Thursday, October 24, 2013

Proof of concept: Facebook Hacking

Scenarios: 

An attacker has harvested email addresses but does not know whether each address is registered as a Facebook account.

- He can easily find out by entering each email address as the Facebook user ID together with a dummy password. If the email address is already registered with Facebook and the password is wrong, the page shows the person's photo and name along with an incorrect-password message.

This is the major flaw. The attacker can collect this data (for example, a screenshot of the user's cover photo) and prepare a page identical to the Facebook login page. He then sends mail to those users' email addresses saying they need to update their information, and uses the user's cover details in the mail. Once the user clicks the keyword (hyperlink) in the mail, they land on the identical page, which collects the user ID and password and then redirects to the real Facebook page or an error page.


Conclusion:
The whole point is: if the attacker collects n email addresses and tries them on Facebook, he will find out whether each one belongs to a registered user or not. First of all, Facebook needs to change this and should not show the user's photo or name when the password is wrong. It just needs to show the message: user ID or password wrong.

(If this is used, many novice users' accounts might be hacked.)
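
An added example, not part of the original post and not Facebook's code: a login handler with the behaviour described above, next to one that returns the same failure response for registered and unregistered addresses. The account store, the function names and the message shown for an unregistered address are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; iteration count kept low for the demo
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_user(name: str, photo: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"name": name, "photo": photo, "salt": salt,
            "hash": hash_password(password, salt)}

# Constructed sample account store (not real data)
USERS = {"alice@example.com": make_user("Alice Example", "/photos/alice.jpg", "correct horse")}

# Dummy credentials so an unknown address costs the same hashing work as a known one
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("dummy-password", DUMMY_SALT)

GENERIC_FAILURE = {"ok": False, "message": "User ID or password wrong."}

def login_leaky(email: str, password: str) -> dict:
    """Behaviour described in the post: a wrong password on a registered
    address still reveals the account's name and photo."""
    user = USERS.get(email)
    if user is None:
        # Assumed message for an unregistered address
        return {"ok": False, "message": "No account found for this email."}
    if hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return {"ok": True, "name": user["name"]}
    return {"ok": False, "message": "Incorrect password.",
            "name": user["name"], "photo": user["photo"]}

def login_uniform(email: str, password: str) -> dict:
    """Fix the post asks for: one failure response, whether or not the
    address is registered, and no profile data before authentication."""
    user = USERS.get(email)
    salt, expected = (user["salt"], user["hash"]) if user else (DUMMY_SALT, DUMMY_HASH)
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    # Require a real account so the dummy credentials can never log anyone in
    if user is not None and matches:
        return {"ok": True, "name": user["name"]}
    return dict(GENERIC_FAILURE)
```

The same uniform response has to apply to any other form that accepts an email address, such as password reset or sign-up, or the address check simply moves there.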



By,
newWorld
