New research shows how an old vulnerability called ROBOT can be exploited using an adaptive chosen-ciphertext attack to reveal the plaintext for a given TLS session.
While scrolling through Facebook, how do you decide which link or article is worth clicking?
The Facebook timeline and Messenger display the title, description, thumbnail image and URL of every shared link, and this information is usually enough to decide whether the content interests you.
Since Facebook is full of spam, clickbait and fake news articles these days, most users do not click every second link served to them.
That said, you are far more likely to open an article when content that interests you appears to come from a legitimate and authoritative website, such as YouTube or Instagram.
However, what if a link shared from a legitimate website lands you into trouble?
Links shared by ordinary users on Facebook could already not be edited, and in July 2017, to curb the spread of misinformation and false news, the social media giant also removed the ability for Pages to edit the title, description and thumbnail image of a shared link.
However, it turns out that spammers can still spoof the URLs of shared links to trick users into visiting pages they do not expect, redirecting them to phishing or fake news websites carrying malware or other malicious content.
Discovered by 24-year-old security researcher Barak Tawily, a simple trick allows anyone to spoof URLs by exploiting the way Facebook fetches link previews.
In brief, Facebook scans a shared link for Open Graph meta tags to determine page properties, specifically ‘og:url’, ‘og:image’ and ‘og:title’, from which it takes the URL, thumbnail image and title respectively.
Tawily found that Facebook does not validate whether the link in the ‘og:url’ meta tag is the same as the URL the page was actually fetched from, so spammers can spread malicious web pages on Facebook under spoofed URLs simply by placing a legitimate URL in the ‘og:url’ Open Graph meta tag on their own websites.
“In my opinion, all Facebook users think that preview data shown by Facebook is reliable, and will click the links they are interested in, which makes them easily targeted by attackers that abuse this feature in order to perform several types of attacks, including phishing campaigns/ads/click fraud pay-per-click,” Tawily told The Hacker News.
Tawily reported the issue to Facebook, but the social media giant refused to recognise it as a security flaw and pointed out that Facebook uses “Linkshim” to protect against such attacks.
If you are unaware, every time a link is clicked on Facebook, a system called “Linkshim” checks that URL against the company’s own blacklist of malicious links to keep users away from phishing and malicious websites.
This means that if an attacker uses a new domain for generating spoofed links, it will not be easy for the Linkshim system to identify it as malicious.
Although Linkshim also uses machine learning to identify never-seen-before malicious pages by scanning their content, Tawily found that this protection could be bypassed by serving non-malicious content specifically to Facebook’s crawler, selected by User-Agent or IP address.
Tawily has also provided a demo video showing the attack in action.
Since there is no way to check the actual URL behind a shared link on Facebook without opening it, there is little a user can do to protect themselves except remain vigilant.
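The root cause above is that the preview scraper trusts ‘og:url’ without comparing it to where the page was fetched from. The following added example (not Facebook’s code and not Tawily’s; hostnames such as spam.example and news.example are constructed) shows the missing check a link-preview scraper should perform: parse the Open Graph tags and honour ‘og:url’ only when its host matches the host the content was actually served from, otherwise display the fetched URL and flag the mismatch for review.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class OpenGraphParser(HTMLParser):
    """Collect <meta property="og:..." content="..."> tags; first occurrence wins."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            a = dict(attrs)
            prop = (a.get("property") or "").lower()
            if prop.startswith("og:") and a.get("content") is not None:
                self.og.setdefault(prop, a["content"])


def parse_open_graph(html):
    parser = OpenGraphParser()
    parser.feed(html)
    return parser.og


def validate_preview(fetched_url, html):
    """Pick the URL a link preview may show for a page fetched from fetched_url.
    og:url is honoured only when its host equals the host the content was really
    served from; otherwise the fetched URL is shown and the mismatch reported."""
    og = parse_open_graph(html)
    claimed = og.get("og:url")
    if claimed is None:
        return {"ok": True, "display_url": fetched_url, "reason": "no og:url"}
    served_host = (urlparse(fetched_url).hostname or "").lower()
    claimed_host = (urlparse(claimed).hostname or "").lower()
    if served_host and claimed_host == served_host:
        return {"ok": True, "display_url": claimed, "reason": "og:url host matches"}
    return {"ok": False, "display_url": fetched_url,
            "reason": f"og:url claims {claimed_host!r}, served from {served_host!r}"}


# Constructed sample: page on a spam host whose og:url impersonates YouTube.
SPOOFED_PAGE = """<html><head>
<meta property="og:title" content="You won't believe this video">
<meta property="og:image" content="https://spam.example/thumb.jpg">
<meta property="og:url" content="https://www.youtube.com/watch?v=constructed">
</head><body>...</body></html>"""
SPOOFED_FETCH_URL = "https://spam.example/video.html"

# Constructed sample: honest page whose og:url is its own canonical URL.
HONEST_PAGE = '<meta property="og:url" content="https://news.example/story/42">'
HONEST_FETCH_URL = "https://news.example/story/42?utm_source=fb"
```

Because the comparison uses the host the scraper itself fetched from, it holds even when a site cloaks its content for the crawler: whatever the crawler was served is what the preview is held to.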
Facebook is once again in trouble regarding its users’ privacy.
The social media giant has recently been heavily fined for a series of privacy violations in Spain.
Recently, Google also incurred a record-breaking fine of $2.7 billion (€2.42 billion) by the European antitrust officials for unfairly manipulating search results since at least 2008.
Now, the Spanish Data Protection Agency (AEPD) has issued a €1.2 Million (nearly $1.4 Million) fine against Facebook for breaching laws designed to protect people’s information and confidentiality.
According to the data protection watchdog, the social network collects its users’ personal data without their ‘unequivocal consent’ and makes the profit by sharing the data with advertisers and marketers.
The AEPD also found Facebook collects sensitive data on user’s ideology, religious beliefs, sex and personal tastes and navigation—either directly from its own services or through third parties—without clearly informing its users how this information would be used.
This activity constituted a “very serious” infringement of the country’s local data protection law (LOPD), for which the authority fined the company €600,000 ($718,062).
The regulator also identified two “serious” violations of privacy laws, including:
- Tracking people through the use of “Like” button social plug-ins embedded in other non-Facebook web pages—for which it is fined €300,000 ($359,049).
- Failing to delete data collected from users once it has finished using it; in fact, the company “retains and reuses it later associated with the same user”—which resulted in another €300,000 ($359,049) fine.
However, Facebook denies any wrongdoing and intends to appeal the decision of the Spanish data protection authority, providing the following statement:
“We take note of the DPA’s decision with which we respectfully disagree. Whilst we value the opportunities we’ve had to engage with the DPA to reinforce how seriously we take the privacy of people who use Facebook, we intend to appeal this decision.”
“As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people.”
In May, the social media giant was fined €150,000 ($179,532) by for the way Facebook targeted advertising and tracked users.
New cross-platform malware for Windows/Mac/Linux spreading via Facebook Messenger
A cyber-criminal gang is using Facebook Messenger to spread a new malware specimen through links to spoofed websites. This threat, which is highly sophisticated and has been customized for each Web browser, was uncovered by a security expert who received a suspicious message from one of their Facebook friends and decided to analyze its content.
How malware works
The mechanics of the attack are relatively simple. The targeted user receives a Facebook message that includes the recipient’s name, the word ‘video’ and a shocked emoji followed by a shortened URL. As the message comes from one of the victim’s friends, they are very likely to click the link in order to view its content. The malicious link opens a Google document containing a blurry picture taken from the victim’s Facebook and which looks like a playable movie. Then, if the victim attempts to play the video, the malware will send them to one of a number of different websites, depending on their Web browser, operating system, location, and other factors. This site will then prompt the user to install malicious software.
Google Chrome users, for example, are redirected to a fake YouTube channel, complete with the official logo and branding. This site shows the user a fake error message designed to trick them into downloading a malicious Chrome extension. Firefox users, however, are sent to a website displaying a fake Flash update notice, which, once run, attempts to run a Windows executable to install adware. Finally, Safari users are taken to a similar site, customized for macOS, encouraging them to download a malicious .dmg file.
A highly complex, sophisticated attack
This type of malware is designed to track the victim’s browsing activity using cookies and display targeted adverts, but also to use social engineering to trick the user into clicking on them. The malware is capable of spreading across different platforms via Facebook Messenger, using multiple domains to prevent tracking and earning clicks.
The malicious code is highly sophisticated and complex, and researchers suggest that the malicious links are being sent from real Messenger accounts compromised as a result of stolen passwords, hijacked browsers or clickjacking techniques. Each click on the ads generates revenue for the malware authors, and even though there is relatively little known about the malware campaign and those behind it, the sheer number of Facebook Messenger users gives attackers access to an extremely large number of potential victims.
How to protect yourself from malware
One simple way to avoid falling victim to this scam is to treat any link received from a Facebook friend with caution. For greater security, experts recommend keeping a trusted, up-to-date antivirus such as Panda Protection installed on your computer. In addition, a spokesperson for Facebook has confirmed that the company maintains a number of automated systems to help stop the distribution of harmful links and files via the social networking site.
Is telepathy texting the next step in technology communications?
With over 2 billion registered members, Facebook is the world’s most popular online service. But to maintain that title, Facebook is constantly developing new services to keep people logging in. In a recent video conference, Facebook chief Mark Zuckerberg discussed one of the cutting-edge projects his team is working on. The top-secret Building 8 division has begun to develop what they call a “direct brain interface”, a technology that would allow people to text by “telepathy”.
What would you do with a direct brain interface?
The direct brain interface is intended to capture the words you plan to speak as they pass through your brain. These thoughts would then be converted into text, ready for transmission – to a nearby screen, or even directly into the mind of another person using a similar interface.
Initially, Facebook hopes that the new technology will allow people with brain injuries or communication problems to finally “speak” with the outside world. One scientist working on the project believes such a device would be “as transformative as the computer mouse”.
Taking the direct brain interface mainstream
Once the medical application has been proven, Facebook would naturally expect to take the interface mainstream. Zuckerberg described how he would like to see the technology used to send messages telepathically between Facebook users.
Because the technology is “decades” from release, it is hard to properly imagine what the interface could do. At the most basic level it will probably work like a person-to-person version of the Facebook Messenger app. Presumably users would be able to send text messages direct to the brain of their friends, anywhere in the world without having to lift a finger, or making a sound.
The potential for problems
Just like any computing device, there is always a potential risk that the direct brain interface could be hacked. Again, the specifics of such an attack are hard to guess, but could be relatively harmless, such as receiving unwanted advertising messages directly into the brain.
The outcomes of a cyberattack could conceivably be far worse too. Malware that increases processor activity could cause the interface to overheat, damaging the brain for instance. As the Stuxnet virus demonstrated, malware can cause physical damage. But if that damage is caused to devices connected directly to the human brain, the results could be catastrophic – potentially fatal.
Plenty of time to prepare
The good news is that Facebook’s telepathic text system is still a long, long way from even having something to test. It will be many years before we see a working prototype, let alone a unit that we can actually buy.
In the meantime, engineers will be hard at work developing security measures to protect users against hackers and malware. And as devices finally start to appear, you can expect to see new anti-malware products going on sale to add an extra layer of defence.
In the meantime, why not check whether Facebook Messenger is properly protected on your phone with a free Panda Mobile Security download.
Researchers who identified a real-time way to detect credential spearphishing attacks in enterprise settings won $100,000 from Facebook last week.
The impending demise of Adobe Flash will create legacy challenges similar to Windows XP as companies begin to wean themselves off the vulnerable code base.
The APT group Cobalt Gypsy, also known as OilRig, used a fake persona called “Mia Ash” to lure tech-savvy workers in the oil and gas industry into downloading PupyRAT malware.