Facebook User: Who Can Find Me...?
Hacker: Yes, I CAN!!
A security researcher has claimed that “digi-crims could easily scan the population of an entire country to find targets”.
Reza Moaiandin, technical director at Salt Agency, has figured out a way to exploit an important Facebook feature to gather personal data belonging to the users.
Facebook Privacy Setting That Makes Your Identity Vulnerable
If you pay attention to the security settings in your Facebook profile, you will find a privacy setting that says ‘Who can look me up?’, or "Who can look you up using the phone number you provided?", which is set to ‘Everyone’ by default.
This setting allows anyone to search for a user just by entering his or her phone number; Facebook's search box then displays that person's profile.
But can you imagine how cybercriminals could take advantage of this privacy blunder?
By exploiting this default feature with a simple trick, the researcher was able to link thousands of phone numbers to respective Facebook accounts.
Moreover, this security flaw in Facebook's search facility has recently led to the theft of data belonging to about 1.5 million Facebook users.
The "loophole" allows attackers to gather personally identifiable information (PII) from millions of users, including their names, telephone numbers, locations, images and more.
The security researcher used a script to generate every possible phone number combination in use in Britain, the US and Canada.
Basically, he set up a phone number generator that goes through the possible numbers and uses Facebook's Application Programming Interface (API), a tool that allows developers to build apps linked to the social network, to gather the Facebook user IDs associated with each phone number.
Once the user IDs are known, the API returns user details that include:
Moaiandin further explained:
"With this security loophole, a person with the right knowledge can harvest the non-private details of the users who allow public access to their phone numbers, enabling the harvester to then use or sell the user details for purposes that the user may not be happy with."
Facebook Can't Patch It, But You Can!
Moaiandin has alerted Facebook about this serious issue and asked them to make the Facebook APIs pre-encrypted.
However, the security loophole remains intact, allegedly leaving the social site's 1.44 billion users open to social engineering attacks and identity theft.
The researcher has contacted Facebook twice since discovering the flaw. However, Facebook apparently does not consider it a vulnerability that can be abused.
According to Facebook's security team, there are controls in place to monitor and mitigate such API abuse.
The company said it has strict rules that limit how developers can use the APIs, and that it takes immediate action against anyone who breaks them.
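Facebook has not published what its API-abuse controls look like. As an added illustration (not Facebook's code, and not the researcher's), the following shows the kind of server-side detection that would catch the enumeration described above: a client that walks through consecutive phone numbers, or that issues far more reverse lookups per minute than a contact-import use case needs. The request log is constructed sample data; the thresholds and client names are assumptions.

```python
from collections import defaultdict

# Constructed sample of reverse-lookup API requests: (seconds since start, client app id, number queried).
# "app-enum" walks through consecutive numbers once per second; "app-normal" looks up three unrelated contacts.
SAMPLE_LOG = [(t, "app-enum", f"+1555123{t:04d}") for t in range(0, 120)] + [
    (5, "app-normal", "+15559876543"),
    (30, "app-normal", "+15551112222"),
    (90, "app-normal", "+15553334444"),
]

def _digits(number):
    """Phone number as an integer so consecutive numbers differ by exactly one."""
    return int("".join(ch for ch in number if ch.isdigit()))

def lookups_per_window(log, window=60):
    """Peak number of lookups each client made inside any sliding window of `window` seconds."""
    per_client = defaultdict(list)
    for t, client, _ in sorted(log):
        per_client[client].append(t)
    peaks = {}
    for client, times in per_client.items():
        start, best = 0, 0
        for end, t in enumerate(times):
            while times[start] < t - window:   # drop requests older than the window
                start += 1
            best = max(best, end - start + 1)
        peaks[client] = best
    return peaks

def longest_sequential_run(log):
    """Longest run of numerically consecutive numbers each client queried, in request order."""
    per_client = defaultdict(list)
    for t, client, number in sorted(log):
        per_client[client].append(_digits(number))
    runs = {}
    for client, nums in per_client.items():
        best = run = 1
        for prev, cur in zip(nums, nums[1:]):
            run = run + 1 if cur - prev == 1 else 1
            best = max(best, run)
        runs[client] = best
    return runs

def flag_abusive_clients(log, window=60, max_lookups=50, min_run=10):
    """Clients that exceed the rate threshold or probe a sequential block of numbers (assumed thresholds)."""
    peaks = lookups_per_window(log, window)
    runs = longest_sequential_run(log)
    return sorted(c for c in peaks if peaks[c] > max_lookups or runs[c] >= min_run)
```

Either signal alone would flag the enumerating client here; in practice the sequential-run check catches a slow, rate-limit-respecting walk that the per-minute counter would miss.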
How to Fix Facebook Privacy Issue
Meanwhile, there are security measures you can take to avoid becoming a victim of such activity.
To do so, you can follow the simple steps given below:
An attacker with malicious intent could sell the collected database of personally identifiable information on the black market, which can put a user's life at risk.
Moreover, if you are a victim of such an attack, you should think about what the hacker's next step could be: identity theft, financial losses, malware infections, phishing attacks and more.
Security researchers have developed a flying drone with a custom-made tracking tool capable of sniffing out data from devices connected to the Internet, better known as the Internet of Things.
Under its Internet of Things Map Project, a team of security researchers at the Texas-based firm Praetorian wanted to create a searchable database that will be the Shodan search engine for SCADA devices.
Located More Than 1600+ Devices Using Drone
To make it possible, the researchers equipped a drone with their custom-built connected-device tracking appliance and flew it over Austin, Texas, collecting data in real time.
During an 18-minute flight, the drone found nearly 1,600 Internet-connected devices, of which 453 were made by Sony and 110 by Philips.
How Did They Locate Internet of Things Devices?
The researchers located all ZigBee-enabled smart devices and networks and then started expanding their research.
"When [IoT devices] communicated over a wireless protocol called ZigBee, this protocol is open at a network level. So when the devices start connecting, they send out beacon requests. We capture data based on this," says Paul West Jauregui, from Praetorian.
ZigBee is a popular smart-home wireless communication standard used by the majority of Internet of Things (IoT) devices today.
The ZigBee protocol, which lets IoT devices talk to each other, is implemented by major vendors including Toshiba, Philips, Huawei, Sony, Siemens, Samsung, Motorola and many more.
Exploiting 'ZigBee' to Hack Internet of Things Devices Remotely
Such drone experiments could be even worse if hackers were able to hijack smart-home and Internet-enabled appliances remotely...
…that's Evil! But it has been demonstrated by a Vienna-based team of security researchers at Black Hat security conference.
Tobias Zillner and Sebastian Strobl from 'Cognosec' have discovered critical security flaws in ZigBee that could allow hackers to compromise ZigBee networks and take control of all connected devices on a network, including door locks, alarm systems and even your light bulbs.
The vulnerability actually lies in the way the ZigBee protocol handles the keys it uses to authenticate the IoT devices it adds to its mesh network, allowing attackers to sniff out the authentication keys as they are exchanged.
"Tests with light bulbs, temperature sensors, motion sensors and even door locks have shown that the vendors of the tested devices implemented [minimum features] required to be certified," says Zillner.
The worst part, the researchers point out, is that there is nothing users can do to make their smart devices more secure, and since the flaw affects a broad range of devices, it is unclear how quickly vendors will come up with a fix.