As Facebook has grown, the need for greater session security has increased to avoid hackers and spammers looking to exploit users. That doesn’t mean their system can’t be broken. 26-year-old Azim Poonawala has successfully built a piece of software that currently cracks Facebook sessions with the assistance of a user’s cookie information. While acquiring an individual’s personal cookie information requires a little bit of extra effort, it’s most definitely a feasible task.
As Jeremiah Grossman, Chief Technology Officer of WhiteHat Security, told Elinor Mills of CNet, “The mere existence of such a tool leads me to believe that huge numbers of FB accounts are and continue to be compromised and the bad guys need to scale their access.” Honestly, it’s not surprising to see that someone has compromised Facebook’s session system, although it definitely required a substantial time investment.
Facebook doesn’t seem to be concerned about this security threat, though. Barry Schnitt told CNet News, “We have systems to detect phished or fake accounts on many different points, including at point of compromise, point of creation, point of login, and point of a spam send, among others.” If the FBController tool were to be used to mass-control accounts, Facebook would know. As Barry Schnitt told CNet, “Multiple accounts taking the same action, at the same time, as this tool enables, can actually make this detection easier.”
While Facebook may seem confident in their ability to protect against security holes, this will most definitely force the company to modify their session management algorithm. While most web applications will never be perfectly secure, Facebook has invested heavily in making sure users on the site are protected.
Recently there has been an increased number of phishing attacks, and those attacks, among others, combined with this software, can compromise a large number of accounts. It will be interesting to see what measures Facebook takes to increase their security now that this software is available.









Ah, more Facebook problems for Windows users.
Comment by Facebook User — May 6, 2009 @ 9:34 pm
I never trusted Facebook with my data anyway.
Comment by Kaizaad Starzshowz — May 7, 2009 @ 12:56 am
In order to use this tool, you have to read a user's cookie first. This is not easy, and many (most?) applications on the web (including FB) can be easily exploited if you get your hands on some user's remember-me cookie, without using such tools. So, this actually isn't very attention-worthy, not very dangerous, and FB is right to not take it seriously.
Comment by gasper_k — May 9, 2009 @ 4:20 am
Problems for Windows users? Um, what browser/OS are you using that doesn't store cookies on your computer?
Comment by Tom Hogans — May 18, 2009 @ 5:22 pm
Agreed. Browser plugins can impersonate using cookies, but Facebook sends an update message and changes the cookie set by you before you can impersonate.
I think this fbc is the only utility to date which actually allowed me to use the stolen cookies without reverting back to old values (maybe because it has no pre-fed cookies).
It worked for me!
Comment by TotalTerminator — May 18, 2009 @ 9:27 pm
The reason Macs were safer was because they weren't nearly as prominent in people's households as PCs. Though with the sudden "Apple craze", Apple is being targeted harder, and more holes and issues are being found daily. In 2002, your argument may have made sense, though not anymore.
Comment by Herp — July 18, 2011 @ 4:55 pm