Tag Archives: Social Media

Be careful with Facebook! A researcher has hacked it using a Word document

Who hasn’t checked their Facebook page from work? In addition to being a distraction, this practice has been shown to be a risk to the security of the company. A researcher has hacked the platform using a simple Microsoft Word text document.


Mohamed Ramadan is an Egyptian hacker who discovered a bug in Facebook last July that is very dangerous for user security but that had simply gone unnoticed; it could be hacked with a simple Word document.

It was not discovered by chance; for some time, Ramadan had been looking for possible vulnerabilities to demonstrate his potential as an ethical hacker and he had already done so by finding bugs in the Facebook apps for Android, iOS and Windows. The time had come to go one better and try with the company’s websites and servers.

He knew that this was a significant challenge; not only is it one of the technologies that have implemented the most security measures, but for years many security experts have been reporting and patching new holes. The company had even claimed that all of the holes in its servers had been patched. But it was wrong.

After thoroughly researching the topic, the hacker discovered the website Careers at Facebook, where anyone can look for work in the company and upload their CV. So, he decided to give it a go. To start checking (and find out if the platform was secure), he tried uploading a file where CVs are usually uploaded and he noticed that only .pdf or .docx files were admitted.


Docx files are compressed files and the data they contain can be modified if they are decompressed. So Ramadan took a .docx file and decompressed it (using the 7-zip program) in order to access its code and modify it. More specifically, he changed a line of code so that this Word document, wherever it was, would communicate with a twin file hosted on his computer.

Despite his good idea, Ramadan was aware that it could fail. It was probable that even if the modified document were sent to the server, the file would not be able to communicate with the twin file on his computer.

So before uploading the modified Word document to the Facebook server, he checked whether it was possible to get a result from uploading this document to any other server (more specifically, to one he programmed for the purpose). The result was as expected; a few minutes after performing the test, the external server that he had just created tried to communicate with his computer, so Facebook’s would too, and it did.

“I forced Facebook’s servers to connect to my computer using a simple Word document,” says Ramadan on his page.

With this trick Mohamed Ramadan was able to reach the data belonging to anyone who had uploaded their CV to the Facebook platform, and also their profiles on the social network and the computers that these people normally use.


Therefore, any company’s data could be compromised if its employees use Facebook at work from the company’s computers. In this case the page that had the problem was Careers at Facebook and fortunately, it was Ramadan who detected it. However, the vulnerability on this server could have affected many others, according to the expert.

Although the bug has been fixed – and Ramadan has collected a reward of $6300 – its existence shows that compromising Facebook accounts is easier than it seems.
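A server-side check for the tampered upload described above, as an added example that is not from the original post or from Facebook: it opens a .docx as the zip archive it is and rejects any XML part that carries a DTD or entity declaration. That the modified line was such a declaration is an assumption (the post does not say), and `inspect_docx`, `make_docx` and both sample documents are constructed for illustration.

```python
import io
import re
import zipfile

# ASSUMPTION: the "changed line" was a DTD/entity declaration; the post does not say.
# Such declarations are what let an XML part name an external resource.
DTD_MARKUP = re.compile(r"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)
MAX_PART_BYTES = 5 * 1024 * 1024  # assumed ceiling for one XML part

def decode_part(raw: bytes) -> str:
    # OOXML parts are UTF-8 or UTF-16; decode by BOM so UTF-16 cannot hide markup.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")

def inspect_docx(data: bytes) -> list:
    """Return reasons to reject an uploaded .docx; an empty list means accept."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip container"]
    findings = []
    with archive:
        if "[Content_Types].xml" not in archive.namelist():
            findings.append("missing [Content_Types].xml")
        for info in archive.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            if info.file_size > MAX_PART_BYTES:
                findings.append(f"{info.filename}: part too large")
            elif DTD_MARKUP.search(decode_part(archive.read(info))):
                findings.append(f"{info.filename}: DTD/entity declaration")
    return findings

def make_docx(document_xml: bytes) -> bytes:
    # Builds a minimal constructed container for the demonstration below.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()

# Constructed samples: a plain part and one carrying a DOCTYPE (placeholder host).
CLEAN = b'<?xml version="1.0"?><w:document xmlns:w="urn:x"/>'
TAMPERED = (b'<?xml version="1.0"?><!DOCTYPE d SYSTEM "http://example.invalid/x.dtd">'
            b'<w:document xmlns:w="urn:x"/>')

if __name__ == "__main__":
    print(inspect_docx(make_docx(CLEAN)), inspect_docx(make_docx(TAMPERED)))
```

A pre-parse check like this complements, and does not replace, configuring the XML parser that later reads the document so that it does not load DTDs or resolve external entities.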

The post Be careful with Facebook! A researcher has hacked it using a Word document appeared first on MediaCenter Panda Security.

Posting a privacy notice on Facebook is useless

An old hoax has been resurrected after Facebook made a recent announcement about its updated privacy policy. The copyright message claims to protect users’ pictures, information, and posts under UCC 1-308- 1 1 308-103 and the Rome Statute. It seems so official; it just must be true, right? Here is an example that I saw on my newsfeed this morning.

Other variations have come through in the past few days with legal-sounding statements, like this:

“In response to the new Facebook guidelines, I hereby declare that my copyright is attached to all of my personal details, illustrations, comics, paintings, professional photos and videos, etc. (as a result of the Berner Convention)….”

The good news is that Facebook users are becoming more aware of privacy issues, and they seek a way to control their own shared media. The bad news is that this notification has no legal standing at all, you are bound to the terms and conditions that you agreed to when you signed up with Facebook, and you are annoying your friends.

The truth is that YOU own all of the content and information you post on Facebook, and YOU can control how it is shared through your privacy and application settings. If you neglect to look at those settings, you grant Facebook a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any content that you post on or in connection with Facebook.

In tomorrow’s blog, we will share the top 3 areas in Facebook where you need to make sure the privacy is set to your liking.

We like the ‘Oversharing on social media’ message aired during Sugar Bowl

In last night’s broadcast of the Sugar Bowl, a showdown of two power-house college football teams in the USA, Allstate Insurance aired a series of brilliant commercials about the risk of over-sharing on social networks. The social media team at Avast has been preaching this message for a while now, so we were happy to see this clever series of advertisements.

The ads are about a couple who shared on social networks that they were away from their house, actually attending the game. Allstate’s “Mayhem” character took advantage of this knowledge and broke into their unoccupied house, and proceeded to have a “MayhemSale” of all their possessions. “Buy Matt & Shannon’s stuff now at MayhemSale.com,” he announced, then soon after took to Twitter to sell off items one-by-one. I immediately visited the website, but apparently there were so many other interested people that it kept crashing.

Burglars can easily search Facebook or Twitter for targeted keywords or see who has checked into airport lounges on Foursquare. According to FBI statistics, summertime is the most active for burglaries and oversharing can tip off thieves to your absence. Homeowners should be extra vigilant about protecting their goods.

Our advice – be extremely cautious about what you share on social media, and wait until after you are back to share your vacation pictures.

Why has Twitter logged me out?

You may have woken up this morning to find a Twitter notice asking you to re-enter your Twitter account details. Has your password been stolen? Was this a case of identity theft?

Relax! Just follow a few simple steps and your Twitter account will remain perfectly safe.

The popular micro-blogging network suffered a worldwide outage last night that prevented many users from accessing the service normally for a few hours.

According to Twitter’s information service, Twitter Status, the problem started in the early morning (CET) and although it is now resolved, some users may still have problems accessing their accounts.

Accounts that appear to have been closed, old messages appearing as recent on timelines… these are some of the effects of the bug that hit the social network.

Have you been affected by this incident?

The post Why has Twitter logged me out? appeared first on MediaCenter Panda Security.

Christmas contest! – Help us to get a safe Christmas!


As you have no doubt seen, these days we have been posting a series of articles to help ensure everyone enjoys a safe and happy Christmas! We want to help you to be able to shop online without any unpleasant surprises, and avoid falling for any of the typical Christmas scams that are doing the rounds at this time of year.

That’s why we have organized this competition, in order to reward you for helping our content to reach across the globe.

What can you win? Well, we’ve spoken to Santa and he’s going to leave various presents under the Panda Christmas tree. On December 23 and 29 and on January 2, we will reveal the prizes on offer each week to those who share our content.

How can you take part? It’s easy! Share on Facebook or RT on Twitter all the content we post with hashtag #xmaspanda. Prizes will be drawn among those who do this on the days included in the competition.

We will announce the winners on January 12 in this blog. So keep your eyes open!

Remember, Share or RT the posts with #xmaspanda and you could win great prizes.

The post Christmas contest! – Help us to get a safe Christmas! appeared first on MediaCenter Panda Security.