New Settings Let Hackers Easily Pentest Facebook, Instagram Mobile Apps

Haythem Elmir

Facebook has introduced a new feature in its platform that has been designed to make it easier for bug bounty hunters to find security flaws in Facebook, Messenger, and Instagram Android applications.

Almost all Facebook-owned apps use certificate pinning by default to protect the integrity and confidentiality of their traffic. The same mechanism stops white-hat hackers and security researchers from routing an app's traffic through an intercepting proxy such as Burp Suite or Charles, which makes it harder to analyze requests and find server-side security vulnerabilities.

For those unaware, certificate pinning is a security mechanism that protects an app's users from network-based attacks: instead of accepting any certificate that chains to a CA in the device's trust store, the app accepts only the specific certificate or public key it was built to expect, and drops the whole connection when a server presents anything else, including a certificate issued by a proxy's user-installed CA.

Dubbed « Whitehat Settings, » the new option lets researchers bypass certificate pinning on the Facebook-owned Android apps by:

  • Disabling Facebook’s TLS 1.3 support
  • Enabling a proxy for Platform API requests
  • Trusting user-installed certificates

« Choose not to use TLS 1.3 to allow you to work with proxies such as Burp or Charles which currently only support up to TLS 1.2, » Facebook says.
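To make concrete why a proxy's certificate is rejected by a pinned app even when the proxy's CA is installed on the device, and why the Whitehat Settings have to both trust user-installed certificates and stop enforcing pins, here is a small model of the two checks. It is an added example, not Facebook's code: certificates are plain records, the SPKI bytes and CA names are constructed placeholders, and the issuer lookup stands in for real signature verification. The pin format (`sha256/` followed by the base64 SHA-256 of the SubjectPublicKeyInfo) is the one used by Android's network security config and OkHttp's CertificatePinner.

```python
"""Model of certificate pinning versus plain trust-store validation.

Added example, not Facebook's code. A Cert carries its subject, issuer
and DER SubjectPublicKeyInfo (SPKI); the SPKI bytes below are constructed
placeholders, not real keys, and "issuer in anchors" stands in for real
chain/signature verification.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # DER-encoded SubjectPublicKeyInfo (constructed here)


def spki_pin(cert: Cert) -> str:
    """Pin for a certificate: sha256/<base64(SHA-256(SPKI))>."""
    digest = hashlib.sha256(cert.spki).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


# Hypothetical trust anchors: one shipped with the OS, one the researcher
# installed so that Burp's generated certificates validate.
SYSTEM_CAS = {"CN=Example Public Root CA"}
USER_CAS = {"CN=PortSwigger CA"}

# Constructed leaf certificates for the same hostname.
REAL_LEAF = Cert("CN=*.facebook.com", "CN=Example Public Root CA",
                 b"spki-of-real-server-key")
PROXY_LEAF = Cert("CN=*.facebook.com", "CN=PortSwigger CA",
                  b"spki-of-burp-generated-key")

# Pin set baked into the app build: only the real server key is accepted.
PINS = {spki_pin(REAL_LEAF)}


def chain_trusted(cert: Cert, trust_user_cas: bool) -> bool:
    """Ordinary trust-store check.

    Android 7+ ignores user-installed CAs by default, so the proxy's
    certificate already fails here unless the app opts in to user CAs.
    """
    anchors = SYSTEM_CAS | (USER_CAS if trust_user_cas else set())
    return cert.issuer in anchors


def pin_matches(cert: Cert) -> bool:
    """Pinning check: the presented key must be one the app expects."""
    return spki_pin(cert) in PINS


def accept_connection(cert: Cert, whitehat_settings: bool) -> bool:
    """Would the app complete the TLS handshake with this certificate?

    With Whitehat Settings off, the certificate must chain to a system CA
    and match a pin. With them on, user CAs are trusted and pins are not
    enforced, so a Burp/Charles certificate is accepted.
    """
    if not chain_trusted(cert, trust_user_cas=whitehat_settings):
        return False
    if whitehat_settings:
        return True
    return pin_matches(cert)


if __name__ == "__main__":
    for name, cert in (("real", REAL_LEAF), ("proxy", PROXY_LEAF)):
        for mode in (False, True):
            print(f"{name:5} whitehat={mode}: accepted={accept_connection(cert, mode)}")
```

The interesting case is the proxy certificate with user CAs trusted but pins still enforced: `chain_trusted` passes and `pin_matches` fails, which is exactly the situation a researcher hits after installing Burp's CA on a pinned app, and the reason the setting has to go beyond trusting user certificates.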


Whitehat Settings is not visible to everyone by default. Instead, researchers have to explicitly enable this feature for their Android apps from a web interface on the Facebook website, as shown.

« To ensure the settings show up in each mobile app, we recommend you sign out from each mobile app, close the app, then open the app and sign in again. The sign-in process will fetch the new configuration and setting updates you have just made. You only need to do this once, or whenever you make changes to these settings, » Facebook says.


Once enabled, you’ll see a banner at the top of the app (Facebook, Messenger, or Instagram) indicating that network testing is enabled and your traffic may be monitored.

If you want to test the Instagram app for security vulnerabilities using the newly-launched Whitehat Settings, you are first advised to link your Instagram app with your Facebook app.

It should be noted that Whitehat Settings are not meant for everyone to use, as they reduce the security of the Facebook apps installed on your device: with pinning and TLS 1.3 disabled and user-installed certificates trusted, anyone who can install a CA on the device or sit on the network path can read and modify the app's traffic.

How do you feel about this new setting? Let us know in the comment box below.

Source: https://thehackernews.com/2019/03/facebook-whitehat-setting-hackers.html

