
Is this a valid way to hack into Facebook applications? (and possibly Facebook)?

  1. Your friend connects to Facebook and checks "remember me".
  2. Facebook creates a cookie on the browser.
  3. Your friend goes to the bathroom.
  4. You steal your friend's cookies from his browser and its data.
  5. You go home and make these cookies with that data.

Assuming Facebook does not associate cookies + IP, you can gain access to the Facebook page. Edit: True, Facebook does not check for IP.

Now, let's take a look at Facebook Connect. This is the key.

  1. User "connects" by pushing the button.
  2. Facebook sets a cookie on the browser, which your application backend will read from to determine if the user is authenticated. Then, you associate this FB-cookie-id with the user in YOUR system.

If your system does not check for IP, then theoretically faking the cookie will allow you access into the application that used Facebook Connect. Which then you can gain access to the application,

Is it valid to say that you should check for IP when doing Facebook connect to add a level of security? But even if you do, some people have commented about IP Spoofing.

@everybody who says "Physical Access":

Yes, I agree that the concept of physical access makes this question trivial. However, this is a hole that the APPLICATION must be aware of. Sure, the Facebook profile/worthless application wouldn't matter much... but what if the application was a banking system? All I am saying is that if Citibank or Bank of America used "Facebook Connect" (which would be stupid, but let's assume), then this method would prove to be an easy way to access their account.

Therefore, Facebook Connect should NOT be used with anything "important". Right?
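For the application-side question raised above, here is an added example (not part of the original post or of any Facebook API) of treating a changed IP or User-Agent as a signal that forces re-authentication instead of a hard block, and of requiring a recent login for sensitive actions even when nothing changed. The store, function names, and time windows are assumptions chosen for illustration.

```python
import secrets
import time

# Hypothetical in-memory session store; a real application would use its database.
SESSIONS = {}
MAX_AGE = 3600         # assumed lifetime of a session, in seconds
STEP_UP_WINDOW = 300   # assumed period during which a login counts as "recent"

def create_session(user_id, ip, user_agent, now=None):
    """Issue an opaque random token and record the client context server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user_id, "ip": ip, "ua": user_agent, "login_at": now}
    return token

def check_request(token, ip, user_agent, sensitive=False, now=None):
    """Return 'allow', 'reauth' or 'deny' for a request that presents `token`."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return "deny"                      # unknown or already rotated token
    if now - session["login_at"] > MAX_AGE:
        del SESSIONS[token]                # expired: drop it server-side
        return "deny"
    if ip != session["ip"] or user_agent != session["ua"]:
        # Users legitimately change networks, so a mismatch is not proof of
        # theft; the cookie alone is simply no longer enough.
        return "reauth"
    if sensitive and now - session["login_at"] > STEP_UP_WINDOW:
        # Covers a copied cookie replayed from the same network: money
        # movement or profile changes need a recent login regardless.
        return "reauth"
    return "allow"

def reauthenticate(token, ip, user_agent, now=None):
    """Call after the user has logged in again; rotates the token."""
    session = SESSIONS.pop(token, None)    # the old cookie value stops working
    if session is None:
        return None
    return create_session(session["user"], ip, user_agent, now)
```

Rotating the token on re-authentication means a copy of the old cookie is rejected from that point on.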


Another option is, after your friend goes to the bathroom, you can steal his wallet and use the cash inside to bribe his girlfriend into giving you his Facebook password, thus rendering all of his applications using Facebook Connect vulnerable.


Then you have the issue of going around WiFi networks, which would make the "remember me" option useless


No. To steal your friend's cookies you need physical access to the machine, and if you have that everything stored there is vulnerable to you. There's nothing Facebook can, or should, do to prevent this.


There are plenty of ways that you can follow in order to hack a Facebook account. For example you can begin by learning a few basic hacking methods (there are thousands of them) and try to combine them together. Some of them are:

  • Keylogger.
  • Denial of Service (DoS\DDoS)
  • Waterhole attacks.
  • Fake WAP.
  • Eavesdropping (Passive Attacks)
  • Phishing.
  • Virus, Trojan
  • ClickJacking Attacks.
  • etc

Ofc, there are a lot of tools out there on the internet that might help you, some are free (most of them are fake) and some are paid (few of them are fake). There was a website for example in the Netherlands that was free and it managed to hack 3 accounts out of 10 for me depending on their security protection. You can give it a try here.

Good luck!
