Updated on: January 8, 2017


As a rule of thumb, if anyone offers to teach you things like “Hacking Facebook”, you can be sure that they are talking out of their ass. If a website has an article on it, it’s usually just clickbait.

So, what are we doing here then?

As of January 2017, I have received over 3000 emails and almost as many tweets asking me to hack their girlfriend’s Facebook or to peek at their husband’s messages to see if he’s cheating and so on.

Just the sheer volume has compelled me to address this. It is quite clear that these sorts of questions are always only asked by someone who doesn’t know very much about programming. Not only that, but the purpose is clearly malicious and not educational.

The short answer is: No, you can’t hack Facebook.

However, in this article we’ll review a few broader techniques that could indirectly lead to a hacker being allowed access to your Facebook account (and probably more). We’ll also discuss why these techniques will fail under most circumstances. I must warn you though, this is meant for strictly educational purposes. Actually performing these activities with malicious intent may constitute a criminal offense. Regardless, if your victim is tech-savvy and keeps their programs updated, there is very little scope for a hacker to get through.

1. Phishing

Phishing has been explained in detail here. In a nutshell, it involves creating an identical copy of the login page, hosting it on a server that you control and tricking the victim into entering their login information, which then makes its way to you.

Today, phishing attacks are still quite prevalent, which is why you should always take a quick peek at the URL before you type in any confidential information. Luckily, major browsers like Chrome warn users when they are about to enter a malicious website. This alone stops the majority of phishing attacks from ever happening.
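The "quick peek at the URL" can be made precise. The following is an added example, not code from the original article: it parses a URL and accepts it only if the scheme is HTTPS and the host is the expected domain or a true subdomain of it. The function names and the sample URLs are constructed for illustration.

```javascript
// Added example: check that a URL's host really belongs to the expected site.
// EXPECTED_DOMAIN and SAMPLE_URLS are constructed for illustration.
const EXPECTED_DOMAIN = "facebook.com";

function checkLoginUrl(rawUrl, expectedDomain = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parsing, the same rules browsers apply
  } catch {
    return { trusted: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { trusted: false, reason: "not HTTPS" };
  }
  // hostname excludes any "user@" prefix and the port; drop a trailing DNS dot.
  const host = url.hostname.replace(/\.$/, "");
  // Non-ASCII hostnames come back as punycode labels; report them explicitly.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { trusted: false, reason: "punycode hostname: " + host };
  }
  // Exact match or a true subdomain; containing the name is not enough.
  if (host !== expectedDomain && !host.endsWith("." + expectedDomain)) {
    return { trusted: false, reason: "host is " + host };
  }
  return { trusted: true, reason: "host is " + host };
}

// Constructed samples: one genuine login URL and four lookalike patterns.
const SAMPLE_URLS = [
  "https://www.facebook.com/login.php",
  "https://facebook.com.account-check.example/login.php", // name used as a subdomain
  "https://facebook.com@login.example/",                  // name used as userinfo
  "https://facebook.com-login.example/login.php",         // name used as a prefix
  "http://www.facebook.com/login.php",                    // right host, no TLS
];

function classifyAll(urls) {
  return urls.map((u) => ({ url: u, ...checkLoginUrl(u) }));
}

for (const r of classifyAll(SAMPLE_URLS)) {
  console.log((r.trusted ? "OK      " : "SUSPECT ") + r.url + "  (" + r.reason + ")");
}
```

Only the first sample is accepted; the others are rejected because the comparison is made on the parsed host rather than on the text of the URL.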

It is also quite obvious to the victim when they have just been “phished”. Say, the user enters their username and password into a phishing website, what then? The user expects to be logged in. There is no way for a third party (like a hacker’s phishing website) to start a genuine Facebook session in the user’s browser. This is due to the same-origin policy.

The other possibility is that the victim is already logged in (a session is currently active) and if they see another login page i.e., your phishing website, they’ll know that something is clearly wrong.

In both cases, the victim will become aware that they are being targeted. That is of course, if the phishing website is able to successfully fool the browser.

All in all, if users keep their software updated and remain vigilant, they are largely protected against most phishing attacks. Nevertheless, there are always security holes in all systems. Even if you do manage to pull this off, even if you gain a victim’s password to an online account such as Facebook or say, Google, you still won’t gain access to their accounts.

All respectable internet companies have extensive anti-hacking measures in place. If a user tries to log in from, say a distant IP address or a new unknown device (one that hasn’t been used with that account previously), the login attempt will most likely be blocked unless the user trying to log in can successfully confirm their identity. And this involves tasks such as answering security questions or typing in a little code sent to the user’s phone. Not only this but the real user gets a message regarding weird activity on their account.
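The check described above can be sketched from the service's side. This is an added example, not code from the original article or from any real provider: the field names, the 500 km threshold and the sample account are assumptions, and the login location is assumed to have been derived from the IP address already.

```javascript
// Added example; field names, threshold and sample data are assumptions.
const MAX_KM_FROM_KNOWN = 500; // assumed cut-off for a "distant" login

// Great-circle distance in km between two {lat, lon} points (haversine).
function distanceKm(a, b) {
  const rad = (deg) => (deg * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// account: { knownDevices: Set<string>, knownLocations: [{lat, lon}, ...] }
// attempt: { deviceId, location: {lat, lon} }, password already verified.
function assessLogin(account, attempt) {
  const reasons = [];
  if (!account.knownDevices.has(attempt.deviceId)) reasons.push("new device");
  // With no location history Math.min() yields Infinity, so the login is
  // treated as distant rather than silently allowed.
  const nearest = Math.min(
    ...account.knownLocations.map((loc) => distanceKm(loc, attempt.location))
  );
  if (nearest > MAX_KM_FROM_KNOWN) reasons.push("distant location");
  if (reasons.length === 0) {
    return { action: "allow", notifyOwner: false, reasons };
  }
  // A correct password alone is not enough here: ask for a second proof of
  // identity (code sent to the phone, security question) and alert the owner.
  return { action: "challenge", notifyOwner: true, reasons };
}

// Constructed sample: an account normally used from one laptop in London.
const SAMPLE_ACCOUNT = {
  knownDevices: new Set(["laptop-1"]),
  knownLocations: [{ lat: 51.5074, lon: -0.1278 }],
};
const usualLogin = { deviceId: "laptop-1", location: { lat: 51.752, lon: -1.258 } };
const stolenPassword = { deviceId: "unknown-7", location: { lat: 35.68, lon: 139.69 } };

console.log(assessLogin(SAMPLE_ACCOUNT, usualLogin));
console.log(assessLogin(SAMPLE_ACCOUNT, stolenPassword));
```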

So, phishing is a no go. Good for users, bad for hackers.

2. Keyloggers

This one’s pretty self-explanatory. If you have access to the victim’s device that they often log in from, you simply install a keylogger that runs in the background and logs all the keystrokes. Then, if you’re lucky, the victim’s account information will be just sitting there in the log.

But alas, it’s not that simple. There are a couple of major difficulties with this:

  • Antivirus: Today’s antiviruses are excellent at catching files that even remotely mimic malicious behavior. Most antiviruses automatically quarantine any such files and report their detection to the user immediately. But depending on the circumstances, you may be able to get around this:
    • Disable the antivirus. Pretty obvious, but if you are certain that the victim will not notice that the antivirus is not running, this is a pretty good way to go.
    • Whitelist the keylogger file in the antivirus exclusion list. Nearly all antiviruses allow you to pick files or folders that may be exempted from scanning thereby whitelisting our malicious software, the keylogger. This is the preferred approach if the victim is likely to notice the antivirus not running. However, some antiviruses do routine scans of programs that are currently residing in the computer’s memory. If the whitelist is not applicable to this memory scan, the keylogger’s background process will again be blocked. Therefore, it is recommended to thoroughly test the keylogger before actually putting it to use.
  • If the victim is extremely tech savvy, say an experienced programmer, they might be able to manually spot the keylogger running in the background process while checking the task manager. However unlikely, this is still a possibility. While you’re testing the keylogger, be sure to look at the list of background processes and see if the keylogger’s process has a very obvious name. It wouldn’t be very subtle if your victim could simply spot Definitely-Not-A-Keylogger.exe running in the background.
  • What if you don’t have access to the device? How many people let you freely use their device? How many people do you give your own devices to? This is a major roadblock. One that can only be overcome by proper hacking.

3. Proper hacking

Things like keyloggers and phishing can hardly be called real hacking. These are excuses and shortcuts and not real hacks. Do not let this discourage you, but I must be a bit tough now. If you truly wish to learn hacking, you should probably aim for something a little less petty than hacking someone’s Facebook account. This is not what this website is meant to be and most people who’ve arrived at this page are looking for a quick and easy trick that does not exist. People like these give hacking a bad name.

It takes effort to learn penetration testing, it may take months before a beginner can get a grasp on a programming language, perhaps years before they can develop their own exploits. This is what real hacking looks like. If you wish to go down this road, there are tons of resources out there to help you (this website, for one).


