Simple Hack Lets Hackers Listen to Your Facebook Voice Messages Sent Over Chat Monday, January 16, 2017 Swati Khandelwal


Most people hate typing long messages in chat apps, and the voice recording feature in WhatsApp and Facebook Messenger makes it much easier to send a long message that would otherwise take a lot of typing.

If you are in the habit of sending audio clips to your friends over Facebook Messenger instead of typing, you are exposed to a simple man-in-the-middle (MITM) attack that can leak your private audio clips to an attacker.

What’s more worrisome is that the issue is still not patched by the social media giant.

Egyptian security researcher Mohamed A. Baset told The Hacker News about a flaw in Facebook Messenger’s audio clip feature that allegedly lets any man-in-the-middle attacker grab your audio clip files from Facebook’s server and listen to your personal voice messages.

Let’s understand how this new attack works.

Here’s How Attackers can Listen to your Personal Audio Clips:

Whenever you record an audio clip (a voice message) to send to a friend, the clip is uploaded to Facebook’s CDN server (i.e., https://z-1-cdn.fbsbx.com/…), which then serves the same audio file, over HTTPS, to both the sender and the receiver.

Any attacker on the same network who runs a MITM attack with sslstrip can then extract the absolute links to every audio file exchanged between sender and receiver during the session, including the secret access token embedded in each URL.

The attacker rewrites those absolute links from HTTPS to HTTP. Because the CDN also answers over plain HTTP and the token in the URL is the only credential it checks, the attacker can download the audio files directly without ever authenticating to Facebook.

That’s it.

You might be wondering how an attacker is able to download your audio files so easily.

What went Wrong?

First, Facebook’s CDN server does not send an HTTP Strict Transport Security (HSTS) header. HSTS tells browsers and other user agents to reach that host only over HTTPS, so a compliant client would never make the plaintext request that a downgrade tool such as sslstrip depends on. Note that HSTS only helps once the client has seen the header over a valid HTTPS connection (or has the host on its preload list); a host that never sends it leaves every connection open to stripping.

Secondly, there is no real authentication on the file itself. If a file has been shared between two Facebook users, it should not be accessible to anyone except them, yet here the only check is the secret token embedded in the absolute URL, so anyone who obtains that URL can fetch the file.
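The two gaps above (no HSTS header, and a bearer token carried in the URL) interact, and the following Python is an added illustration of that interaction; it is not code from the article or from Facebook. It models the known-HSTS-host store a browser keeps (RFC 6797) and what an sslstrip-style proxy does to the absolute links in a page it relays, then shows which rewritten links a compliant user agent would still request in plaintext. The hostnames, the HSTS header values, the captured message body and the token in the CDN URL are all constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is missing or lacks a valid max-age (a required directive).
    """
    if header is None:
        return None
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}


class HstsCache:
    """The per-host 'known HSTS host' store a browser keeps."""

    def __init__(self):
        self.hosts = {}  # host -> includeSubDomains flag

    def observe(self, host, headers, over_tls):
        """Record the policy carried by one response.

        RFC 6797 requires the user agent to ignore the header unless it
        arrived over a secure transport; otherwise a MITM could plant or
        clear policies at will.
        """
        if not over_tls:
            return
        policy = parse_hsts(headers.get("Strict-Transport-Security"))
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.hosts.pop(host, None)  # max-age=0 revokes the entry
        else:
            self.hosts[host] = policy["include_subdomains"]

    def is_known(self, host):
        if host in self.hosts:
            return True
        labels = host.split(".")
        # a parent domain's policy covers this host only with includeSubDomains
        return any(self.hosts.get(".".join(labels[i:]), False)
                   for i in range(1, len(labels)))


def sslstrip_rewrite(body):
    """What a stripping proxy does to a page it relays in the clear."""
    return body.replace("https://", "http://")


def effective_url(cache, url):
    """URL the user agent actually requests.

    Known HSTS hosts are upgraded before any packet leaves the machine, so
    the attacker never sees a plaintext request for them.
    """
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname and cache.is_known(parts.hostname):
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def run_scenario():
    """Constructed traffic (hostnames, headers and token are not real)."""
    cache = HstsCache()
    # 1. earlier, the victim loaded the chat app over TLS; that response
    #    carried an HSTS header, so the host is now pinned to HTTPS
    cache.observe("chat.example.com",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                  over_tls=True)
    # 2. the media CDN never sends the header (the gap the article describes)
    cache.observe("z-1-cdn.media.example.net",
                  {"Content-Type": "audio/mp4"}, over_tls=True)
    # 3. a captured message body with tokenized absolute links (constructed)
    page = ("https://chat.example.com/messages/thread/42 "
            "https://z-1-cdn.media.example.net/v/audioclip-1.mp4?oh=TOKEN123&oe=58ABCDEF")
    stripped = sslstrip_rewrite(page)
    # which rewritten links does the browser really fetch over http://?
    return {link: effective_url(cache, link) for link in stripped.split()}


if __name__ == "__main__":
    for rewritten, requested in run_scenario().items():
        print(f"{rewritten}\n  -> {requested}")
```

In the scenario the chat host is silently upgraded back to HTTPS, so sslstrip never sees its traffic, while the CDN link is requested exactly as the proxy rewrote it, token and all. The `over_tls` check in `observe` is the caveat that matters in practice: an HSTS header seen only over a stripped connection is ignored, so the protection only takes hold after one clean HTTPS visit (or via the preload list).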

As an example, Mohamed sent an audio clip to one of his friends over Facebook Messenger and extracted the absolute link to the audio file with the MITM attack. Anyone holding that link, you included, could download the file from Facebook’s server without any authentication.

“GET requests are something that browsers can remember in their cache and also in their history. Better to have these files played via POST requests with an anti-CSRF token implemented,” Mohamed told The Hacker News.

Still Unpatched; No Bug Bounty!

Mohamed reported the issue to Facebook, and the company acknowledged it but has not patched it yet. Facebook did not offer the researcher a bug bounty, because downgrade attacks do not fall under its bug bounty program.

Here’s what the Facebook security team told Mohamed:

“We are in the process of rolling out HSTS across various facebook.com subdomains. The fact that we have not rolled it out on particular subdomains does not constitute a valid report under our program.”

“In general, sending in reports that claim we should be using defense-in-depth mechanisms like HSTS will not qualify under our program. We make very deliberate decisions about when we roll out (or not) particular protections and so reports suggesting that we make changes there generally do not qualify.”

A proof-of-concept video demonstration accompanying the original report shows this attack in action.

We have contacted Facebook security team for the comment and will update the story as soon as we hear from the company.

Swati - Hacking News
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

Hacker News: Don’t Fall For This Dangerously Convincing Ongoing Phishing Attack


Security researchers have discovered a new phishing campaign targeting Gmail users, which is so convincing and highly effective that even tech-savvy people can be tricked into giving away their Google credentials to hackers.

The attackers first compromise a victim’s Gmail account. Once in, they rifle through the inbox to stage secondary attacks against the victim’s contacts.

They look for an attachment the victim has previously sent, together with the subject line of the real email that carried it, and harvest the addresses it went to; those contacts become the next targets.

The attackers then take a screenshot of that attachment and send it as a reply in that thread, with the same or a similar subject, so the message triggers recognition and automatic trust.

What makes this attack so effective is that the phishing emails come from someone the victim knows.

The phishing email carries an image that masquerades as a PDF attachment, complete with a thumbnail of the real document. Clicking it takes the victim to a phishing page dressed up as the Google sign-in page. But it’s a TRAP!

The address shown for the fake login page contains the text accounts.google.com, which is enough to convince most people that they are on a legitimate Google page. In fact the address is a data: URI, so no Google host is involved at all; the hostname is just part of the text the attacker chose.


Also, because a data: URI is not an insecure HTTP page, the browser does not show the red warning indicator it normally displays for insecure pages, so nothing in the address bar flags the Gmail hacking scheme.

Here’s what WordFence CEO Mark Maunder who reported the attacks writes in a blog post:

“This phishing technique uses something called a ‘data URI’ to include a complete file in the browser location bar. When you glance up at the browser location bar and see ‘data:text/html…..’ that is actually a very long string of text.”

“In this [attack] the ‘data:text/html’ and the trusted hostname are the same color. That suggests to our perception that they’re related and the ‘data:text/html’ part either doesn’t matter or can be trusted.”

Victims fall for the scam because of this trick and submit their credentials, which are delivered directly to the attackers. As soon as the attackers have the credentials, they log into the victim’s Gmail account and the cycle starts again with the victim’s own contacts.
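As an added example, not from the Wordfence post or from Google, the Python below classifies a location-bar string by what it actually points at, which is the check a URL filter or mail gateway could apply to the addresses this campaign produces: a data: URI has no origin, so a trusted hostname inside it is only text. The TRUSTED_HOSTS allowlist and every sample address are assumptions made up for the example.

```python
import base64
from urllib.parse import urlsplit, unquote

# Assumed allowlist for the example; a real deployment would load it from config.
TRUSTED_HOSTS = ("accounts.google.com", "mail.google.com")


def _decode_data_payload(media, payload):
    """Return the text of a data: URI payload (RFC 2397), base64 or percent-encoded."""
    if ";base64" in media.lower():
        padded = payload + "=" * (-len(payload) % 4)
        try:
            return base64.b64decode(padded).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError
            return payload
    return unquote(payload)


def describe_address(address):
    """Classify a location-bar string by the origin it really has.

    A data: URI has no origin at all; a trusted hostname that appears inside
    it is just text, which is the trick the Gmail campaign relied on.
    """
    address = address.strip()
    scheme, _, rest = address.partition(":")
    scheme = scheme.lower()

    if scheme == "data":
        media, _, payload = rest.partition(",")
        text = _decode_data_payload(media, payload)
        mentioned = [h for h in TRUSTED_HOSTS if h in text]
        return {
            "kind": "data-uri",
            "origin": None,
            "media_type": media.split(";")[0] or "text/plain",
            "mentions_trusted_host": mentioned,
            "has_script": "<script" in text.lower(),
            "verdict": "phishing-suspect" if mentioned else "untrusted",
        }

    if scheme in ("http", "https"):
        host = (urlsplit(address).hostname or "").rstrip(".")
        if host in TRUSTED_HOSTS:
            verdict = "trusted" if scheme == "https" else "downgraded"
        elif any(t in host for t in TRUSTED_HOSTS):
            verdict = "lookalike"  # e.g. accounts.google.com.login-check.example
        else:
            verdict = "untrusted"
        return {"kind": scheme, "origin": f"{scheme}://{host}", "verdict": verdict}

    return {"kind": scheme or "relative", "origin": None, "verdict": "untrusted"}


if __name__ == "__main__":
    # constructed samples, including the shape of address the campaign shows
    samples = [
        "https://accounts.google.com/ServiceLogin?service=mail",
        'data:text/html,https://accounts.google.com/ServiceLogin?service=mail'
        '<script src="https://collector.example/p.js"></script>',
        "https://accounts.google.com.login-check.example/",
    ]
    for s in samples:
        print(s[:60], "->", describe_address(s)["verdict"])
```

The point of `describe_address` is that it reads the scheme before anything else: only http and https addresses have a host worth comparing against an allowlist, and a hostname substring inside a data: payload never counts. The `lookalike` branch catches the older trick of putting the trusted name in a subdomain of an attacker-controlled domain.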

Protecting against this attack is simple. Gmail users should enable two-step verification and, of course, stay careful when opening any attachment in email.

Even if the attackers obtain your credentials, they cannot proceed further without your phone or a USB security key. One caveat: a code sent to your phone can still be relayed by a phishing page that proxies the login in real time, whereas a U2F security key binds its response to the genuine origin and cannot be replayed from the attacker’s page.

Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.

VLADIMIR PUTIN WE HAVE THE WORLD’S BEST WHORES

GUNNY G ~ BLOGGIN' BAD! ~ TRUMP: "NO PC" WE NEED PRESIDENT TRUMP ON OUR WALL! * WE NEED MORE AMERICA FIRST * WE NEED MORE "DEPLORABLES" i.e. REAL AMERICANS! * AND WE WILL TAKE BACK OUR USA AGAIN...--GET OUTTA THE WAY AINOs!

tmz ^| 1/17 | tmz

Posted on 1/17/2017, 11:21:05 AM by RummyChick

Vladimir Putin scoffed at the now discredited dossier suggesting Donald Trump engaged in funny business in Russia … but it didn’t stop him from bragging about his country’s prostitutes. Putin held a news conference in the Kremlin, throwing shade at the ex-British intelligence officer’s so-called report. Putin said Trump’s been surrounded by beauty pageant contestants for years, and … “I find it hard to believe that he rushed to some hotel to meet girls of loose morals, although ours are undoubtedly the best in the world.” Bottom line? If you’re into that sorta thing … come to Russia!


ADS OFFER BIG MONEY FOR PAID PROVOCATEURS TO PROTEST TRUMP’S INAUGURATION IN AT LEAST 20 MAJOR US CITIES


All the red flags coming out on a daily basis now suggest that something is going down on Trump’s inauguration.

At the very least, the lead up to it has been unlike any transition of presidential power America has seen in the past.

Case in point? A San Francisco-based company is running ads in two dozen major cities offering $2,500 a month for agitators to “Get paid fighting against Trump!” at this week’s inauguration events.

The Washington Times reports:

Demand Protest, a San Francisco company that bills itself as the “largest private grassroots support organization in the United States,” posted identical ads Jan. 12 in multiple cities on Backpage.com seeking “operatives.”

“We pay people already politically motivated to fight for the things they believe. You were going to take action anyways, why not do so with us!” the ad continues. “We are currently seeking operatives to help send a strong message at upcoming inauguration protests.”

The job offers a monthly retainer of $2,500 plus “our standard per-event pay of $50/hr, as long as you participate in at least 6 events a year,” as well as health, vision and dental insurance for full-time operatives.

If these are real ads, that’s really good money, especially for the growing number of out-of-work millennials still living at home with their parents these days.

But it also shows that this is a highly organized, highly funded operation. According to WT, the ads ran in at least two dozen cities, including Los Angeles, New York, Chicago, Dallas, Houston, Austin, Charlotte, Colorado Springs, Columbus, Denver, Detroit, El Paso, Fort Worth, Jacksonville, Oakland, Oklahoma City, Omaha, Philadelphia, Phoenix, San Diego, San Francisco, Seattle, Tulsa, and of course, Washington, D.C.

To top it all off, the company promises its clients who hire paid protesters that, “all actions will appear genuine to media and public observers.”

How do you like that?

It’s no secret that color revolution masters like George Soros are funding social justice movements like Black Lives Matter, the Ferguson protests (which turned into riots) and some of the anti-Trump protests (which also turned into riots) during the election.

But now, not only are we already seeing signs of the same highly organized protests being set up for Friday, with people threatening to turn the inauguration into a riot and saying they do not support a peaceful transition to power, but we have to wonder how many of those people are getting paychecks to do so and how far they’ve been told to take it…

This is on top of authorities finding weapons caches stashed in DC this week.

Ultimately, though, we live in a world of fake news, of paid live TV audiences, and paid protests for our reality TV star president.

The question is, are we getting to a point where everything is fabricated?

Delivered by The Daily Sheeple

Trump Slams NATO And EU, Threatens BMW With Tax; Prepared To “Cut Ties” With Merkel

Counter Information

In Stunning Pair Of Interviews

Global Research, January 16, 2017
Zero Hedge 15 January 2017

In two separate, and quite striking, interviews with Germany’s Bild (paywall) and London’s Sunday Times (paywall), Donald Trump did what he failed to do in his first US press conference, and covered an extensive amount of policy and strategy, much of which however will likely please neither the pundits, nor the markets.

Among the numerous topics covered in the Bild interview, he called NATO obsolete, predicted that other European Union members would join the U.K. in leaving the bloc and threatened BMW with import duties over a planned plant in Mexico, according to a Sunday interview granted to Germany’s Bild newspaper that will raise concerns in Berlin over trans-Atlantic relations.

Furthermore, in his first “exclusive” interview in the UK granted to the Sunday Times, Trump said…


Heads Are Finally Beginning To Roll At The Clinton Foundation

Mountain Republic

The Clinton Foundation announced it’s laying off 22 staffers on the Clinton Global Initiative, keeping with a plan to deal with the negative spotlight put on the organization during former Secretary of State Hillary Clinton’s presidential campaign.

The layoffs will take effect April 15, the Clinton Foundation said in a filing with the New York Department of Labor Thursday, citing the discontinuation of the Clinton Global Initiative. The move is part of a plan put in motion ahead of the presidential election in order to offset a storm of criticism regarding pay-to-play allegations during Clinton’s tenure as secretary of state.

The layoffs were reportedly announced internally in September, ahead of Clinton’s stunning loss to President-elect Donald Trump. Many other employees had already begun looking for or accepting other jobs at that time, as it had become clear the future of the initiative was in doubt. It’s unclear how many of…


Paul Craig Roberts: Rogue Elements of the CIA Are Operating Against President-elect Trump

Tales from the Conspiratum


What is striking about this controversy is that it is the CIA, not Russia, that is interfering in American elections. The CIA is supposed to be concerned with foreign intelligence. It is not supposed to interfere in US affairs. Yet it is the CIA that is using fake news to delegitimize a president-elect.

Source: Rogue Elements of the CIA Are Operating Against President-elect Trump — Paul Craig Roberts – PaulCraigRoberts.org

With permission from

http://www.paulcraigroberts.org

Paul Craig Roberts

Dec 12, 2016

Alex Jones catches a lot of grief. Some of it he brings on himself by being over the top, but most of the criticism he receives comes from his practice of dragging into the news issues that would otherwise remain cloaked in silence.

Alex is certainly correct to stress that elements in the CIA, or someone claiming to be CIA, are planting stories in the media…
