Hacker News article

Hackernews is reporting that it has learned from the experiences of many others that Facebook login has the potential to be a very dangerous practice.
A blog post by HackerNews senior writer Chris Brown states: “A recent Facebook bug report identified a new login method that would allow an attacker to login using a password of their choice.”
The exploit is being called a “wanna be a cyborg” and has been dubbed “wizard”.
Brown goes on to explain the details of the attack: It requires an attacker’s real name and password to be entered in a Facebook login page, with the username “wanderer” and the password “password” being the password for the user.
The user’s profile name and last name will be entered into the “wanderr” password field.
The login will then prompt the user to select the desired password, and the user will be directed to a Facebook page where they can login with their new username.
If the user has previously used a Facebook account, then they can choose to “join” the “Wanderr Club” which will give the attacker access to their existing Facebook account and log in to the page.
“The Wanderr membership is intended to be limited to users with at least one Facebook account,” the blog post reads.
“This may result in an attacker gaining access to a larger number of Facebook accounts, and potentially gain additional access to the Facebook network.”
This attack is being referred to as “wonderful”.
The author writes: “While we haven’t seen a whole lot of actual examples of this in the wild, we’ve seen cases where someone has made multiple attacks on Facebook accounts without using the password, so it’s probably safe to assume it’s possible.”
“It’s easy to find people who use Facebook accounts in this way.
The problem is that the attackers have no idea that they’re doing this.
The password isn’t even on the login page.”
The hacker says he was able to bypass this authentication by using his own account credentials to login: “After creating an account, I added my real name, password, birthday, and address.
Then I typed my password into the password field, and entered my username.
After clicking ‘sign in’, the password and the username appeared in a drop-down menu.
This allowed me to select a password that I’d created on my own account.
This was pretty simple; it took me about 10 seconds to enter the password.
It’s easy for someone to do, so I didn’t bother with any more work on my end, so that’s the only explanation I can think of for the password.”
As of the time of writing, Facebook is unable to confirm if this attack has been spotted, but the blog has confirmed that it is being used and that they are looking into it.
This is not the first time that hackers have exploited Facebook login.
In July 2017, a hacker who goes by the name of “Jekyll” used the same login to access the Facebook accounts of two high-profile users of the social network.
Jekyll then used a password trick to gain access to both of these accounts, which was later revealed to be fake.