Blog Archives

Password reset vulnerability in Facebook Employees' Secure Files Transfer service

Many of you may not be aware of this, but Facebook runs a Secure Files Transfer service for its employees, and a hacker reported a critical password reset vulnerability in it.

Nir Goldshlager, a researcher, told ‘The Hacker News‘ how he defeated Facebook‘s Secure Files Transfer service and helped Facebook by reporting the issue responsibly, keeping it undisclosed until it was patched.

After analyzing the site, he found that the software Facebook was running was actually Accellion's “Secure File Sharing Service”, so he downloaded the demo version from Accellion's website and explored its source code and file locations.

He found that the source also contained a user registration page, and that the same page was still live on Facebook's instance: Facebook had removed the Sign up link from the homepage but forgot to remove the registration page itself, which remained at its default location, /courier/web/1000@/wmReg.html. Removing a link is not access control; the page stays reachable by anyone who knows the path, and the vendor demo tells you every path.
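The “removed the link but not the page” mistake is easy to check for once you have the vendor's demo, because the demo gives you the full list of file locations. Below is an added example of that check in Python (my code, not Goldshlager's tooling or Accellion's). The homepage HTML, the HTTP probe and the paths other than wmReg.html and wmPassupdate.html are constructed stand-ins; hypothetical_removed.html in particular is made up.

```python
import re
from typing import Callable, Dict, Iterable, List, Set

# Constructed stand-in for a deployment whose homepage no longer links to the
# registration page but still serves it. Only wmReg.html and wmPassupdate.html
# are named in the article; the other two paths are hypothetical.
FAKE_SITE: Dict[str, int] = {
    "/courier/web/1000@/wmLogin.html": 200,               # hypothetical login page
    "/courier/web/1000@/wmReg.html": 200,                 # sign-up link removed, page still served
    "/courier/web/1000@/wmPassupdate.html": 200,          # password recovery page
    "/courier/web/1000@/hypothetical_removed.html": 404,  # hypothetical page that really was removed
}

# Constructed homepage: it links to login and password recovery, not to wmReg.html.
FAKE_HOMEPAGE = """
<a href="/courier/web/1000@/wmLogin.html">Log in</a>
<a href="/courier/web/1000@/wmPassupdate.html">Forgot password?</a>
"""


def fake_probe(path: str) -> int:
    """Stand-in for an HTTP HEAD/GET against the target; returns the status code."""
    return FAKE_SITE.get(path, 404)


def linked_paths(html: str) -> Set[str]:
    """Every href the homepage exposes, with query strings and fragments stripped."""
    return set(re.findall(r'href="([^"#?]+)', html))


def find_unlinked_pages(home_html: str,
                        candidate_paths: Iterable[str],
                        probe: Callable[[str], int]) -> List[str]:
    """Paths taken from the vendor demo that the target still serves (HTTP 200)
    but that its homepage no longer links to: exactly the 'forgot to remove the
    page' case. A 200 here is a finding to verify by hand, not proof of a bug."""
    linked = linked_paths(home_html)
    return sorted(p for p in candidate_paths if p not in linked and probe(p) == 200)


if __name__ == "__main__":
    # The candidate list would come from walking the unpacked vendor demo.
    print(find_unlinked_pages(FAKE_HOMEPAGE, list(FAKE_SITE), fake_probe))
```

Against a real target, `fake_probe` would be replaced by an HTTP request with the same contract (path in, status code out) and the candidate list by the file names found in the unpacked demo; the comparison logic stays the same.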

This allowed Goldshlager to create an account on the site and continue testing. He also found that the demo source code was encrypted with the ionCube PHP Encoder, and he was unable to decrypt much of it.

Source code is a treasure for a penetration tester: once you have it, you can find critical web application vulnerabilities far more easily. In any case, he dropped that approach because the source was encrypted. Encrypting the source hides the bugs from the reader, though, not from the attacker, as the next finding shows.

There was also a password recovery page (wmPassupdate.html) on the site, which in fact allowed anyone to reset the password of any account. Goldshlager noticed that when a user requested a password reset for their own account, the page identified the user by a cookie called “referer” that contained the e-mail address of the logged-in user, encoded (not encrypted) in Base64. Base64 is a reversible encoding that anyone can produce, so the cookie was a client-controlled statement of identity that the server trusted.


Finally, Goldshlager exploited the flaw by replacing the cookie value with the Base64 encoding of a victim's e-mail address and supplying a new value in the password parameter; the server accepted the client-supplied identity and reset that account's password. In this way he was able to reset the passwords of Facebook employees. The root cause is that the account being reset was chosen from client-controlled data rather than from a server-side session or a server-issued reset token. He reported the flaw and Facebook has since patched it.
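As an added example, and my own code rather than Accellion's or Facebook's (the product is PHP; this is Python so it can be run as is), the following contrasts a reset handler that trusts the client's Base64 cookie, as the article describes, with one that binds the reset to a random, single-use, expiring token that the server issued and delivered out of band. The user store, the e-mail addresses and all function and class names are constructed for the demonstration.

```python
import base64
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory user store. Passwords are kept in plaintext only to keep
# the demonstration short; a real store holds salted hashes.
def make_users() -> Dict[str, str]:
    return {"employee@example.com": "old-secret", "attacker@example.com": "attacker-pass"}


def forge_referer_cookie(victim_email: str) -> str:
    """What the attacker sends: the victim's address, Base64-encoded. No secret needed."""
    return base64.b64encode(victim_email.encode()).decode()


def vulnerable_reset(cookies: Dict[str, str], form: Dict[str, str],
                     users: Dict[str, str]) -> Optional[str]:
    """The flaw as the article describes it: the account to update is read from a
    client-controlled 'referer' cookie holding a Base64-encoded e-mail address.
    Returns the e-mail whose password was changed, or None if nothing happened."""
    try:
        email = base64.b64decode(cookies.get("referer", ""), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if email not in users:
        return None
    users[email] = form["password"]   # no check that the caller owns this account
    return email


class HardenedReset:
    """Identity for a reset never comes from the client. A reset completes only
    with a token the server generated, stored hashed, and sent to the address on
    file; the token is single use and expires."""

    def __init__(self, users: Dict[str, str], ttl_seconds: int = 900):
        self.users = users
        self.ttl = ttl_seconds
        self._pending: Dict[str, Tuple[str, float]] = {}   # sha256(token) -> (email, expiry)

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash so a leaked table cannot be replayed as tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a token for an existing account. In production the token is e-mailed
        and the HTTP response is identical whether or not the account exists."""
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (email, now + self.ttl)
        return token

    def complete_reset(self, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(self._key(token), None)   # pop: single use
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self.users[email] = new_password
        return True


if __name__ == "__main__":
    users = make_users()
    cookie = {"referer": forge_referer_cookie("employee@example.com")}
    print("vulnerable:", vulnerable_reset(cookie, {"password": "pwned"}, users))
    svc = HardenedReset(make_users())
    tok = svc.request_reset("employee@example.com")
    print("forged token accepted:", svc.complete_reset("forged", "x"))
    print("real token accepted:", svc.complete_reset(tok, "fresh"))
    print("replay accepted:", svc.complete_reset(tok, "again"))
```

The hardened path still lets anyone trigger a reset for any address (that is what a “forgot password” form does); what it refuses to do is let the caller name the account that gets the new password. Note also that `_pending.pop` both looks up and consumes the token in one step, so a token cannot be replayed.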

Video demonstration by Nir Goldshlager:

Original post at The Hacker News.

Thanks for reading. I hope it helped you.


Facebook messaging changes could let paid advertisements into users’ inboxes

Facebook announced a trial that could let paid advertisers message users’ in-boxes directly, which have traditionally been reserved for messages from friends.

The move is seen as the latest effort by the company to monetize its hugely popular social network, which now includes more than 1 billion active monthly users globally.

“This test will give a small number of people the option to pay to have a message routed to the Inbox,” Facebook says in a post announcing the news.

The news is part of a broader set of changes Facebook made to its messaging platform today, including new privacy settings. Users can now choose between two message settings, basic or strict. In the basic setting, friends, friends of friends and Messenger users who do not have a Facebook account can message a user's in-box. The “strict” setting lets the user choose who they can receive messages from.

Facebook’s messages are broken into two categories, the in-box and an “other” folder. The messaging platform is designed to “get the most relevant messages into your in-box and put less relevant messages into your other folder.” Facebook uses algorithms to determine relevance and where the message should be placed, for example, whether the sender is a friend, friend of a friend, or spammer.

With the introduction of paid messages though, people who are not in any way connected to a user’s social network can pay to send a message to someone. “Today we’re starting a small experiment to test the usefulness of economic signals to determine relevance,” Facebook says. “Several commentators and researchers have noted that imposing a financial cost on the sender may be the most effective way to discourage unwanted messages and facilitate delivery of messages that are relevant and useful.”

Paid messages seem akin to an advertisement, but Facebook says it envisions other scenarios as well. “For example, if you want to send a message to someone you heard speak at an event but are not friends with, or if you want to message someone about a job opportunity, you can use this feature to reach their Inbox. For the receiver, this test allows them to hear from people who have an important message to send them,” Facebook writes.

The feature is limited to person-to-person messages, meaning that Facebook business pages and accounts are not able to utilize this service. Paid messages are also limited to one per week to users involved in the trial.



Facebook’s best hacks of 2012


Facebook had some pretty sweet hacks over the past year. They basically deep-fried a server with phenomenal results. They created a QR code that can be seen from space. And one guy even made a 3D-printed map of Facebook.

The company holds regular internal hackathons to keep employees moving fast and breaking things, as per the social network’s now-famous Hacker Way code of conduct. And even outside those structured events, hacks just happen. It’s part of the Facebook way of life.

Some hacks are little more than pranks. Others end up becoming part of the site that you and I use every day. And in between those extremes, some hacks become canonized as Facebook lore, a sort of company-specific Jargon File that lives on Facebook’s servers and in its oral traditions.

This year, the company picked eight of its favorite hacks to share with the world. Here they are, in no particular order:





Cybercrime Changes Track to Mobile and Social Media in India



Bangalore: Crime leaves no stone unturned, and this applies to cybercrime too. Cybercrime is keeping up with the changing avenues available for defrauding and conning people in large numbers, according to Symantec Corporation’s Norton Cybercrime Report 2012. India has 137 million Internet users, and 7 out of 10 of them use their mobile to surf the net. Moreover, the social media user base in India has grown from 38 million in 2011 to 60 million in 2012, making both mobile and social media attractive targets for cybercrime, reported K Rajani Kanth for Business Standard.

Both of these fast-growing channels have been consistently targeted by cybercriminals using advanced techniques, and users are barely aware of the security risks involved. This rapidly changing trend has cost many individuals their identities, data and money, which are only a few of the many crimes committed online. According to the report, in the past 12 months more than 42 million people fell victim to cybercrime in India alone, leading to an unbelievable $8 billion in direct financial losses.

David Hall, the Asia Pacific regional consumer product marketing manager of Norton by Symantec, said, “Many of us at Symantec and Norton have been putting our heads together to predict some of what we can expect to see in 2013. Of the predictions we have come up with, I want to draw your attention in particular to two –– the likelihood that cyber terrorism will get highly personal as attacks focus on individuals or minority groups and the possibility that new electronic payment methods could be vulnerable to hacks and breaches,” as reported by Business Standard.

The report says that conflicts between nations, organisations and individuals will play a key role in the future of the cyber world. Hall claims, “In 2013, we will see the cyber equivalent of saber rattling, where nation states, organisations and even groups of individuals will use cyber attacks to show their strength and ‘send a message’. Additionally, we expect more targeted attacks on individuals and non-government organisations such as supporters of political issues and members of minority groups in conflict.”

Adding to this quagmire is madware, mobile adware that can disrupt the user experience with pop-up alerts, added icons and altered browser settings. It can also expose location details, device identifiers and contact information to cybercriminals. The software is primarily used by advertising networks to deliver targeted advertising through all the access it provides. Madware usually sneaks onto a user's device while an app is being downloaded, largely without the user’s knowledge, and gathers information that cybercriminals can easily access because there is no foolproof security installed on the device. Strong passwords are one of the key defences, the report says.

On this note the report said, “In just the past nine months, the number of apps including the most aggressive forms of madware has increased by 210 percent. Because location and device information can be legitimately collected by advertising networks, it helps them target users with appropriate advertising and we expect increased use in madware as more companies seek to drive revenue growth through mobile ads. This includes a more aggressive and potentially malicious approach towards the monetisation of ‘free’ mobile apps,” reported Business Standard.

The report predicts that hackers will go where the users and devices go, and at present that is mobile devices and the cloud. It also states that in 2013 the most heavily targeted platforms for crime and breaches will be mobile and cloud services. The swift rise of Android malware in 2012 confirms this: as users add applications, they also let malware onto their devices. According to the report, some of this malware replicates old threats, such as stealing information from the device.

According to the report, 31 percent of mobile users in India have received unwanted SMS text messages asking them to call an unknown number or click a link. To make matters worse, most mobile Internet usage goes through insecure mobile applications, increasing the risk further. The report adds that in 2013 mobile technology will certainly keep advancing and in turn provide fresh opportunities for cybercriminals to commit more crimes.



Original Post at SiliconIndia


How much data is consumed every day, every hour, every minute ?

How much data do you use in a minute? Uploading a photo to Facebook, tweeting, and browsing the Web on your mobile device: it all adds up. Here’s what we use in a single minute.



Every minute of the day, vast amounts of data are generated by ordinary activities: online shopping, phone calls, bog-standard Web browsing and visits to social media outlets.

The next time you perform a Google search, you are one of about two million users doing the very same thing at that same moment. Google handles this every second of the day, as does Facebook with more than four billion things shared daily and Twitter with its 340 million tweets per day — yesterday’s outage notwithstanding.

Perhaps a more daunting figure: we spend more than $1 million in online stores every five minutes. Who said we were back in a recession?

In that same amount of time, brands are propped up by close to a quarter-million ‘likes’ on Facebook, and more than a billion emails are exchanged.

The stats are baffling, and downright crazy. Here are the numbers you need to know.

  • Email users send more than 204 million messages;
  • Mobile Web receives 217 new users;
  • Google receives over 2 million search queries;
  • YouTube users upload 48 hours of new video;
  • Facebook users share 684,000 bits of content;
  • Twitter users send more than 100,000 tweets;
  • Consumers spend $272,000 on Web shopping;
  • Apple receives around 47,000 application downloads;
  • Brands receive more than 34,000 Facebook ‘likes’;
  • Tumblr blog owners publish 27,000 new posts;
  • Instagram users share 3,600 new photos;
  • Flickr users, on the other hand, add 3,125 new photos;
  • Foursquare users perform 2,000 check-ins;
  • WordPress users publish close to 350 new blog posts.

Data courtesy of Domo.

Original post at —


