Initial Observation

It was quite unexpected to see this huge Security Flaw in Facebook. I was quite surprised and shocked once  it came to my notice  during My research on Facebook Security. I must say Facebook had done a great Job with their Security Measure.But Sometime it harms the Security System unknowingly when the developers try to improve it. Same things has happened with the Facebook here. 

When we Create our account in any Social Network or anywhere else 99.99% of the user never read the Terms and Condition before going ahead.Here I have mentioned only two types of terms given by Facebook.

1. Sharing Your Content and Information
   
   You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings. In addition:
   1. For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.
   2. When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others).
   3. When you use an application, the application may ask for your permission to access your content and information as well as content and information that others have shared with you.  We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information.  (To learn more about Platform, including how you can control what information other people may share with applications, read our Data Use Policy and Platform Page.)
   4. When you publish content or information using the Public setting, it means that you are allowing everyone, including people off of Facebook, to access and use that information, and to associate it with you (i.e., your name and profile picture).
   5. We always appreciate your feedback or other suggestions about Facebook, but you understand that we may use them without any obligation to compensate you for them (just as you have no obligation to offer them).
       
2. Safety
   
   We do our best to keep Facebook safe, but we cannot guarantee it. We need your help to keep Facebook safe, which includes the following commitments by you:
1. You will not post unauthorized commercial communications (such as spam) on Facebook.
2. You will not collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our prior permission.
3. You will not engage in unlawful multi-level marketing, such as a pyramid scheme, on Facebook.
4. You will not upload viruses or other malicious code.
5. You will not solicit login information or access an account belonging to someone else.
6. You will not bully, intimidate, or harass any user.
7. You will not post content that: is hate speech, threatening, or pornographic; incites violence; or contains nudity or graphic or gratuitous violence.
8. You will not develop or operate a third-party application containing alcohol-related, dating or other mature content (including advertisements) without appropriate age-based restrictions.
9. You will follow our Promotions Guidelines and all applicable laws if you publicize or offer any contest, giveaway, or sweepstakes (“promotion”) on Facebook.
10. You will not use Facebook to do anything unlawful, misleading, malicious, or discriminatory.
11. You will not do anything that could disable, overburden, or impair the proper working or appearance of Facebook, such as a denial of service attack or interference with page rendering or other Facebook functionality.
12. You will not facilitate or encourage any violations of this Statement or our policies.

I know most of you reading this blog may not have seen this before although it has clearly mentioned in Facebook Terms and condition.

What I'm trying to say with this two points is If someone is not following the rules then the security will be less and obviously all most all Security threats comes from an Insider. It can be any one your friends,brother,colleagues or anyone who knows you very well. So In terms of Facebook Security the first threat comes from your friend.For hacking anyone's account you need not to be a hacker always Obviously I will Not explain the whole process here through this blog but I'll give few screen shots because otherwise everyone will start hacking their friends account.I know the guy who sounds good technically will found the right way from the screen shots i gonna show here in this blog.

According to Facebook:-

Recovering your account through friends is a secure alternative for proving your identity when you can’t remember your password and can't access any of the email accounts connected to your Facebook account. Because your privacy and security are very important, we can only reset your account login information after we carefully check your identity. 

Please note that not all Facebook accounts are eligible for this process.

1. We’ll help you choose a few trusted friends to prove that this is your account.
2. We'll send each of your chosen friends a security code.
3. You can call these friends, collect your codes, and follow our instructions to submit the codes and reset your password.

Its not a big deal for the hacker to have three fake account where he can get this security code. Instead of sending the codes to the user the hacker can use the codes and get into the account.So here I'm explaining only few steps to hack anyone's Facebook account(Full explanation I'll not give here publicly).To do that what you have to know is the user's e-mail id or the phone number and if you know him/her personally then well and good.I hope none of you reading this blog will miss use the information and will take it in a positive way to secure your own account as because all of us running under massive security threat.

Screen Shot 1

It can be hackers own ID..The victim will not have any idea about it.Even he'll not get any notification in his mobile or mail.

Screen Shot 2

For Security reason victim's name and photos are hidden here.

Screen Shot 3

 

Screen Shot 4

In this above picture assume this user as an hacker who is stealing your account.

Screen Shot 5

Finally the hacker got the access of your account.He can easily login to your account using this security code.For Security Reason the victim's name and photos I'm not showing here.

Thanks all for reading my blog.My intention was to show the Security flaw in Facebook to Secure all the facebook community.