New FBController Application Hacks Facebook's Session Algorithm

As Facebook has grown, the need for greater session security has increased to avoid hackers and spammers looking to exploit users. That doesn’t mean their system can’t be broken. 26-year-old Azim Poonawala has successfully built a piece of software that currently cracks Facebook sessions with the assistance of a user’s cookie information. While acquiring an individual’s personal cookie information requires a little bit of extra effort, it’s most definitely a feasible task.

As Jeremiah Grossman, Chief Technology Officer of WhiteHat Security, told Elinor Mills of CNet, “The mere existence of such a tool leads me to believe that huge numbers of FB accounts are and continue to be compromised and the bad guys need to scale their access.” Honestly, it’s not surprising to see that someone has compromised Facebook’s session system, although it definitely required a substantial time investment.

Facebook doesn’t seem too worried about this security threat, though. Barry Schnitt told CNet News that, “We have systems to detect phished or fake accounts on many different points, including at point of compromise, point of creation, point of login, and point of a spam send, among others.” If the FBController tool were used to mass-control accounts, Facebook would know. As Barry Schnitt told CNet, “Multiple accounts taking the same action, at the same time, as this tool enables, can actually make this detection easier.”

While Facebook may seem confident in their ability to protect against security holes, this will most definitely force the company to modify their session management algorithm. While most web applications will never be perfectly secure, Facebook has invested heavily in making sure users on the site are protected.

Recently there has been an increased number of phishing attacks, and those attacks, among others, combined with this software can compromise a large number of accounts. It will be interesting to see what measures Facebook takes to increase its security now that this software is available.