Wednesday, June 29, 2011

How to Hack Facebook Passwords by adding into friend list

These days many Facebook users have hundreds and possibly thousands of friends. More friends increase the chance that your Facebook account will be hacked – especially if you accept friend requests from people you do not know.

Critical vulnerability found on FACEBOOK

It isn’t entirely unusual that Facebook users receive friend requests from people they do not know. Often, those friend requests are blindly accepted in an effort to grow the friendship base. It seems that especially people with Facebook accounts that are primarily used for marketing purposes are more likely to accept friend requests from people they do not know than the typical Facebook user does.

Such accounts could be hacked easily, and no ingenious hacking talent is required to do so: you simply need to walk through Facebook’s password recovery process with the help of two other Facebook friends of the targeted account.

You can easily gain access to a friend’s Facebook account through a collusion approach. You have to use Facebook’s password recovery feature, which is accessible through the “Forgot your password?” link on the Facebook login page.

Once the targeted account has been identified, Facebook suggests recovering the password via the existing email address. However, you can bypass this hurdle by clicking the “No longer have access to these?” link. In that case, Facebook asks for a new email address. In the following step, Facebook presents the security question tied to the account. However, you can also bypass the question by typing wrong answers three times in a row. After that, Facebook provides a rather surprising way to get your account back – via the support of three friends.

1. First, you select three friends “you trust”. These three friends then receive a code, which is required to change the account password.

2. Select yourself as one of them and you immediately receive a code from Facebook. With those three codes, you can easily change the password for the targeted account.

3. The problem clearly is that three friends you do not really know and cannot trust could potentially gain access to the victim Facebook account – through the standard password recovery feature.

4. The way around the problem mentioned in step 3 is social engineering: create two more fake profiles of your own and add the victim as a friend on Facebook. Now get all three codes and you are done.

NOTE: The targeted account will be locked for 24 hours after this password change, and the user’s old email address receives a notification of the password change as well as the names of the three friends who were given the codes. However, if these are friends with fake names, it doesn’t much matter that the victim now knows their names.
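As an added illustration (not part of the original post, and not Facebook’s code), here is a small Python model of the three-friend recovery policy described above next to a hardened variant. The hardened rules (contacts pre-selected by the account owner, and a minimum age for both the friendship and the contact’s account) are assumptions for the sake of the example, not a description of any real Facebook policy.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Friend:
    friend_since: date      # when this friendship was accepted
    account_created: date   # when the friend's own account was created


@dataclass
class Account:
    friends: dict                               # name -> Friend
    trusted: set = field(default_factory=set)   # assumption: contacts the owner chose in advance


def recover_weak(acct, code_holders):
    """Flow as described in the post: codes from any three current friends suffice."""
    return len({n for n in code_holders if n in acct.friends}) >= 3


def recover_hardened(acct, code_holders, today, min_age_days=30):
    """Illustrative hardening (assumption, not a real Facebook rule): a code only counts
    if the holder was pre-selected by the owner and both the friendship and the holder's
    account are at least min_age_days old, which rules out freshly created fake profiles."""
    valid = set()
    for n in code_holders:
        f = acct.friends.get(n)
        if f is None or n not in acct.trusted:
            continue
        if (today - f.friend_since).days < min_age_days:
            continue
        if (today - f.account_created).days < min_age_days:
            continue
        valid.add(n)
    return len(valid) >= 3


def sample_account():
    """Constructed scenario: three long-standing friends plus three unknown accounts
    the owner accepted two days ago. Names and dates are made up for this example."""
    today = date(2011, 6, 29)
    old, new = today - timedelta(days=400), today - timedelta(days=2)
    friends = {n: Friend(old, old) for n in ("alice", "bob", "carol")}
    friends.update({n: Friend(new, new) for n in ("stranger1", "stranger2", "stranger3")})
    return Account(friends, trusted={"alice", "bob", "carol"}), today


def demo():
    acct, today = sample_account()
    strangers, real = ["stranger1", "stranger2", "stranger3"], ["alice", "bob", "carol"]
    return {
        "weak_strangers": recover_weak(acct, strangers),                # True: the flaw
        "hardened_strangers": recover_hardened(acct, strangers, today),  # False: blocked
        "hardened_owner": recover_hardened(acct, real, today),          # True: genuine recovery still works
    }
```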

A Facebook user can easily end up not checking the account for a 24-hour period, particularly since we enjoy flaunting our activities through Facebook status messages. And even if the account is checked frequently, getting it back depends on Facebook’s response time, which can easily stretch to a number of days.

Bottom line: don’t expose yourself to people you don’t know.

Maybe this has been fixed by Facebook... but I’m hoping Facebook will soon make another stupid mistake again.