Here I will show how easy it is to hack Facebook with the current Facebook homepage UI.
Files
First we need the files above. Inside the pack folder is an HTML file. Open faceb.html using Firefox. (Currently the altered file doesn't render properly in Chrome or Explorer, so you need to open it using Firefox.)
Now, we hide the URL with the official address. Below, the official Facebook address is seen in the URL bar.
The attacker can leave the system with this page open. Unsuspecting victims see that Facebook is open, so they enter their username and password. The victim clicks on Log In, but the Facebook login page reloads. The victim thinks he/she made a mistake and tries to log in again. This time the login succeeds.
The attacker's work is done.
The attacker comes back to the system and modifies the faceb.html file by uncommenting these two lines:
//alert(localStorage.getItem("email"));
//alert(localStorage.getItem("password"));
The attacker opens the page with Firefox. The username and password are shown to the attacker in alert boxes.
First the username pops up.
Then the password pops up.
The interesting thing is that localStorage seems to store the data in the system forever, even after the system is shut down. The attacker can return whenever he/she pleases to recover the compromised credentials. In this example the attacker needs to get hold of the victim's computer for a few minutes, but this attack can also be performed remotely if the files are uploaded to a remote machine.
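From the defender's side, a saved login page that keeps credentials in localStorage can be spotted by looking for storage calls with credential-like key names. The following is an added example, not code from the original post or its files; the function names, the key-name pattern and the sample page are assumptions constructed for illustration.

```javascript
// Added example: flag web-storage calls in a saved HTML page whose key
// names look like credentials. All names below are hypothetical.
const CREDENTIAL_KEY = /^(e-?mail|user(name)?|login|pass(word|wd)?|pwd)$/i;
const STORAGE_CALL =
  /\b(localStorage|sessionStorage)\s*\.\s*(getItem|setItem|removeItem)\s*\(\s*(["'])(.*?)\3/g;

// Return the bodies of all inline <script> elements in the page.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// Report every storage call that uses a credential-like key. Commented-out
// calls are reported too (marked as such), because the page described above
// keeps its read-back lines commented until they are needed.
function findCredentialStorage(html) {
  const findings = [];
  for (const body of extractInlineScripts(html)) {
    for (const line of body.split(/\r?\n/)) {
      for (const m of line.matchAll(STORAGE_CALL)) {
        if (!CREDENTIAL_KEY.test(m[4])) continue;
        findings.push({ store: m[1], method: m[2], key: m[4],
          commentedOut: /^\s*\/\//.test(line) });
      }
    }
  }
  return findings;
}

// Constructed sample page: one harmless preference read plus the two
// read-back lines quoted in the post (one still commented out).
const SAMPLE_PAGE = `
<html><body>
<form><input type="text" id="email"><input type="password" id="pass"></form>
<script>
var theme = localStorage.getItem("theme");
//alert(localStorage.getItem("email"));
alert(localStorage.getItem("password"));
</script>
</body></html>`;

console.log(findCredentialStorage(SAMPLE_PAGE));
```

The check only covers inline scripts and the getItem/setItem/removeItem call style; property-style access such as localStorage.password and external script files would need their own handling.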
I have already emailed the issue to Facebook and it seems they don't care enough to alter their UI. With just a slight modification to the UI this type of attack can be made harder. Gmail and Yahoo have two-step authentication: first they accept the username, and only then do they accept the password. It seems this type of attack is harder on such types of authentication pages. Facebook, why not switch?