Let me be clear from the beginning: the purpose of this article, as well as the tool that I’ll be mentioning in this article, is to setup a Proof of Concept – it is not intended to make you a hacker. Learn about FBpwn tool.
The goal here is simple: do an awareness campaign for How-to-hide-ip readers when it comes to their privacy on the $10 billion social network called Facebook.
The tool we’re going to cover here is FBpwn. If you want to know more about the tool, its development as well as ways to contact the developers, then you’re free to check their website.
So what is Facebook Profile?
In fact, it’s a Java-based program that claims itself as a social engineering platform. It can be used on different platforms, and is released under GPL v3 license. Simply said, everyone can copy, modify and distribute it: so expect a lot of your friends using this application so as to make some jokes, or so as to pick some of your photos.
How does it work?
Once installed on the “hacker’s” computer, FBpwn would send some friend request to a list of FB friends. The same program then checks for those who have accepted the friend requests. Once someone accept the friend request, then FBpwn pumps all the data it can from each of those friend’s profile: all their information,photos and friend list to a local folder
Quoting the official page of FBpwn, this is how the system works:
Typically, first you create a new blank account for the purpose of the test. Then, the friend-ing plugin works first, by adding all the friends of the victim (to have some common friends). Then the cloning plugin asks you to choose one of the victims friends. The cloning plugin clones only the display picture and the display name of the chosen friend of victim and set it to the authenticated account. Afterwards, a friend request is sent to the victim’s account. The dumper polls waiting for the friend to accept. As soon as the victim accepts the friend request, the dumper starts to save all accessible HTML pages (info, images, tags, …etc) for offline examining.
After a a few minutes, probably the victim will unfriend the fake account after he/she figures out it’s a fake, but probably it’s too late!
As a Facebook user, you may wonder how you can be protected from such private data pumping? In fact, most Facebook users have adopted an approach where they don’t accept friend requests from people they don’t know. Well, it may help on some situations, but if one of those accounts is using FBPwn, then that precaution doesn’t help.
And as you would have noticed, FBpwn even goes further by friend-ing some of your friends so that when you receive a friend request, Facebook would show you the common friends you have – this gives you some ” confidence” that this may be a ” good” connection: which is totally a scam, but you’ll only discover it later on – if you’ll ever discover it.
Keep in mind: the purpose of this program is to do a proof of concept. How would you fight against it? That’s another story that probably need some help from Facebook. Anyway, as I always said: never trust that things you post/share on Facebook are private.