Facebook Glitch Exposes User Accounts

A serious flaw has been discovered that allowed anyone to log in to another person’s Facebook account without needing a password.

The flaw, which was posted on The Hacker News website, uses a search string. When you google this search string, around 1.34 million results for different Facebook profiles come up, and when you click on some of those links, you are automatically logged in to the profile associated with that particular link.

The flawed links are the ones mailed to users to notify them of comments and other activity. They are designed to let users respond quickly to those notifications without having to log in. Those URLs are designed so that they will only work once, Matt Jones, a Facebook engineer, said in a comment on The Hacker News.

For a search engine to come across these links, the content of the emails would need to have been posted online.

Regardless, due to some of these links being disclosed, we’ve turned the feature off until we can better ensure its security for users whose email contents are publicly visible.

Facebook has now disabled the feature to protect its users and is helping affected users secure their accounts. Most of the exposed users are said to be from Russia and China.
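The property the Facebook engineer describes, a notification link that works exactly once, is easy to get wrong, so here is an added illustration of how a server can enforce it. This is example code written for this page, not Facebook’s implementation; the class name, the URL, the token lifetime and the demo secret are all assumptions. The server keeps only a keyed hash of each issued token and removes the entry on first use, so a copy of the link that later turns up somewhere public (a quoted email, a search index) no longer logs anyone in.

```python
"""Single-use notification link, as an added illustration (not Facebook's code).

A link in a notification e-mail carries a random token that the server honours
once, within a lifetime, and then forgets. All names and the demo secret below
are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 3600                    # assumed lifetime; a real service tunes this
_DEMO_SECRET = b"constructed-demo-secret"   # assumed; in practice loaded from a secrets store


class OneTimeLinkStore:
    """Issues login links and redeems each token at most once, within its TTL."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable clock so expiry can be tested
        self._pending = {}         # keyed HMAC of token -> (user_id, expires_at)

    @staticmethod
    def _key(token):
        # Store a keyed hash rather than the token itself, so a leaked table
        # cannot be turned back into working links.
        return hmac.new(_DEMO_SECRET, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id, base_url="https://example.test/notification"):
        """Create a link for user_id; the token comes from the OS CSPRNG."""
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._pending[self._key(token)] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return f"{base_url}?t={token}"

    def redeem(self, url):
        """Return the user id the link logs in, or None if the link is
        unknown, already spent, or expired."""
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        # pop() consumes the entry: a second redeem of the same link finds nothing
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if self._clock() <= expires_at else None


if __name__ == "__main__":
    store = OneTimeLinkStore()
    link = store.issue("user-42")
    print("first click:", store.redeem(link))   # user-42
    print("replay:", store.redeem(link))        # None
```

The two design points worth noticing are that redemption removes the entry before the expiry check (so even a failed attempt burns the token) and that the store never holds the raw token.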

Anatomy of a Phishing Email

Phishing is a popular method of social engineering employed by scammers. A scammer posing as someone else uses a popular communication medium such as email or telephone to contact a victim and request confidential information. This information is then used for purposes such as withdrawing money illegally from the victim’s account or even identity theft.

Identifying a phishing email is easy if you keep in mind certain basic fine points. I will be explaining these points with the help of an old phishing mail that circulated around 2007.


1. Generic Salutation – Phishing emails usually begin with ‘Dear User’ or ‘Dear sir/madam’ rather than the specific salutation used in legitimate important mails.

2. Time frame – Usually, a sense of urgency is portrayed in phishing emails in order to make the victim anxious so that he acts in haste.

3. Threat – A threat is generally associated with the time frame so that, as mentioned above, the victim is forced to act in haste. Usual threats include cancellation of accounts, charging of credit cards etc.

4. Suspicious links/Request for confidential information – While some phishing mails ask the victim to reply with certain information such as credit card numbers or PIN, others provide a web page where the victim can enter this information.

If the email asks you to reply with your password or any other sort of confidential information, you can be absolutely sure that it is a phishing mail. No company will ever ask you to send your password or credit card number by email.

In the case of an email with links, check whether the link points to the location it claims to. Phishers usually use text that looks like a URL but is linked to a phishing page. For example, it will look like google.com, but it will actually point to some other web page. If you hover your mouse over the link, your browser will display the actual hyperlink.


You can also use a link scanner extension with your browser for extra security. I use the link scanner from VirusTotal called VTChromizer. You just have to right click the link and select ‘Scan with Virus Total’. You can also use scanners from AVG, McAfee etc.

5. Poor language – Most probably, the authors of phishing emails are not masters of the English language, so there might be grammatical, punctuation and spelling mistakes. Although not every phishing email will have mistakes, most of the ones I have seen were not perfect on the language side.

Another equally important way to fight phishing is to make sure that the email came from the right source. If you get an email from Amazon, check whether it came from something like no-reply@amazon.com rather than something like [email protected]

All of today’s major email providers have spam filters that will detect phishing mails, and all major browsers have anti-phishing features, such as SmartScreen in IE9, which can effectively protect you from phishing attempts. And now, with these simple tips, you can hopefully detect those one or two phishing mails that sneak into your inbox.
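The checklist above (generic salutation, time frame, threat, request for secrets or mismatched links, and the sender-address check) can be turned into automated checks over a raw email. The scanner below is an added example written for this page, not code from the original article or from any mail provider; the two messages at the bottom are constructed for the demo, and KNOWN_SENDER_DOMAINS is an assumed brand-to-domain table. The link check does what the “hover over the link” advice does by hand: it compares the site the visible text claims to be with the host the href really goes to.

```python
"""Checklist-driven phishing indicator scanner (added example, not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: brands a user expects mail from, and the domain they really send from.
KNOWN_SENDER_DOMAINS = {"amazon": "amazon.com", "paypal": "paypal.com"}

GENERIC_SALUTATION = re.compile(r"\bdear\s+(user|customer|member|sir/madam|sir\s+or\s+madam)\b", re.I)
URGENCY = re.compile(r"\b(within\s+\d+\s+hours?|immediately|urgent(ly)?|right away)\b", re.I)
THREAT = re.compile(r"\b(suspend(ed)?|cancel(l?ed)?|terminat(e|ed)|will be charged)\b", re.I)
SECRET_REQUEST = re.compile(r"\b(password|pin|credit card number|security code)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname; enough for the .com/.example hosts in the demo."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def mismatched_links(html):
    """Anchors whose visible text looks like a URL on a different site than the href."""
    collector = LinkCollector()
    collector.feed(html)
    bad = []
    for href, text in collector.links:
        if not LOOKS_LIKE_URL.match(text):
            continue                                   # plain words, not a look-alike URL
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        real = urlparse(href).hostname or ""
        if registrable(shown) != registrable(real):
            bad.append((text, href))
    return bad


def scan(raw_message):
    """Return {indicator: detail} for every checklist item the message trips."""
    msg = message_from_string(raw_message)
    plain, html = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            content = raw.decode(part.get_content_charset() or "utf-8", "replace")
            (html if ctype == "text/html" else plain).append(content)
    html_text = "\n".join(html)
    text = "\n".join(plain) + "\n" + re.sub(r"<[^>]+>", " ", html_text)  # crude tag strip
    findings = {}
    for name, pattern in (("generic_salutation", GENERIC_SALUTATION), ("urgency", URGENCY),
                          ("threat", THREAT), ("secret_request", SECRET_REQUEST)):
        match = pattern.search(text)
        if match:
            findings[name] = match.group(0)
    bad = mismatched_links(html_text)
    if bad:
        findings["link_mismatch"] = "; ".join(f"{shown} -> {href}" for shown, href in bad)
    # Sender check: if the display name or subject claims a known brand,
    # the address domain must be that brand's real domain.
    display_name, address = parseaddr(msg.get("From", ""))
    claimed = f"{display_name} {msg.get('Subject', '')}".lower()
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    for brand, real_domain in KNOWN_SENDER_DOMAINS.items():
        if brand in claimed and registrable(sender_domain) != real_domain:
            findings["sender_domain"] = f"claims {brand} but sent from {sender_domain}"
    return findings


# Constructed sample messages for the demo (the hosts are not real).
SAMPLE_PHISH = """From: Amazon Security <security@amaz0n-alerts.example>
To: victim@example.org
Subject: Your account will be suspended
Content-Type: text/html; charset=us-ascii

<html><body><p>Dear Customer,</p>
<p>Unusual activity was detected. Your account will be suspended unless you
confirm your password within 24 hours.</p>
<p>Visit <a href="http://login.amaz0n-alerts.example/verify">www.amazon.com/verify</a></p>
</body></html>
"""

SAMPLE_LEGIT = """From: Amazon <no-reply@amazon.com>
To: victim@example.org
Subject: Your order has shipped
Content-Type: text/plain; charset=us-ascii

Hello Alice,
Your order #12345 has shipped. Track it in Your Orders on amazon.com.
"""

if __name__ == "__main__":
    print("phish:", scan(SAMPLE_PHISH))
    print("legit:", scan(SAMPLE_LEGIT))
```

The keyword lists are deliberately small; the point is the structure (each checklist item becomes one named finding), so a real deployment would tune the patterns and, for the link check, use a proper public-suffix list instead of the two-label approximation in registrable().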

Government Employees Fooled by Greeting Card Trojan

The U.S. Government seems to be leaking a lot these days. After the WikiLeaks scandal, and the leak of the plan to stop leaks, we’ve heard about another leak. Two days before Christmas, an unknown number of government employees opened a greeting email that looked like it was from the White House. Normally, that’s no big deal, but this email contained a surprise gift.

Here’s what it said:

As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.

Greeting card:


Merry Christmas!
Executive Office of the President of the United States
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500

People who clicked on the links in this phishing email downloaded a trojan called ZeuS. If they installed it, their computers proceeded to send all of their Word and Excel documents to a hacker’s website. It appears that this hacker only wanted information that he could later sell.

Here’s what the greeting card website looked like.

(Screenshot of the trojan e-card site; image from KrebsOnSecurity)

I don’t think I should have to tell everyone this, but you should never have to download a greeting card. If you are asked to do this, exit the web page immediately.

Someone should have told the government employees about stuff like this. Very sensitive documents were stolen because the employees didn’t know about the high-risk practice of downloading from unknown websites.

Some of the documents were identified as coming from such places as the National Science Foundation, the Massachusetts State Police, the Financial Action Task Force, the Millennium Challenge Corporation, and many other .gov sites.

The US Government is now proposing that people use an Internet ID card to protect their privacy. Would you trust them to know how to guard your private information?

[via krebsonsecurity]

Fake Warnings and Hoaxes on Facebook – Are You Smart Enough to Avoid Them?

Every time I hear about a new scam or hoax on Facebook, I have to wonder how people can fall for these. Don’t be fooled, a few minutes of research can save you some embarrassment. Here’s an example of one of the hoaxes that’s been going around.

Fox 4 news reported… ATTENTION !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! do not join the group that runs currently on facebook with the title “becoming a father or mother was the greatest gift of my life” This is a group created by pedophiles whose aim is to access your photos!!!!!!!…!!!!! Please rotate …this post to all Your Friends on Facebook xx

In truth, there were no groups started by pedophiles. It was all a big hoax, but it got passed along on Facebook and by email so often that it took on a life of its own. Originally, there were no groups with that name or a similar name, but some other pranksters created similar groups, just to see how much trouble they could start. It even got to the point where people were creating groups to protest the original (hoax) groups. I was tempted to laugh when I read about this hoax, but I’m also sad that there are so many people ready and willing to post stuff like this on their Facebook page or in email.

Read the truth about the Pedophile Group Hoax

Here’s another one – would you pass on this picture and description?

Whale swallows man in kayak


Find out the truth behind this photo.

I found out about these hoaxes from an old friend of mine, Brett Christensen. He runs a website, newsletter and Facebook page that reveals the truth and the lies behind many of the rumors, hoaxes and scams you see in email and Facebook.

If you don’t want to be fooled, it only takes a minute or two in a search engine to find the truth. I recommend going to three different sites to perform a quick search before you pass on the next fantastic message you get.

Search Hoax-Slayer



I also recommend signing up for the email newsletters from Hoax-Slayer and Snopes.

Hoax-Slayer newsletter (monthly)

Snopes newsletter (weekly)

In case you want up to date info, here’s the Facebook page for Hoax-Slayer that Brett maintains. Just post a question on his wall and he’ll probably answer back with all the facts he can find.

It’s not a sin to be fooled by an email or Facebook post. However, you won’t be gaining any friends and credibility by passing on stupid rumors and hoaxes. Take the time to check them out.

I’ve never been fooled by a hoax or a scam in Facebook (or email), have you?

Safe Surfing and Email with Web of Trust

[Windows, Mac, Linux] Web of Trust (WOT) is an addon or extension that identifies risky or dangerous links and websites while you are using your web browser. This addon is available for the Internet Explorer, Firefox and Google Chrome web browsers. There is also a bookmarklet for browsers such as Opera and Safari.

Here’s what the WOT website says about their product:

Protect yourself from online scams, sites with adult content, spam and other Internet threats. The WOT community has rated millions of websites so you can search, shop online and surf for fun without worrying.

When the WOT addon is installed in a web browser, it displays safety information about web sites in two different ways.

First, there will be a WOT icon at the top of the browser next to the address bar. It will be colored green, yellow or red to show you the general rating of the web page you are currently viewing.


If you click on this icon, you’ll be able to see more details about the ratings.


The detailed ratings are broken down into four categories: Trustworthiness, Vendor Reliability, Privacy and Child Safety. As you can see, Techie Buzz is a winner in all four areas.

The second way that WOT displays its ratings is while you are searching at one of the popular web search engines. Ratings are shown for Google, Yahoo, Ask, Bing and Froogle.


As you can see, there is a colored icon next to each search result. Clicking on the icons there also gives you more detailed information about each site. You won’t have to worry if it’s safe to click on search results once you have WOT installed.

Some online email services are also covered by the link identification from WOT. Here’s what my Gmail looks like in Firefox. This also seems to work in Yahoo Mail, Live Mail and AOL Mail.


The WOT addon will make your online email far safer to use.


Download the WOT addons for Firefox, IE and Chrome

The WOT Bookmarklet for Opera and Safari

For those who don’t wish to install anything at all in their browser, I’ve found an online search engine which uses WOT to rate the search results.

Safe Search:

Try SurfCanyon’s WOT Search

Techie Buzz Verdict:

There are several other services that offer similar addons or toolbars to make surfing more safe. WOT is my favorite and it supports the widest range of web browsers.

Techie Buzz Rating: 4/5

How to Send Anonymous Email

There are many reasons why a person might be afraid to send a normal email message to someone. The person sending the email could:

  • lose a friendship
  • anger a family member
  • lose a job
  • get sued
  • get arrested
  • get hurt or killed

There’s also another reason.

It might be fun! How would you like to send an email that looks like it came from the President, Tax Office or Police? The possibilities for mischief are endless.

Whatever the reason, there are many resources available to those who need to send an anonymous email. The easiest methods are online services. Below I’ll list the top three for you.

send-email.org simple plain text

anonymouse.org simple plain text

deadfake.com html (rich text)

I checked these services for safety using SiteAdvisor.

These email sites are easy to use. You’ll only need to fill out:

  1. From: (make something up)
  2. To: (who is this email for?)
  3. Subject: (what’s the email about?)
  4. Message: (give them the bad news)

Typically, no attachments are allowed and you’ll have to fill out a captcha form to keep the spammers from using these services.

See also: Send Anonymous Tweets With ShhTwitter

Now you’re either ready to save the world, a friendship or get a good laugh. Let me know if you have your own special way to send out secret email, by adding your comment below.

Gmail’s Got Your Back, Rolls Out HTTPS as Default

Gmail has always been widely under attack; however, most of the time users’ accounts are compromised because of phishing rather than because of any lack of security at Gmail.


HTTPS, or HTTP Secure, is a secure way of transmitting data to and from the web. Unlike HTTP, HTTPS data is encrypted before it is transferred. This makes data transferred through HTTPS hard to snoop on, and gives users a safer way to browse the web.

Gmail already had an option for users to use HTTPS by default, through a Labs feature. Today, Google graduated the feature out of Labs. This means that all Gmail users will now automatically start using HTTPS by default. Users can disable HTTPS by default by visiting “Settings -> Labs” and choosing “Don’t always use https”.

However, HTTPS alone cannot save you from being hacked. There are several other ways in which you can protect your online accounts. The first rule is, NEVER click on links in emails sent by strangers. The second rule is, NEVER download content that is sent by strangers.

You can also make use of a Gmail Labs feature called Anti-Phishing Key, which allows you to distinguish between legitimate and spam email. However, this feature has a limited scope and only supports eBay and PayPal right now.

If your Gmail account is hacked, you might want to read what steps you should perform in order to check the safety of your Gmail account.