Facebook Hacked: How Sidejacking was Used to Circumvent Two Factor Authentication

It was a normal day arriving home.

It had become increasingly common for me to receive friend requests on Facebook from people I have never seen or heard from before, but today was different. I received a notification on my cell phone for a friend request by a man named John Teller. Being otherwise occupied, I swiped to the right, dismissing the notification.

A few moments later, I received another notification about the same Facebook user, John Teller… only this time it was from Messenger. Assuming it was a member of one of my Facebook Groups who wanted to ask me something, I opened it, only to find the following message:

As you can see, I added myself as a friend from your account (check it out, because you didn’t do it). Unfortunately your data is on sale now on the Darknet and I bought it. 

The kit includes: 
– All passwords from all sites 
– Banks 
– Cookies
– Credit cards
– SSN 
– ID Card

Luckily for you, I am a good person and I want to help you. I am ready to delete your data and not transfer it to anyone if you pay me $ 50 in bitcoin. Otherwise, I’ll put your data up for sale again. Please think well, because even if you change the password everywhere, it will not help you, since we keep the cookies from your computer. You will also need to reissue SSN and ID Card. Police will not help you either, we use remote computers with SSH exception. We connect to the Internet via a fake IP. After 2 hours, all IPs will change and there will be no traces. For example, one of your password: [removed]. I am will be wait 1 hour after your read this message. If you block me or do not answer me, it will also lead to a sale.

Before continuing on to read his entire message, I immediately went over to my profile to check out my friends, and sure enough! He was there. Not only did he accept his own friend request from my account, but he sent himself messages back through Messenger… as me.

At that point, I put my phone down, walked into my room, and took out my laptop. I wasn’t sure exactly what was happening, but I knew it wasn’t going to be solved in five minutes from my phone.

I obviously knew from the start that whoever this was, they were not trying to help me as they claimed, or else they would not be demanding money or using statements like “if you change the password everywhere, it will not help you” and “Police will not help you either, we use remote computers…”

I also knew that while this looked like a scam, they not only knew one of my passwords from Pixlr (since removed from the message) but they were able to log into my Facebook account, presumably meaning they had my Facebook password and access to one of the confirmation methods I use for two-factor authentication.

I carefully read his message and thought about how to respond. While I had no plans to pay him $50.00 blindly, I also needed to be careful in how I reacted, since a response he didn’t like could lead to him doing any number of things to my Facebook account, or to whatever other accounts he claimed to have access to.

Planning a Response

It was a whole 23 minutes before I responded to his message. During those 23 minutes of my undivided attention, I was seemingly able to dislodge this person from my account by signing out all other web sessions and resetting my password. I also took the time to transfer ownership of my more popular groups to another one of my accounts, so as to not risk losing them.

After doing everything I knew of to sever his access to my Facebook account, I finally returned a response, part of which included:

Depending on my own conclusion, I may or may not consider it worth $50 to pay you. I want to see all information you have on me that you stated, including passwords, SS number, etc. If you have them you will have no problem showing them. If you do not show them, you are not receiving a dime, and I’ll accept the risk that comes with it.

My goal was to give him the chance to prove he was worth my attention, while also making it clear that I was not frightened simply by his message and actions thus far. Being fairly confident that he was no longer in my account, and also knowing that I left room for negotiation in case he actually did have leverage in other areas, this seemed like the best option.

Within two minutes, he responded:

I am not negotiating. If you want to take risks, good.

Upon reading that, it seemed obvious that he did not have anything of further value; if he did, why would he not present it? In a case like this it helps to work out what the perpetrator’s goal is, and his goal was seemingly to make money. Since presenting more passwords or sensitive information would increase the chances (although still very low) of him receiving that money in exchange for not reselling the data, withholding that information would be nonsensical if he really possessed the amount of data he claimed to.

By this time, I had discovered through quick, scattered Google searches that there was a Pixlr data breach just months before this happened, which contained almost 2 million usernames and passwords. On closer inspection, my information was among the breached data. While this gave me a lot more clarity as to where the Pixlr password he threw at me came from, I was still extremely unnerved by the fact that he was able to seamlessly log into my account without any regard to the unique (and extremely long) password to my account, or to the two-factor authentication I had in place. To my understanding, unauthorized access to any of my high-level accounts such as Facebook could not be achieved remotely, even if I became subject to a phishing attempt, but here I was dealing with exactly that, and I needed to figure out how it happened – immediately – and how to make sure it never happened again.

In the days following, after resetting passwords to other important accounts, clearing my browsing cookies, and deleting saved passwords from my browser, I began researching how on earth someone could log straight into my Facebook account knowing only my email address and an expired Pixlr password. I scrolled through articles on the weaknesses of two-factor authentication, which types are more secure, and how their insecurities could be exploited. I also examined the details of an extremely recent data breach involving Facebook – so recent that it was considered breaking news; however, that Facebook breach did not contain passwords, just phone numbers, email addresses, and other similar information, all of which could be acquired in my case by simply visiting my own personal website.

Sidejacking: The Culprit

Eventually, I came across something known as sidejacking, in which someone copies your session cookies and presents them to a website you’re currently logged into, so the site treats their browser as if it were yours. While according to most sources this method of unauthorized account access is most easily applied to sites that send cookies over unencrypted HTTP, it has been successfully utilized by many as a method of gaining unauthorized access to premium streaming services like Netflix, Disney+, or Spotify; and according to PSafe, it is one of the four most popular ways to end up getting hacked on Facebook.

Thankfully for the victim, hackers who use this method are very limited in their capability. According to Computer Hope, while they may be able to slide straight into an account without any regard to credentials or two-factor authentication, their access lasts only as long as the session the stolen cookie belongs to remains open, which means signing out and signing back in, even without changing your password, will sever their access and prevent them from re-entering. According to Techopedia, targets of sidejacking are generally random by nature, and unless the perpetrator is on the same Wi-Fi network, it’s unlikely for a specific target to fall victim to a sidejacking attack.

In the rare case that you or someone you know ends up in the position I was in, the first thing to do is log out all sessions of your account, log back in, reset your password, and go through Facebook’s built-in process for securing your account, in that order.
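The session-cookie mechanics described above, and the log-out-of-all-sessions remedy, as an added example (hypothetical Python, not Facebook’s code): a toy server-side session store in which the password and second factor are checked only at login, so a copied cookie keeps working, even across a password change, until every session is revoked. `SessionStore`, `logout_all`, the sample user and the passwords are all constructed for this example.

```python
import secrets

class SessionStore:
    """Server-side session table (hypothetical; not Facebook's implementation)."""
    def __init__(self):
        self._sessions = {}    # token -> (user, generation at issue time)
        self._generation = {}  # user -> int, bumped by logout_all()
        self.passwords = {}    # user -> password (plaintext only for this demo)

    def login(self, user, password, second_factor_ok):
        # Password and 2FA are checked only here, at login time.
        if self.passwords.get(user) != password or not second_factor_ok:
            raise PermissionError("login rejected")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._generation.get(user, 0))
        return token

    def resolve(self, token):
        # Later requests are authorised by the cookie alone: a copied cookie acts as the user.
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, gen = entry
        if gen != self._generation.get(user, 0):
            del self._sessions[token]  # issued before the last logout_all()
            return None
        return user

    def logout_all(self, user):
        # "Log out of all sessions": every outstanding token, a sidejacked copy included, dies.
        self._generation[user] = self._generation.get(user, 0) + 1

def set_cookie_header(token):
    # Secure keeps the cookie off plaintext HTTP, where sidejacking is easiest;
    # HttpOnly keeps page scripts from reading it.
    return f"session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"

def walkthrough():
    """Replays the post's sequence; returns whom each request resolves to."""
    store = SessionStore()
    store.passwords["victim"] = "long-unique-password"  # constructed sample
    stolen_cookie = store.login("victim", "long-unique-password", True)
    out = {"replay": store.resolve(stolen_cookie)}
    store.passwords["victim"] = "new-password"  # password change alone: no effect
    out["after_password_change"] = store.resolve(stolen_cookie)
    store.logout_all("victim")
    out["after_logout_all"] = store.resolve(stolen_cookie)
    out["fresh_login"] = store.resolve(store.login("victim", "new-password", True))
    return out
```

`walkthrough()` returns `{"replay": "victim", "after_password_change": "victim", "after_logout_all": None, "fresh_login": "victim"}`, which is exactly the scammer’s boast and the post’s remedy in miniature.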

The Best Cure is Prevention

While someone may be able to do considerable damage inside your account before you are able to remove them, you should make sure that no one can ever take over your account completely, by enabling two-factor authentication with your phone number or an authenticator app, choosing a secure email account to use as a recovery address, and creating backup codes for your account in case you ever get locked out. You should also have a complex and unique password to prevent others from accessing your account through means other than the one described above.
