Showing posts with label hacking. Show all posts

Monday, July 3, 2017

Recovering a hijacked Facebook account

I can without a doubt confirm that the most hijacked and hacked accounts worldwide belong to Facebook. I myself have been asked to recover more than 15 accounts belonging to my friends or mutual friends. I don't succeed most of the time.

For example, my best friend's girlfriend had her account hijacked 1 month ago. The girl noticed the change one month later. I was asked to remedy the situation. I had trouble even locating her account, and when I did, nothing could recover it. The hijackers had set up trusted friends, a new email, a new phone, new photos and even a new name.

Recently, my friend's account was hijacked and I was asked to recover it. It was an immensely important account used to conduct business and had chats that were supposed to be confidential, so I wasn't taking it lightly.

The password had obviously been changed, the email address (Hotmail) hijacked, and two-step authentication set up (confirmed from Hotmail's account recovery process). So, recovering the account was pretty much a dead end, confirmed by Facebook's horrid message:

So, I was really stuck. At this point, there was no direct way to contact Facebook regarding hacked accounts. You can directly contact them for impersonation or copyright issues but not for hacked accounts.

After that, I asked the victim to find any web browser where he had logged in to Facebook in the past (with the old password). The screenshot he sent:

After he pressed "click here", he indicated that the Facebook account had been compromised. Next photo:

After the victim clicked on "Secure My Account", he was taken to this page. The victim's Hotmail account was compromised, so he clicked on "No longer have access to these?":

Surprisingly, he was taken to this annoying and useless page, where the victim clicked on "I cannot access my email account":

Then, Facebook asked for a new email address:

At this stage, an email address that I operate was provided, and the page below was shown; however, this page is not accessible to everyone. The URL for this page is the following, but apparently it will not be enabled for anyone unless they have gone through the recovery process (from a browser that they have logged in on in the past):

After the ID was provided, Facebook Support sent me an email directly, since the victim had set up an email of mine as the contact email for the resolution of the issue:

Since the victim had uploaded his ID, I briefly described the issue to Facebook:

One day later, the account was recoverable. Win:

But we were not done yet; I had to reverse the damage. First, I had to invalidate the old email and add another email for the victim. At this point, I set up an email for him on my domain name and added it to his Facebook. The email had two-step authentication configured on it as well as a complex password, and no matter what, I can recover it:

The email was confirmed:

Then, the account was logged out of all the devices: 
Added phone numbers, emails and apps were all removed:

Recent activity was checked as well for malicious posts added:

That's it: the account was recovered and two-step authentication was now activated, a step the victim didn't know existed in the first place.

Thursday, June 29, 2017

Can you really hack a Chromebook and get 100K from Google?

It has been almost a year since the search and artificial intelligence giant announced on its Blogger blog that it is willing to pay USD100,000 to whoever can hack its Chromebook. In a blog post called Get Rich or Hack Tryin', Google said:
Increasing our top reward from $50,000 to $100,000. Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven’t had a successful submission. That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.

In more technical words, USD100,000 is to be given to whoever can hack its operating system, Chromium OS, which is updated almost daily by the finest and most talented software engineers.

Sounds like a good deal, yeah? Actually, not. It is worth noting that Google set extremely hard rules and the chance of winning the amount is close to 0. Yes, it is possible to hack a Chromebook but your chances are close to 0. Here is more information about the reward:
We have a standing $100,000 reward for participants that can compromise a Chromebook or Chromebox with device persistence in guest mode (i.e. guest to guest persistence with interim reboot, delivered via a web page).

What does it mean?
  • You need to find a bug in Chromium OS's sandboxing security mechanism, which has been evolving for four years. Sandboxing ensures that each Chrome Extension (they call them apps) is run in a restricted environment and is sandboxed (quarantined, imprisoned). In other words, you need to create a Google Extension and, from that extension, you need to locate a bug in Chromium OS, if it does exist, I assume.
  • Once you find this invisible bug, you create an extension that would take advantage of the bug so that it would escalate access and escape the sandbox. All that, you need to do in Guest mode.
  • Once you escape the sandbox, you need to find a second bug that would allow you to tamper with the system and corrupt its files. That is, first, you need to find a third bug that would allow you to access the developer's mode from the guest mode.
  • Once you gain access to the developer's mode from the guest mode, you need a way to break the administrator account inside of the "Linux-based" operating system from a non-privileged account.
  • Hold on, we're not done yet. It needs to be persistent. That means, once you edit the operating system files, you need to tamper with the secure boot scripts as well, which double-check the operating system files on boot to see if they were tampered with.

The hack, if found, is probably worth more than USD10,000,000 on the black market. The odds of getting a Chromebook hacked from the "guest" mode are about the same as the odds of winning the lottery. If you're looking for some quick cash, you might as well go buy a lottery ticket rather than go get a Chromebook and attempt the hacking.

The USD100,000 is just a tiny amount from Google's pocket, but most importantly, it is a guarantee from Google that their Chromebook is safe. As long as no one wins the bounty, Google would smile and double the amount whenever they want.

Wednesday, June 28, 2017

A Hacker's Manifesto [Full Essay]

In a few months, A Hacker's Manifesto will turn 31 years old. In honor of this essay, I will repost it on my blog. The Hacker's Manifesto is also known as The Conscience of a Hacker. It was released on January 8, 1986, and the author is The Mentor.

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...

Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him? I am a hacker, enter my world...

Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...

Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."

Damn kid. Probably copied it. They're all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me...

Or feels threatened by me...

Or thinks I'm a smart ass...

Or doesn't like teaching and shouldn't be here...

Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found.

"This is it... this is where I belong..."

I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.