Thursday, March 19, 2015

Facebook Vulnerability leaks Private Photos.


Having a Facebook account is now considered a social status. Facebook's latest feature lets anyone sync the photos taken on their phone or tablet. Recently a researcher found that Facebook had a vulnerability that could be used to leak these private photos.

Photos synced from a device are automatically uploaded to a private album that is not visible to anyone else and can later be shared with friends. The vulnerability allowed a third-party app to access the personal photos in this hidden Facebook Photo Sync album.

The vulnerability lies in the privilege mechanism that decides which applications are allowed to access synced photos through the vaultimages API.

The private photo album should be accessible only to Facebook's official app, but this vulnerability let any third-party app obtain permission to read the personal synced photos.

The researcher who found it is Laxman from India; he had earlier disclosed a Graph API vulnerability that allowed anyone to delete a photo album.

How to Disable the Auto-Sync Feature:

Facebook has patched the vulnerability and rewarded him with $10,000, but Facebook users are still advised to turn off the Photo Sync feature.

To do that, go to Account --> App Settings --> Sync Photos, then choose 'Don't sync my photos'.

P.S.: This post is to create awareness and not to be misused.

Wednesday, March 11, 2015

Facebook Hacking Tool - Reconnect.


Facebook is a social networking site with millions of users online. A security researcher posted that #Facebook has a poor security feature and proved it: he released a hacking tool that can be used to hijack user accounts.

He disclosed the vulnerability on his Blogspot blog, and when Facebook declined to fix the issue he developed a tool that attackers can use to hijack Facebook-linked accounts. The tool is named #Reconnect. It exploits a Cross-Site Request Forgery (CSRF) vulnerability present in Facebook.

The tool relies on the fact that many e-commerce websites use Facebook Login as an authorisation token for logging into their own sites; an attacker can abuse this to hijack such web accounts with ease. It also opens the door to phishing attacks.

When a potential victim is tricked into clicking the attacker's URL, they are logged out of their own Facebook account and into a cloned account set up by the attacker. At the same time, the victim's accounts on websites that use Facebook Login get linked to that cloned account.

This gives the attacker access to the victim's accounts on those third-party sites, allowing them to change passwords, read private messages and perform other malicious actions.

The developer provides a step-by-step tutorial on how to use the tool. Reconnect can hijack accounts on Booking.com, Bit.ly, About.me, StumbleUpon, Angel.co, Mashable, Vimeo and many other sites that support Facebook Login.

The complete tutorial about the usage of the tool can be found here.

Facebook says it has made it harder for an attacker to exploit the vulnerability without affecting the functionality of the authentication token.
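As an added example (not from the original post and not the Reconnect tool's code), the Python sketch below shows from the relying-party side why a login CSRF of this kind links a victim's site account to an attacker's identity, and the standard defence the post does not describe: binding an unguessable OAuth 2.0 `state` value to the user's session and rejecting any callback that does not carry it. The identity provider and the code-to-identity mapping are constructed stand-ins for the token exchange.

```python
import hmac
import secrets

# Constructed stand-in for the identity-provider token exchange: in the real
# flow the site trades the callback's authorisation code for an identity via a
# server-to-server call; here a dict plays that role.
CODE_TO_IDENTITY = {"code-victim": "fb:victim", "code-attacker": "fb:attacker"}


def start_login(session):
    """Hardened flow, step 1: mint a one-time unguessable state value, store it
    in the server-side session and send it along with the redirect."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return {"redirect": "https://idp.example/authorize", "state": state}


def callback_vulnerable(session, params):
    """Links the session to whatever identity the code resolves to. A callback
    URL crafted by someone else, carrying their own code, therefore links the
    victim's site account to that other identity (login CSRF)."""
    identity = CODE_TO_IDENTITY.get(params.get("code"))
    if identity is None:
        return None
    session["linked_identity"] = identity
    return identity


def callback_hardened(session, params):
    """Accepts the callback only if it carries the state minted for this very
    session; the value is single-use and compared in constant time."""
    expected = session.pop("oauth_state", None)  # consumed whether or not it matches
    presented = params.get("state", "")
    if not expected or not hmac.compare_digest(expected, presented):
        return None  # cross-site forged callback: nothing gets linked
    identity = CODE_TO_IDENTITY.get(params.get("code"))
    if identity is None:
        return None
    session["linked_identity"] = identity
    return identity
```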

P.S.: This post is to create awareness and not to be misused.

Friday, March 6, 2015

WhatsApp Calling Hoax Message.


It is true that the messaging giant #WhatsApp is working on a WhatsApp Calling feature that lets users call their friends over VoIP. Recently a hoax message about it has been spreading over social networking sites and WhatsApp itself.

#WhatsApp Calling is still in beta, and WhatsApp randomly selects users to try out the feature. Through those users it tests call quality, encryption, security and data rates. The invite can be passed on to friends, and any invited friend can invite others to try it out.

The feature has become hugely popular, and attackers have taken advantage of that to fool people. Hoax messages have been created and circulated among users. The hoax message reads as follows:

He / She is inviting you to try the WhatsApp Calling feature; you can enable it by sending this to 10 friends, after which the 'Continue' button will become active and you can enable the feature.

Once the victim clicks the 'Continue' button, a website opens and asks them to complete a survey to activate the feature. The scammers earn money by getting others to complete the survey. It can also make the user click on advertisements.

It can also download a malicious application onto the phone and start further attacks. Using the implanted application, the attacker can obtain private or personal information as well.

If you receive such a message from a friend, don't fall for it. Users are requested to use common sense: once WhatsApp officially releases this feature, every user will get it after updating. Beyond this scam, there are many messages promising a Rs. *** top-up for forwarding them to 10 people.

Users protect their systems and devices with every security feature but fail to analyse, with their own brains, the attacks aimed at them. In the cyber world, don't trust anyone, sometimes not even your own EYES.

P.S.: This post is to create awareness and not to create any negative impact.

Monday, March 2, 2015

Top 10 Android Hacking Tools.


Android is one of the most popular mobile operating systems, with millions of users globally, and it has changed how people view the smartphone. Because of its popularity and architecture, Android has become the most popular attack target among attackers.

In this cyber world everyone must know how secure their devices are. That is only possible if they use the same tools that hackers use, following the saying "If you wanna catch a thief you should think like a thief". A list of 10 hacking tools follows.


1. Hackode: Used for reconnaissance and information gathering such as ping, traceroute and DNS lookup, and also for running exploits.

2. Androrat: The name combines Android and RAT (Remote Administration Tool). Used to execute commands remotely to retrieve call logs, messages, required files and GPS location.

3. APKInspector: Used to analyse Android applications. Performs analysis of DEX code and reveals the in-depth structure of malicious applications.

4. DroidBox: Used to analyse hash values, incoming/outgoing packets, and file read and write operations. Can also work on cryptographic operations.

5. Burp Suite: One of the classic tools for vulnerability assessment. Can be used for the entire pentesting process. A state-of-the-art automation tool that is hard to beat; highly configurable and used by many experienced professionals.

6. zANTI: Used to test for backdoors, brute-force attacks, DNS attacks and rogue access point attacks. Also includes a MiTM (Man in the Middle) attack module and Metasploit.

7. DroidSheep: Captures HTTP packets transmitted over the network and reveals the weak security of non-SSL web services. Uses both libpcap and arpspoof.

8. dSploit: A collection of pen-testing tools. Includes Router PWN, Wi-Fi cracking, a port scanner, a login cracker, a packet forger, MiTM, sniffing and many more.

9. AppUse: Bundles many pen-testing tools. Can be used for advanced penetration testing with a single click.

10. ConnectBot: Open-source SSH client. Can be used to access a remote server with a given username and password pair. Uses standard encryption.

These tools are to be used for EDUCATIONAL PURPOSES ONLY. Read how each tool works before using it, because these are very powerful and dangerous tools. THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE CAUSED BY RUNNING THESE TOOLS. The tools are NOT TO BE USED FOR ATTACK PURPOSES.

P.S.: This post is to create awareness and not to be misused.