How to post to other people’s Facebook accounts

As I poke through Facebook, every once in a while I stumble upon some rather fun security holes. This one is probably one of my favorites. It is simple to exploit and the victim has no way of stopping it.

This is most effective when you have initial access to the target's account, though that is not strictly necessary. Such access can be obtained by:

1. using Firesheep on a public Wi-Fi network
2. finding a machine the person has left logged in or stepped away from for a few seconds
3. tricking them into sending you a screenshot of the page below
4. looking over someone's shoulder

With the user logged in, go to

http://www.facebook.com/mobile/

On the lower left, there is the "upload via email" option with an email address. Anyone who has this email address can post videos and images to the victim's FB wall. Once the attacker has acquired the email address, the victim cannot change it. When something is posted on the wall using this email address, nothing indicates who posted it or how. Facebook offers no way to restrict which senders may use this address.

The email address appears to be in the form

<dictionaryword><number><dictionaryword>@m.facebook.com

For the email to be accepted:

1. it must have a subject
2. it must have an image or video attached

Since the address uses only two dictionary words and a number, a determined spammer can also brute-force their way into random accounts by sending out millions of emails.

When an attack is successful, a confirmation email arrives with the subject "Facebook Photos", confirming that the email address is valid and the photo has been posted.

This is how a compromised post appears on the wall. The only hint as to where it came from is the Mobile Uploads album.

2.0.5 coming

The 2.0.5 development branch has been frozen. I am currently testing it for release. This version does not have Jingle voice chat; I hope to have it working properly in the 2.0.6 release. I'm pushing this out since I missed my September release deadline for 2.0.5.

2.0.5 changelog

This is an update that fixes bugs and adds features.

1. iOS5 compatible (fixes crashes)
2. Uses standard iPhone notification sound and vibrations
3. Fixed bug where sounds didn't play
4. Uses device/switch settings. Removed vibration options in Monal settings since they are redundant
5. Correctly detects https links in chats
6. Added feature to not save the password and request it on every login for additional security
7. Improved XMPP capabilities support (XEP-0115)
8. In chat view, shows the full date if the message came on another day
9. Added expanding text view like in the Messages app
10. Chat log can use the full screen to display messages (removed grey box at bottom)

Expanding chat box

By popular demand, here is the new expanding chat input box.

I have also fixed several bugs related to iOS5. Since these are urgent, I will likely release 2.0.5 with these changes and save Jingle for the big release coming after that.

Working on Monal Again

Things to expect in the September release.

1. Uses standard iPhone notification sound and vibrations
2. Fixed bug where sounds didn't play
3. Uses device/switch settings. Removed vibration options in Monal settings since they are redundant
4. Correctly detects https links in chats

I have also been working on the ability to not save the password at all and enter it on every login.

http://monal.im/bugs/viewissue.php?issue_no=48

Making good progress on that. I think I am about 50% done.

FAQ

Q. Why am I not getting sound or vibration alerts?

A. Make sure they are enabled in the settings screen. In addition, for sound alerts, make sure the silence switch is not turned on. Finally, both sound and vibrate only occur when the screen is locked or the app is running in the background. In other cases it is assumed that you are looking at the Monal app and don't need the additional notification of a new message.

Q. How do I remove contacts?

A. Swipe on them on the contacts screen and then tap Remove.

2.0.4 changelog

This is a service update that fixes bugs.

1. Fixed critical bug that caused immediate crash on iOS3 devices
2. Improved UI, adopted new icon set
3. Fixed bug where offline roster was not loading on some servers
4. Added XEP-0055: Jabber Search (user directory)
5. Added detailed help pages
6. Added several popovers to iPad UI
7. Option to turn off message preview
8. Option to hide offline contacts
9. Option to turn off logging
10. No longer forces an @ in the username, for greater compatibility
11. Button to close all active chats at once
12. Added XEP-0078: Legacy Authentication. Works on non-SASL servers
13. Tested to work with jabberd14 1.6
14. Tested to work with Prosody