FBController allows for hijacking of Facebook accounts

A new tool dubbed "FBController" is designed to allow people to take control over Facebook accounts with just the cookie data, and could allow attackers to manage multiple hijacked accounts.

Azim Poonawala, aka QuakerDoomer, author of FBController. Azim Poonawala

A computer security enthusiast in India has released a tool designed to allow people to take complete control of strangers' Facebook accounts if they can get hold of the targets' session cookies. It also could be used to manage large quantities of hijacked accounts.

FBController analyzes the communications that Facebook has with computers when they interact with the site and uses that information, along with the cookie data, to allow for accounts to be hijacked, said 26-year-old Azim Poonawala, who wrote the tool and provides details on his blog.

Cookies, meanwhile, can be obtained using network sniffing, cross-site scripting exploits, social engineering, and via open proxies where cookies are logged, he said in a recent interview over chat.

Poonawala, who goes by the alias "Quaker Doomer," said he wrote the tool as a proof of concept and because "writing network-related gray hat tools has always been an adrenalin rush."

Jeremiah Grossman, chief technology officer of WhiteHat Security, said he believed the purpose of the tool is to manage control over large numbers of accounts rather than merely hijack accounts one at a time.

"This is much easier than using a browser to log in and modify accounts individually," Grossman said in an e-mail. "The mere existence of such a tool leads me to believe that huge numbers of FB accounts are and continue to be compromised and the bad guys need to scale their access."

Facebook spokesman Barry Schnitt said the company is aware of the tool and that it does not impact the firm's ability to detect potentially malicious behavior.

"We have systems to detect phished or fake accounts on many different points, including at point of compromise, point of creation, point of login, and point of a spam send, among others," Schnitt said. "Multiple accounts taking the same action, at the same time, as this tool enables, can actually make this detection easier." Poonawala said his intention in creating FBController was not to allow control of multiple accounts, although "it can definitely be misused by bad guys to achieve that since it is free."

This is a shot of an FBController screen. Azim Poonawala

 

Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments
Latest Galleries from CNET
In pictures: The best and worst quotes of 2014 (pictures)
A roomy range from LG (pictures)
This plain GE range has all of the essentials (pictures)
Sony's 'Interview' heard 'round the world (pictures)
Google Lunar XPrize: Testing Astrobotic's rover on the rocks (pictures)
CNET's 15 favorite How Tos of 2014