FB’s new settings make it easier for hackers to pentest its mobile-owned apps – DigitalMunition


Published on May 29th, 2019



Facebook implements new tool to make it easier for Whitehat researchers to find security vulnerabilities

Facebook introduces “Whitehat Settings” feature to help bug hunters analyze traffic in its mobile apps

Facebook last week added a new “Whitehat Settings” feature that lets bug hunters pentest the Facebook, Messenger and Instagram applications for Android. The feature lets security researchers bypass the apps’ certificate pinning so that their network traffic can be intercepted and inspected.

For those unaware, certificate pinning protects Facebook users’ traffic against network-based attacks: instead of trusting any certificate that chains to a CA in the device’s trust store, the app only accepts the specific certificate or public key that was pinned into it at build time. A TLS interception proxy such as Burp or Charles presents its own certificate, issued by a CA the tester installed on the device, and a pinning client rejects it even though the operating system trusts that CA. Because almost all Facebook-owned apps use certificate pinning by default, Whitehat researchers could not see or modify the apps’ requests, which made it difficult to test the apps’ backends for server-side security vulnerabilities.

With the introduction of the new option, researchers can bypass certificate pinning in the Facebook-owned mobile apps (Facebook’s main app, its Messenger instant messaging client, and the Instagram app) by enabling three settings:

  • Disabling Facebook’s TLS 1.3 support
  • Enabling a proxy for Platform API requests (applies to Facebook on Android only)
  • Using user-installed certificates for easier traffic interception

“Choose not to use TLS 1.3 to allow you to work with proxies such as Burp or Charles which currently only support up to TLS 1.2,” Facebook says. “These settings are configured in two places. The first is via the Web UI and the second is via the app UI. In other words, to access these settings from your mobile device, you must first enable them from your Facebook account through the Web,” Facebook notes.
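The following script is an added example, not code from the original article or from Facebook, showing why an intercepting proxy fails against a pinned client and what “trusting user-installed certificates” relaxes. It generates two constructed self-signed certificates with the same hostname, one standing in for the real backend and one for the proxy’s forged certificate, computes the SPKI pin (base64 of SHA-256 over the DER SubjectPublicKeyInfo, the form used by HPKP and Android network-security-config pins) and checks each certificate against the pinned value. The hostname graph.facebook.example and the file names are illustrative; `openssl` must be installed.

```shell
#!/bin/sh
# Added example (not from the article or from Facebook): SPKI pin
# computation and check, run against two constructed certificates.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <name> <CN>: constructed self-signed cert and key under $WORK.
make_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" -days 1 \
    >/dev/null 2>&1
}

# spki_pin <cert.crt>: base64(SHA-256(DER SubjectPublicKeyInfo)).
# This is what a pinning client compares, so the issuer and the CN are
# irrelevant: only the server's public key counts.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# check_pin <cert.crt> <expected-pin>: succeeds only if the key matches the
# pinned value, which is the check a user-installed CA cannot satisfy.
check_pin() {
  [ "$(spki_pin "$1")" = "$2" ]
}

# Constructed stand-ins: the backend's real certificate, and the forged
# certificate an intercepting proxy (Burp/Charles) would present for the
# same hostname after its CA was installed on the device.
make_cert real  graph.facebook.example
make_cert proxy graph.facebook.example

PIN=$(spki_pin "$WORK/real.crt")   # value compiled into the app

for name in real proxy; do
  if check_pin "$WORK/$name.crt" "$PIN"; then
    echo "$name.crt: pin matches, connection allowed"
  else
    echo "$name.crt: pin mismatch, connection rejected by pinning client"
  fi
done
```

The proxy certificate is rejected purely because its public key differs from the pinned one; installing the proxy’s CA on the device changes nothing in `check_pin`. The Whitehat setting that trusts user-installed certificates is, in effect, the app skipping this comparison and falling back to the system trust store, which is why it makes interception possible and why it should be turned off when not testing.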

The new feature will allow Whitehat bug hunters to analyze network traffic related to the Facebook, Messenger and Instagram applications when searching for vulnerabilities and report them through the company’s bug bounty program.

If you wish to take advantage of the “Whitehat Settings” feature, you can do so by visiting Facebook’s Settings Page. You can also find additional details and video tutorials on this Support Page.

The social media giant also recommends that Whitehat bug hunters turn the settings off when they are not testing: while the settings are enabled, the apps accept user-installed certificates and proxied connections, which weakens their protection against network attackers.

Currently, the Whitehat Settings feature is supported only on Facebook’s Android apps, and not on iOS platform.
