in Firefox? 'Remember Passwords', 'Always Clear my Private data..' etc. = Temp files are cleared from time to time, History of 7 days only is set.

6. Have you ever had other tabs open when you visited Facebook? = Yes, and this is where perhaps they gained my FB password, if Facebook truly wasn’t the original source, by use of session cookie monitoring on a compromised website? (I don’t browse dodgy sites btw, just my usual array of regular browsing sites, but I cannot confirm if at any one point one of those sites was compromised or not.)
7. UPnP enabled on your router / modem? = No, only uTorrent port (randomly generated every few weeks) and RDP port 3389 forwarded to my machine. Router Firewall filters are enabled (anonymous requests, port scans, ident and multicast). Windows firewall is also enabled as default.
And so it remains a mystery....
 
I've had a few warnings while using Facebook in the last few days which reminded me of this topic; I was only browsing Facebook at the time these occurred.

Virus or unwanted program 'HTML/Crypted.Gen [virus]'
detected in file 'C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera\Opera\profile\cache4\opr0RTEJ.
Action performed: Delete file

HTML/Crypted.Gen

Description:
To avoid detection by antivirus software, authors of HTML malware use browser features like Java and VisualBasic Script. These scripts are small and very often quite simple encryption routines hiding the malicious parts of the script. Encrypted malware is detected as HTML/Crypted.Gen.

Something is obviously hiding itself somewhere; next time it happens I'll capture the actual page as well, as this has only happened twice in the last week.
 
What AV package detected that gaz?

I'd be interested in finding out!

It makes sense I suppose; say for example someone pasted something on their Super Wall page in Facebook that contained such code - it would effectively execute for anyone who viewed that person's profile page (and thus, Super Wall).

It's actually quite alarming thinking about it how easy it could be for an attacker to reach so many people through an easy method of exploit if this is the case.

Super Wall was one of the applications I removed at time of posting btw so hopefully that's that out of mind for now!

I think I will reinvestigate NoScript and see if it still causes issues like it did last time I tried it. If the type of scripting you've posted was the cause then NS would pick that up wouldn't it?
 
I think I will reinvestigate NoScript and see if it still causes issues like it did last time I tried it. If the type of scripting you've posted was the cause then NS would pick that up wouldn't it?

Sounds like a good idea. I've visited websites that superficially appear to be reputable and clean, only for Noscript to popup a message informing me that some XSS related hijack attempt was blocked.
 
Good stuff!

Been using it on my laptop at work since my last post and so far so good, remote desktopped to my machine back home and installed it there and also so far so good!

I guess now I need to just spend the next few weeks adding whitelists to trusted sites and blocking any ad scripts and unknown scripts and go from there :)
 
Nope, I never use anyone else’s PC to log onto anything online of mine – if I do then I remote desktop onto my home PC and do it via my own PC over RDP.
That only goes so far. If the PC you're connecting from has a keylogger installed they can still record what you're typing, but unless there's also an obvious account name or URL there too, they'll have trouble working out what the password is for.

I've seen one of my friends' blogs get hijacked. As they didn't update it much, they didn't have a clue it had happened until Google flagged it up as an unsafe site, so a site you'd think of as perfectly safe got done over by an HTML/JavaScript exploit. I saw what they'd done (sandboxed to keep it from doing anything nasty, I may add).
 
If you search an email on Facebook, it will show you the account the email address is registered to, like a friend finder. If you search: [email protected], it brings up an account named 'Paul Rogers'..?

:eek: I'm Paul Rogers. I tried to log into Facebook last night at work on my phone and I couldn't get in; it said I was using the wrong password. Asked my mate to check my profile and it said I had been hacked on my status. :eek: I have now changed my password. Whoever solina46800 is had added that e-mail address to my list of addresses.
 