All good pentesters have their own “survival kit” with a lot of tools and scripts grabbed here and there. Here is a new one released a few days ago: FacebookPasswordDecryptor.
“FacebookPasswordDecryptor – small, simple, free, and yet truly reliable application that helps you recover stored Facebook account passwords, quickly and easily. Truly great little tool that works like a charm. Highly-recommended.”
Again, the well-known social website is a nice target for pentesters. But this time, there is neither a brute-force attack nor invasive cracking. The real targets are just the tools used to store the credentials and their poorly implemented security. More details about how these applications store Facebook passwords are available here.
Once installed, it will scan the stored data of the following applications:
- Internet Explorer (all versions from 4 to the newest)
- Google Chrome
- Opera Browser
- Paltalk Messenger
- Miranda Messenger
If interesting stuff is found, just click on “Show password” to reveal it:
You can install the tool in your regular Windows environment but, even more interesting, there is a portable version which can be used right from a USB stick…
As a conclusion (or reminder), do NOT store your passwords in your browsers/instant messaging applications! Use a strong password manager.
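The recommendation above can also be enforced rather than left to each user. The following PowerShell snippet is an added example, not part of the original post or of the tool described: it sets the standard Google Chrome and Internet Explorer policy registry values that stop the browser from saving form passwords, so there is nothing for a recovery tool to find on the disk. It assumes an elevated session on a Windows machine; the policy names and paths are the documented ones, but test on a single host before deploying through Group Policy.

```powershell
# Added example (not from the original post): enforce "do not store passwords in the browser"
# through the Chrome and Internet Explorer policy registry keys.
# Run from an elevated PowerShell session; HKLM requires administrator rights.

$policies = @(
    # Google Chrome: PasswordManagerEnabled = 0 disables saving passwords and offering saved ones.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
       Name = 'PasswordManagerEnabled'; Value = 0; Type = 'DWord' },
    # Internet Explorer: turn off AutoComplete for user names and passwords on forms.
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel'
       Name = 'FormSuggest Passwords'; Value = 'no'; Type = 'String' },
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel'
       Name = 'FormSuggest'; Value = 'no'; Type = 'String' }
)

foreach ($p in $policies) {
    # Create the policy key if it does not exist yet, then write the value.
    if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
    New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value `
        -PropertyType $p.Type -Force | Out-Null
}

# Audit step: read back the effective values so the change can be verified.
foreach ($p in $policies) {
    $current = (Get-ItemProperty -Path $p.Path -Name $p.Name).($p.Name)
    '{0}\{1} = {2}' -f $p.Path, $p.Name, $current
}
```

Note that these policies prevent new credentials from being saved; passwords already stored by the browser should still be removed through the browser's own settings, which is the part the scanning tool above relies on.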
The application can be downloaded here.
All ff users/browsers should have a master password.
I added a Firefox Master Password and that stopped this tool. Unless I am missing something, it’s not doing anything you couldn’t do with the Options menu in Firefox, anyway.