Update: Facebook has since enabled secure browsing (HTTPS) for everyone, so this attack no longer applies to Facebook. The procedure described here still applies to any website whose login system is not secured (plain HTTP).
This is a demonstration of a session/account hijacking vulnerability in Facebook when you do not use a secure connection to it.
Part one of the series uses a wired-network scenario for the demo.
Complete self-explanatory video: (embedded video, not reproduced in this text)
Attacks employed:
1. Man-in-the-middle attack / ARP poisoning
2. Session hijacking
In this demo I used a local wired network. I used a Windows XP virtual machine on my Snow Leopard machine to hijack the Facebook session of a Windows 7 machine. I used Windows because the demo is easy to reproduce in a real-world scenario, but it can be tested on any operating system.
How to:
1. Open Cain, go to Configure and select your network card.
2. Use the MAC Address Scanner to scan your local network by specifying the IP range.
3. Identify your target PC from the results.
4. Open a new ARP poisoning route and set your IP and the target IP.
5. Open Wireshark and filter on http.
6. Wait for your target to open Facebook.
7. Check Cain for the poisoning status: Half-routing changes to Full-routing when the target uses the
8. Open Facebook with Firefox on your PC and use a cookie editor to note down the cookie names associated with Facebook.
9. Monitor Wireshark for a Facebook connection from the target PC, looking for HTTP [Retransmission] GET /x/.
10. Copy the cookie values from the HTTP [GET].
11. Open your Firefox and delete the cookies of Facebook.com.
12. Add the cookies and their values that you copied from Wireshark.
13. After you have finished adding the cookies, save and close the cookie editor.
14. Refresh your browser.
15. Congratulations, you have hijacked the Facebook account from your target PC.
How to prevent this vulnerability:
1. As of this writing, Facebook has introduced a secure layer (SSL) for the connection, but it is not yet fully enforced and is left to the user's preference.
So enable Secure Browsing under Security in Account Settings.
2. Better still, use the HTTPS Everywhere browser plugin to force a secure HTTPS connection for all websites that offer one.
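The reason the session cookie could be lifted from the wire is that a cookie set without the Secure attribute is sent by the browser on plain-HTTP requests too, which is exactly what the sniffer captures in step 9 above. The following added example (my own illustration, not code from the original post) models that browser rule and shows how marking the session cookie Secure keeps it off HTTP; the cookie names and values are constructed, not Facebook's real ones.

```python
# Added example: which cookies a browser attaches over http:// versus https://,
# and a defender check for session cookies that would leak on a plain-HTTP request.
# Cookie names/values below are constructed for illustration only.
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False      # Secure: only sent over HTTPS
    http_only: bool = False   # HttpOnly: not readable by page scripts


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def cookies_for_request(jar, scheme: str):
    """Names of cookies a browser attaches to a request made over `scheme`."""
    return [c.name for c in jar if scheme == "https" or not c.secure]


def audit(jar):
    """Defender check: cookies that would be exposed on any plain-HTTP request."""
    return [c.name for c in jar if not c.secure]


# Constructed sample responses: the weak setting beside the corrected one.
WEAK = ["sessid=abc123; Path=/", "prefs=dark; Path=/"]
HARDENED = ["sessid=abc123; Path=/; Secure; HttpOnly", "prefs=dark; Path=/"]


def demo():
    weak_jar = [parse_set_cookie(h) for h in WEAK]
    hard_jar = [parse_set_cookie(h) for h in HARDENED]
    return {
        "weak_over_http": cookies_for_request(weak_jar, "http"),      # session leaks
        "hardened_over_http": cookies_for_request(hard_jar, "http"),  # only prefs
        "hardened_over_https": cookies_for_request(hard_jar, "https"),
        "weak_audit": audit(weak_jar),
    }


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

The audit() check is the one to run against your own site's Set-Cookie headers: any session cookie it lists is capturable by the sniffing step this post demonstrates, and enforcing HTTPS for the whole site (as HTTPS Everywhere does on the client side) is what removes the plain-HTTP request in the first place.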
HTTPS connections should be made mandatory for such high-profile websites. My next demo will show session hijacking over Wi-Fi networks.
This demo is purely meant for educational purposes and to insist on the secure way of browsing.
indiandragon does not take any responsibility for any harmful actions carried out using this demo.