Wednesday, January 13, 2010

I've been hacked --- thanks Comcast.net!!!

Well, I was reading and commenting on my Facebook family and friends' statuses when I got a cryptic message stating something like "You need to be logged in to complete this action".

"Ok, fb is being flaky as usual", I said... and attempted to re-login again without any success. After a bit of shuffling around I quickly found out that my password had been changed for Facebook. I then went to log in to my comcast.net account (the one I use to log in to fb with) and was in shock when I found that that password had been changed as well! I reset everything with new passwords using my primary account.

Later that day I found out from some "friends" that Facebook had some hacking done so I dismissed this but didn't like how my comcast.net account was changed as well.

Two days later, I woke up with my early cup of coffee to check on my "facebook friends" before heading to work when I noticed that I could not log in again to either account. After resetting some passwords and getting into Facebook, I noticed that one of the applications I use had been sending status updates at midnight (2 hours past my bedtime). A scan on the computer found no viruses, spyware, or malware, and I believe I'm heavily patched.

After some serious investigation and looking around, I believe the vulnerability was caused by three factors:

1. My Comcast email address to login into Facebook was EXPOSED on my profile page. It was also known by several other people as well.

2. To reset your Comcast password, all you need to do is answer a very simple question such as "Name of your favorite pet, favorite sports team, etc." These answers could be easily obtained by reviewing my fb profile or even just by knowing me, and seriously, what New Englander does not love the Red Sox? With ONE (and only ONE) simple guess, the hacker now has ACCESS to your email account on comcast.net!!!

3. The hacker can then easily RESET your Facebook password by typing in your email address and selecting "Oops... I forgot my password". Facebook sends an email to the main email account (which was just hacked into) and doesn't challenge you with any security questions.
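The three factors above chain together: one guessable security answer on the email provider, then an email-only reset on the downstream site. As an added illustration (example code written for this page, not Comcast's or Facebook's actual reset logic), the small Python model below puts the recovery flow the post describes next to a hardened one. The weak flow resets the password on the first correct answer with no attempt limit; the hardened flow counts failed answers toward a lockout and, even on a correct answer, only issues a single-use, expiring reset token delivered out of band. The account, the security answer and the guess list are all constructed sample data.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample: a hypothetical mail account whose recovery hinges on a
# single knowledge-based question, as described in the post.
SECURITY_ANSWER = "Red Sox"


def _normalize(answer: str) -> str:
    # Case- and whitespace-insensitive comparison, as most reset forms do.
    return " ".join(answer.lower().split())


def _answer_digest(answer: str) -> bytes:
    return hashlib.sha256(_normalize(answer).encode()).digest()


class WeakRecovery:
    """Models the flow in the post: one correct answer resets the password, unlimited tries."""

    def __init__(self, answer: str):
        self._digest = _answer_digest(answer)
        self.password = None

    def reset(self, guess: str, new_password: str) -> bool:
        if hmac.compare_digest(self._digest, _answer_digest(guess)):
            self.password = new_password
            return True
        return False


class HardenedRecovery:
    """Hardened flow: lockout after MAX_ATTEMPTS wrong answers, and a correct answer
    only yields an out-of-band, single-use, time-limited token (never a direct reset)."""

    MAX_ATTEMPTS = 3
    TOKEN_TTL = 15 * 60  # seconds

    def __init__(self, answer: str, clock=time.time):
        self._digest = _answer_digest(answer)
        self._clock = clock  # injectable for testing expiry
        self.failed = 0
        self.locked = False
        self.password = None
        self._tokens = {}  # token -> expiry timestamp

    def request_reset(self, guess: str):
        """Return a token 'sent' to a verified channel, or None. Wrong answers count toward lockout."""
        if self.locked:
            return None
        if not hmac.compare_digest(self._digest, _answer_digest(guess)):
            self.failed += 1
            if self.failed >= self.MAX_ATTEMPTS:
                self.locked = True  # requires manual/identity-verified unlock
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = self._clock() + self.TOKEN_TTL
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        expiry = self._tokens.pop(token, None)  # pop makes the token single-use
        if expiry is None or self._clock() > expiry:
            return False
        self.password = new_password
        self.failed = 0
        return True


def demo():
    """Run the same constructed guess list against both flows and report the outcome."""
    candidates = ["patriots", "celtics", "bruins", "red sox"]  # constructed guesses
    weak = WeakRecovery(SECURITY_ANSWER)
    hardened = HardenedRecovery(SECURITY_ANSWER)
    weak_reset = any(weak.reset(c, "attacker-chosen") for c in candidates)
    for c in candidates:
        hardened.request_reset(c)
    return {"weak_reset": weak_reset, "hardened_locked": hardened.locked}


if __name__ == "__main__":
    print(demo())  # {'weak_reset': True, 'hardened_locked': True}
```

The lockout and token expiry are the parts that matter: even if the answer is as guessable as a regional baseball team, the hardened flow stops a short guess list before it reaches the right answer, and a correct answer still cannot change the password without access to the verified out-of-band channel.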

Suggestions:

1. Never expose your email address (your Facebook login account) on your profile.

2. If you use comcast.net, then make your secret question really difficult, OR don't use comcast.net for email.
