Facebook Photos That Steal Your Account

According to Computerworld, a newly described attack against Facebook and similar sites uses a spoofed image file called a "GIFAR". A GIFAR is a Java archive (JAR) glued onto a GIF: the bytes at the front of the file are a valid image, so an upload filter that checks the header accepts it as a picture, while the bytes at the end are a valid JAR, which the Java plugin reads from the back of the file. The same file is therefore both an image and an applet. Once it is uploaded, the process of tricking the user is somewhat involved. The Computerworld article describes a sample attack like this:

A bad guy would create a profile on a popular Web site — Facebook, for example — and upload his GIFAR as an image on the site. Then he’d trick a victim into visiting a malicious Web site, which would tell the victim’s browser to go open the GIFAR. At that point, the applet would run in the browser, providing the hacker access to the victim’s Facebook account.

It sounds like a convoluted way to compromise someone's account, but plenty of people would fall for it: all the victim has to do is visit a page that loads the applet. The applet is fetched from the social site's own domain, so the browser treats it as that site's code and it can act on the victim's logged-in session there; that is what "access to the victim's Facebook account" means here. The security researchers who found the flaw will present it at an upcoming conference, withholding a few critical components needed to make it work. Disguising one file type as another is not a new trick, but this is a new way of using it against people. My guess is that the technique will be turned over to Facebook and other affected sites and fixed pretty soon.

Comments

  1. Thanks for the notice! Well with blogs such as this exposing this sleazy scheme, it certainly will get fixed soon :)

    Comment by Nick Stamoulis — August 1, 2008 @ 4:58 pm

  2. This is not a Facebook-only flaw. This flaw affects nearly any site that allows the upload of user-supplied content. For the record, we have NOT tested this against Facebook to this date.

    -Nate

    Comment by Nate McFeters — August 1, 2008 @ 9:30 pm

  5. This would be a difficult process, but when you tag somebody in an image, they almost always come and have a look…I don't really see how a GIF that is a JAR could exploit anything on facebook. Facebook resizes all my images… that would break the jar… I'd be curious to find out.

    Comment by James — August 5, 2008 @ 4:53 pm

  7. I received a message on Facebook from a friend (actually just a Facebook friend, attractive girl) claiming that their friend had taken a picture of me with a hidden camera, and a link to a website that supposedly had the image. I figured that it was something malicious and didn't fall for it. My guess is it was an attempt to take over my account using this flaw.

    Comment by Ivan — August 8, 2008 @ 4:24 am

  9. Thanks for sharing. Regards, Max http://xtupload.com

    Comment by nulls101 — October 16, 2008 @ 10:36 am