How to (Really) Hack Facebook.
As a rule of thumb, if anyone offers to you teach things like “Hacking Facebook”, you can be sure that they are talking out of their ass. If a website has an article on it, it’s usually just clickbait.
As of August 2019, I have received over 300 emails and almost as many tweets asking me to hack their girlfriends Facebook or to peek at their husband’s messages to see if he’s cheating and so on.
Just the sheer volume has compelled me to address this. It is quite clear that these sorts of questions are always only asked by someone who doesn’t know very much about programming. Not only that but the purpose is clearly malicious and not educational.
The short answer is: No, you can’t hack Facebook.
However, in this article, we’ll review a few broader techniques that could indirectly lead to a hacker being allowed access to your Facebook account (and probably more). We’ll also discuss why these techniques will fail under most circumstances. I must warn you though, this is meant for strictly educational purposes. Actually performing these activities with malicious intent may constitute a criminal offense. Regardless, if your victim is tech-savvy and keeps their programs updated, there is very little scope for a hacker to get through.
1. Phishing
Today, phishing attacks are still quite prevalent, which is why you should always take a quick peek at the URL before you type in any confidential information. Luckily, major browsers like Chrome warn users when they are about to enter a malicious website. This alone stops the majority of phishing attacks from ever happening.
It is also quite obvious to the victim when they have just been “phished”. Say, the user enters their username and password into a phishing website, what then? The user expects to be logged in. There is no way for a third party (like a hacker’s phishing website) to start a genuine facebook session in the user’s browser. This is due to the same-origin policy.
The other possibility is that the victim is already logged in (a session is currently active) and if they see another login page i.e., your phishing website, they’ll know that something is clearly wrong.
In both cases, the victim will become aware that they are being targeted. That is of course if the phishing website is able to successfully fool the browser.
All in all, if users keep their software updated and remain vigilant, they are largely protected against most phishing attacks. Nevertheless, there are always security holes in all systems. Even if you do manage to pull this off, even if you gain a victim’s password to an online account such as Facebook or say, Google, you still won’t gain access to their accounts.
So, phishing is a no go. Good for users, bad for hackers.
2. Keyloggers
This one’s pretty self-explanatory. If you have access to the victim’s device that they often log in from, you simply install a keylogger that runs in the background and logs all the keystrokes. Then, if you’re lucky they victim’s account information will be just sitting there in the log.
But alas, it’s not that simple. There are a couple of major difficulties with this:
- Antivirus: Today’s antiviruses are excellent at catching files that even remotely mimic malicious behavior. Most antiviruses automatically quarantine any such files and report their detection to the user immediately. But depending on the circumstances, you may be able to get around this:
- Disable the antivirus. Pretty obvious, but if you are certain that the victim will not notice that the antivirus is not running, this is a pretty good way to go.
- Whitelist the keylogger file in the antivirus exclusion list. Nearly all antiviruses allow you to pick files or folders that may be exempted from scanning thereby whitelisting our malicious software, the keylogger. This is the preferred approach if the victim is likely to notice the antivirus not running. However, some antiviruses do routine scans of programs that are currently residing in the computer’s memory. If the whitelist is not applicable to this memory scan, the keylogger’s background process will again be blocked. Therefore, it is recommended to thoroughly test the keylogger before actually putting it to use.
- If the victim is extremely tech-savvy, say an experienced programmer, they might be able to manually spot the keylogger running in the background process while checking the task manager. However unlikely, this is still a possibility. While you’re testing the keylogger, be sure to look at the list of background processes and see if the keylogger’s process has a very obvious name. It wouldn’t be very subtle if your victim could simply spot Definitely-Not-A-Keylogger.exe running in the background.
- What if you don't have access to the device? How many people let you freely use their device? How many people do you give your own devices to? This is a major roadblock. One that can only be overcome by proper hacking.
3. Proper hacking
Things like keyloggers and phishing can hardly be called real hacking. These are excuses and shortcuts and not real hacks. Do not let this discourage you, but I must be a bit tough now. If you truly wish to learn to hack, you should probably aim for something a little less petty than hacking someone’s Facebook account. This is not what this website is meant to be and most people who’ve arrived at this page are looking for a quick and easy trick that does not exist. People like these put a bad name on hacking.
No comments: