1 December 2011, 13:46


If you access your Facebook profile from your cellphone without using the Facebook app, you will most likely be redirected to m.facebook.com.


The problem is that HTTP, not HTTPS, is used when you send your email address and password over the network. Obviously, this is a serious security mistake: the credentials travel in cleartext, so anyone positioned on the path between your phone and Facebook can read them.


For instance, as I train my students to do it (within the lab), it is quite easy to steal a password that is being sent over HTTP, for example with an ARP spoofing attack (using Ettercap or other tools from BackTrack Linux). Say you connect to Facebook with the mobile browser while on a WiFi network: launching the spoofing attack against you is then quite simple, because the attacker only needs to be on the same LAN to redirect your traffic through their machine.
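To make the two halves of this attack concrete, here is an added Python example (not part of the original post, and not the author's lab material). It fabricates raw ARP reply frames, the kind Ettercap sends to poison a victim's ARP cache, runs a small detector that flags a second MAC address claiming the gateway's IP, and then shows what a sniffer on the attacker's machine extracts from a cleartext HTTP POST. The addresses, the `/login.php` path and the `email`/`pass` field names are constructed for the example, not taken from m.facebook.com.

```python
import struct
from urllib.parse import parse_qs


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet + ARP 'is-at' reply frame (constructed test data)."""
    eth = target_mac + sender_mac + b"\x08\x06"          # dst MAC, src MAC, EtherType = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)      # Ethernet, IPv4, hlen, plen, opcode 2 = reply
    arp += sender_mac + bytes(map(int, sender_ip.split(".")))
    arp += target_mac + bytes(map(int, target_ip.split(".")))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_ip, sender_mac) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if hw != 1 or proto != 0x0800 or hlen != 6 or plen != 4:
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_ip, sender_mac


def detect_arp_spoof(frames, protected_ips):
    """Flag ARP replies in which a protected IP (e.g. the gateway) is claimed by a second MAC.

    Returns a list of (ip, first_mac_seen, conflicting_mac) tuples.
    This is the basic check tools like arpwatch perform.
    """
    seen = {}
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, ip, mac = parsed
        if op != 2 or ip not in protected_ips:
            continue
        first = seen.setdefault(ip, mac)
        if first != mac:
            alerts.append((ip, first, mac))
    return alerts


def extract_credentials(tcp_payload, fields=("email", "pass")):
    """Pull login fields out of a cleartext HTTP POST, as a password sniffer does.

    Returns None unless the payload is a form-encoded POST; with HTTPS the
    sniffer only sees TLS records, so this function never gets a parseable body.
    """
    head, _, body = tcp_payload.partition(b"\r\n\r\n")
    if not head.startswith(b"POST "):
        return None
    headers = head.decode("latin-1").split("\r\n")[1:]
    form = any(h.lower().startswith("content-type: application/x-www-form-urlencoded")
               for h in headers)
    if not form:
        return None
    params = parse_qs(body.decode("latin-1"))
    return {k: params[k][0] for k in fields if k in params}


# --- constructed sample data (assumed addresses, not a real capture) ---
GATEWAY_IP = "192.168.1.1"
VICTIM_IP = "192.168.1.42"
GATEWAY_MAC = bytes.fromhex("00aabbccdd01")
VICTIM_MAC = bytes.fromhex("00aabbccdd42")
ATTACKER_MAC = bytes.fromhex("00aabbccdd99")

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # legitimate gateway
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # poisoned: attacker claims gateway
    b"\x00" * 60,                                                       # unrelated frame, ignored
]

_BODY = b"email=alice%40example.com&pass=hunter2&login=Log+In"
SAMPLE_POST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: m.facebook.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    b"\r\n" + _BODY
)

if __name__ == "__main__":
    for ip, good, bad in detect_arp_spoof(SAMPLE_FRAMES, {GATEWAY_IP}):
        print(f"ARP spoofing suspected: {ip} was {good}, now claimed by {bad}")
    print("sniffed:", extract_credentials(SAMPLE_POST))
```

Run on a real interface the detection half needs a capture library (for example scapy's `sniff` feeding frames to `detect_arp_spoof`), but the logic is the same: on a healthy LAN the gateway IP maps to one MAC, and a reply that changes that mapping is the signature of the poisoning step. The sniffing half is why the HTTP/HTTPS distinction matters: `extract_credentials` works on cleartext and has nothing to parse once the same POST is wrapped in TLS.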


Therefore I recommend that people use the official Facebook app rather than the mobile browser, since, as far as I know, the app uses HTTPS to send credentials to Facebook.

