Today we share all kinds of sensitive information on social networking sites such as Facebook, Twitter and more. I have just used a very nice tool that you can run in your lab as a PoC to show how, within a few minutes, profiles and pages can be downloaded locally with all their pictures.
Sometimes we receive invitations from untrusted sources on Facebook and wonder whether to add the person or not. In these cases I send a message to verify the user. Some users set their profile picture to an image of a mountain, a jungle or a beautiful beach, and I try to remember them, because this could be a friend I studied with at school or someone I know from another place.
The tool you can use is FBPwn. It tries several attacks on Facebook directly from a user account, and does the following:
- Dump friend list
- Add all of the victim's friends
- Dump all of the user's album pictures
- Dump profile information
- Dump photos (this means profile pictures)
- Check friend requests
- Dump the victim's wall (including pokes)
- Clone the profiles
All information is stored locally, so even if the victim removes the attacker from his friends list it will be too late, as the profile is already owned. I would recommend this tool as awareness material for your friends and at the corporate level to understand the risks of sharing information online.
You can download and read more about the tool by following this link: http://code.google.com/p/fbpwn/