I've been confused about how it is possible to compromise a Facebook user's account simply if that user clicks a link. Recently a friend of mine on Facebook posted a series of links to what appeared to be some kind of Phishing scam. "99% of people couldn't watch this for more that 1 minute!!!" etc etc. We've all seen it. Clearly their account had been compromised and some malicious software or human was posting this content on their behalf.

Reading through some of the threads here I came across this: Don't understand how my mum's Gmail account was hacked

This seems like a similar scenario but I've been told reliably by my friend that they didn't input any credentials recently to sites that were anything other than Facebook. Of course we all know that a good Phishing site will indeed be indistinguishable from the site it is trying to capture details of users from.

So my question is twofold:

  • How can clicking a link and browsing to a page, without inputting any credentials, compromise your account?
  • How can sites that do get control of your account by asking for credentials through what appears to be a legitimate site still appear to have the right URL?

Thanks everyone! I'm very interested to hear any response.

user49984
  • This is extremely too broad. There are tons of things that could have happened here. The "phishing link" is actually a Facebook App that requests permission to post on your behalf, a malware downloaded from somewhere else, some client-side attack against the browser, the password has been leaked somehow, a keylogger, some other vulnerability on the victim machine, using the account on an untrusted machine, or any number of the other 100 possibilities. – Adi Jun 27 '14 at 10:40
  • Just know this; merely clicking the wrong link can cause you to get completely owned. The internet is a very dangerous place. Zero Day exploits can exist long before the public is aware. The worst of these allow your machine to be compromised simply by clicking a malicious link. Never take candy from a suspicious looking link. Never take a ride with a suspicious looking link. Does this sound familiar? It's the same thing our parents taught us as kids. Links are strangers. Strangers are dangerous. Beware the stranger danger! – k1DBLITZ Jun 29 '14 at 04:53
  • Indeed. Good point on the question being too broad. Is there any reading material you could please recommend to me that might help my understanding? – user49984 Jul 09 '14 at 13:06
  • Good point on the links too. Something that is impossible to impart to people like my parents but very true. – user49984 Jul 09 '14 at 13:06

1 Answer

Though I'm not much of a Web security person, there are at least three ways for your account to be "compromised":

  1. You installed a malicious browser extension: as long as you have a cookie allowing you to autoconnect on Facebook, it may be able to go there and use your account as it pleases (that depends on what the extension API of your browser allows, I'm not up to date with that). It could also spy on you when you log in and steal your password. Solution: don't install dubious browser extensions!
  2. You installed a Facebook app: if it asked for the permission to post on your behalf, look no further. Usually those apps also ask for some information about your contacts and/or your account so they have a means to spread and some data to sell. As a rule of thumb the vast majority of Facebook/Android/iOS free apps are here to steal and monetize your data.
  3. You visited a page asking you to connect with your Facebook id: usually to "verify your age". These get you to connect on their page and then make your browser run a JavaScript routine that'll post on your behalf. How exactly? I'm not sure, that depends on what the JS engine of the browser allows (e.g., can you influence the contents of an iframe from the outside? can you simulate clicks or text input in that frame?).

Hopefully someone can develop a more precise answer.

Steve Dodier-Lazaro
  • Add reverse proxy like the ones at airports or hotels. Reverse proxies can do pretty much whatever they want to you without you having the slightest clue you're being fed malicious content. – Andrew Hoffman Jun 27 '14 at 15:56
  • Thanks for the response. A lot of content in there. I'm beginning to understand at least the basics of how this could happen. – user49984 Jul 09 '14 at 13:05
  • No modern JavaScript engine allows influencing cross-domain iframes. – Nonny Moose Jul 28 '18 at 14:41
  • Nonny, please bear in mind the question and answer are quite old. I believe it was just a few months since W3C had formally recommended the adoption of CORS when this was written up. In 2017 XSS were still said to be a major threat vector, since policies must be well configured to prevent cross-domain resource sharing. Then again, I haven't looked at JS security models in years and I've never known them too well. – Steve Dodier-Lazaro Aug 10 '18 at 10:54
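
On the open question in point 3 of the answer and the comment about cross-domain iframes: the following is an added example, not code from any of the posts above, modelling in simplified form the two checks a browser applies, whether a parent page's script may reach into a frame (same-origin policy) and whether the framed site permits being embedded at all (`X-Frame-Options` and CSP `frame-ancestors`). The hostnames `social.example` and `quiz.example` and the function names are assumptions, and only `'none'`, `'self'` and exact-origin sources are modelled.

```javascript
// Added example: simplified model of two browser checks.
// All URLs and header values below are constructed samples.

// Same-origin policy: script on page `a` may touch the DOM of frame `b` only
// when scheme, host and port all match. Opaque origins (data:, sandboxed
// frames) serialize as "null" and must never match anything.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  return oa !== "null" && oa === ob;
}

// Return the frame-ancestors source list from a Content-Security-Policy
// header value, or null when the directive is absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Decide whether `frameUrl` may be rendered inside `parentUrl`, given the
// framed page's response headers (keys lower-cased).
function mayBeFramed(frameUrl, parentUrl, headers) {
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // frame-ancestors, when present, takes precedence over X-Frame-Options.
    return sources.some((src) => {
      if (src === "'none'") return false;
      if (src === "'self'") return sameOrigin(frameUrl, parentUrl);
      try { return new URL(src).origin === new URL(parentUrl).origin; }
      catch { return false; } // not a full origin: outside this simplified model
    });
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return sameOrigin(frameUrl, parentUrl);
  return true; // no framing policy: any page may embed this one
}

// Constructed scenario: a quiz page tries to embed a social site's "like" page.
const SOCIAL = "https://social.example/like";
const QUIZ = "https://quiz.example/age-check";
console.log("script access allowed:", sameOrigin(QUIZ, SOCIAL));
console.log("framing allowed, no headers:", mayBeFramed(SOCIAL, QUIZ, {}));
console.log("framing allowed, XFO DENY:",
  mayBeFramed(SOCIAL, QUIZ, { "x-frame-options": "DENY" }));
```

Script access is refused in every cross-origin case, so what is left for the embedding page is overlaying the frame to trick a click, which the framed site's own headers switch off.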