Facebook login vulnerable to cyber attacks: attackers could make online payments on behalf of the social network's users

Published: 2016-04-26
Source: https://bm.dev.synology.me/?p=132900

Cyber attackers could steal the identity of certain internet users and access most of their online accounts that allow signing in through Facebook, due to a vulnerability in Facebook's authentication mechanism discovered by Bitdefender's cyber-security specialists, according to information sent by the company's representatives.

Login through social networks is an alternative way of signing in to various accounts, giving users a more convenient way to register without filling in username and password fields. Most sites allow login through Facebook, LinkedIn, Twitter or Google Plus. Bitdefender's specialists found a way to take over a user's identity and gain unrestricted control of that user's online accounts.

"Using this vulnerability in the login via Facebook system, attackers can access most of the online accounts of users that allow authentication with this social network. This means that attackers can make payments on behalf of users on online store sites, for example," says Cătălin Coşoi, Chief Security Strategist, Bitdefender.

For the attack to succeed, the victim's e-mail address must not already be associated with a Facebook account, but alternative addresses owned by the victim can be used. As a rule, users own more than one e-mail address, some of which are public on the internet and are therefore available to any wrongdoer. To verify a user's identity without exposing their credentials, Login with Facebook uses the OAuth protocol, through which it authorizes third parties to receive some information about users when they access certain sites.

The Bitdefender researchers managed to bypass the confirmation step normally required when registering on a site with a new e-mail address associated with a Facebook account. First, they created a Facebook profile with the victim's e-mail address, the one associated with the various accounts the victim holds on the internet.

After creating the Facebook profile with the e-mail address belonging to the victim, they also added to the Facebook account an address controlled by the attackers. After a page refresh, the victim's e-mail was already validated by Facebook. When attempting to sign in to another page using the Facebook Login button with the victim's e-mail address, the attacker is asked to confirm their own e-mail address, not the original one belonging to the victim. In the Facebook account settings, the attacker sets their own address as the primary contact for the account in place of the victim's e-mail address.

As a result, the attacker successfully signs in to the online accounts held by the victim that were registered with the e-mail address the attacker used to create the Facebook profile, such as those on online stores, booking sites, personal applications, etc. The party certifying identity, in this case Facebook, should have waited until the new e-mail address associated with the Facebook account had been verified. Facebook fixed the vulnerability after being notified by the Bitdefender researchers.