“Who visited my Facebook profile?”, “Who unfriended me from their Facebook Friend list?” and “Who saw my Facebook posts?” are some of the most searched queries on Google. Facebook users want these features, which aren’t available by default.
You may have that one friend on Facebook who is very fond of his/her friend list. In fact, you may have many, and you may be one of them. They send friend requests to many people and accept requests from people they don’t even know. They check their friend list daily, and when they see the number of friends go down, they can’t work out who unfriended them.
To find out who, these users try out different software and apps that can alert them if anyone unfriends them on Facebook. One of those is Facebook UnfriendAlert. To use this software, you first need to provide your Facebook login credentials to give it access to your friend list. But beware, as this software/app can hack your Facebook account.
Hackers make use of this weakness and often design malicious programs in order to victimize a broad audience. While Unfriend Alert does not do anything inherently malicious to the system, its practices may still pose a threat to users who are not careful.
According to Malwarebytes Labs, UnfriendAlert, a free application that notifies you whenever someone removes you from their Facebook friend list, has been found collecting its users’ Facebook credentials.
How It Can Steal Your Facebook Password
The image below shows the traffic while installing and using Unfriend Alert to sign into a Facebook account. The yellow area shows Unfriend Alert reaching out to its own domain “yougotunfriended.com” in order to show a “thank you for installing” webpage. The green entries are the secure SSL traffic between the system and Facebook servers.
After login, the Facebook side of this app will show information about the profile; most users don’t see this because of Unfriend Alert’s user interface.
On close inspection, analyzing the Wireshark traffic from the same communication, we see the application beacon out once again to its domain, sending a “GET” request which was originally mistaken as a means for the application to send stolen Facebook credentials. In reality, the application is simply downloading the script required to parse through the friend list and log that information into a SQLite database file, located only on the user’s system. This file is then used by the application to compare between parses and provide the user with information as to who unfriended them.
Anyone familiar enough with malware analysis knows that GET requests can be used not only to retrieve information but also to send it, in the form of custom-designed requests that include dynamic data, which is later stored by the remote command and control servers and used to steal personal information from the user. A lot of botnet malware utilizes this trick. With that being said, we were too quick to jump to conclusions concerning whether or not Unfriend Alert was stealing passwords.
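One way to check a GET request for smuggled data instead of guessing from its destination is to log in with canary credentials during analysis and search every outbound GET URL for them. The following is an added example, not code from the original analysis; it assumes you already have decrypted request lines from an intercepting proxy, and the hosts, canary values and log format are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, unquote

# Constructed canary values: enter these in the app under test, never real credentials.
CANARIES = {"email": "canary.user@example.test", "password": "Canary-Pw-7731!"}

def encoded_forms(secret):
    """Encodings a client might apply before placing a value in a URL."""
    raw = secret.encode()
    return {
        "plain": secret,
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
        "hex": raw.hex(),
    }

def find_leaks(request_lines, canaries):
    """Return (host, field, canary, encoding) for each GET field carrying a canary."""
    hits = []
    for line in request_lines:
        method, _, url = line.strip().partition(" ")
        if method.upper() != "GET":
            continue
        parts = urlsplit(url)
        # Inspect the path plus each query key/value, percent-decoded.
        fields = [("path", unquote(parts.path))]
        for pair in filter(None, parts.query.split("&")):
            key, _, value = pair.partition("=")
            fields.append((unquote(key), unquote(value)))
        for field, value in fields:
            for name, secret in canaries.items():
                for encoding, form in encoded_forms(secret).items():
                    haystack = value.lower() if encoding == "hex" else value
                    if form in haystack:
                        hits.append((parts.hostname, field, name, encoding))
                        break  # report one encoding per field and canary
    return hits

# Constructed proxy-log lines ("METHOD URL"); hosts are placeholders.
_b64_pw = base64.b64encode(CANARIES["password"].encode()).decode()
SAMPLE_REQUESTS = [
    "GET https://vendor.example.test/thanks?version=1.0",
    "GET https://vendor.example.test/parser.js?build=42",
    "POST https://login.example.test/session",
    f"GET https://vendor.example.test/ping?u=canary.user%40example.test&d={_b64_pw}",
]

if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_REQUESTS, CANARIES):
        print("canary in GET:", hit)
```

An empty result only rules out the encodings checked here; a client that encrypts or splits the value before sending it would not be caught by substring matching.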