Acegi – Security Framework for Java Applications

Security, specifically authentication and authorization, is one of the most tedious and difficult aspects of application development. Most multi-user applications must confirm that a user is who he says he is and then that he has the appropriate authorized access to the necessary resources, so security is also one of the most important aspects. The collision of these two facts makes security easy to forget, error prone, and potentially dangerous, especially in enterprise applications.

While the J2EE specification and JAAS, the Java Authentication and Authorization Service, are a step in the right direction, they are far from complete. Every application server vendor is free to implement container security differently, and none is required to use JAAS. This leads to portability and user management constraints. Furthermore, neither approaches security in the manner described above, as a cross-cutting aspect.

Enter the Acegi Security framework, an open source security framework designed for Spring. Created by Ben Alex, the framework has begun to gather a loyal following for its comprehensive list of features, excellent unit test coverage, ease of use, and loosely coupled integration with Spring. While the framework was purposely designed for Spring, there is no reason it could not be used with non-Spring applications, especially web applications.

This article introduces Acegi, its core components, and their configuration via Spring’s application context. With this knowledge, we will implement authentication and authorization services for a simple web application.


Before deciding to grant or deny access to a resource, the user must provide the appropriate security identification. For this reason, Acegi provides two key interfaces for providing authentication services — Authentication and AuthenticationManager. Let’s examine each of these to find out how they form a complete authentication system.

The Authentication interface holds three important objects. The first is the principal, which identifies the caller (user). The second is the credentials that prove the identity of the caller; for traditional logins, this is the password that goes with the username. The final object contained by the Authentication interface is an array of the authorities granted to the principal.

During the authentication process, an implementation of the Authentication interface is populated with the principal and credentials by client code. For example, a web application presents the user with a prompt for username and password. The supplied username and password are then used to create the Authentication object. Yet, that still leaves one of the three contained objects empty, the array of granted authorities. Here is where the AuthenticationManager plays its role in the authentication chain.

AuthenticationManager specifies a single method, authenticate.

public Authentication authenticate(Authentication authentication) throws AuthenticationException;

This method takes the two-thirds populated Authentication object as a parameter. From there, the method has two options: either return a fully populated Authentication object or throw an AuthenticationException. If the correct principal and credentials were provided, the AuthenticationManager does the former, supplementing the object with the authorities granted to the authenticated principal. Should authentication fail, an AuthenticationException is thrown whose subclass represents the reason.

The most important subclasses are BadCredentialsException, DisabledException, and LockedException. The first is thrown when the principal and credentials do not match. The other two are thrown when the account is disabled or locked out, respectively; in those cases the credentials are not checked and authentication is denied. Whatever the subclass, the message shown to the user should be the same for an unknown username and for a wrong password; otherwise the login form becomes a way to enumerate valid accounts.

Authentication Providers

While the above interfaces are important, especially to developers creating custom authentication mechanisms for Acegi, the primary value for most is an understanding of the authentication chain. Most developers should use one of the provider-based authentication packages included. The most common implementation of AuthenticationManager is the ProviderManager.

For all practical purposes, the ProviderManager is nothing more than a wrapper around a list of one or more AuthenticationProviders. During authentication it cycles through the list until a provider that supports the Authentication type is located, then delegates its own authenticate method to that provider, which either returns the fully populated Authentication object or throws an AuthenticationException. That result is what the ProviderManager returns (or throws) to the caller. If no provider supports the request, the ProviderManager throws a ProviderNotFoundException itself.

Several AuthenticationProvider implementations ship with the Acegi Security System, including ones for JAAS and JBoss authentication. For this article we will use the DaoAuthenticationProvider, which authenticates a username and password combination against a repository such as a database or an in-memory map. This provider is easy to understand, configure, and demonstrate; readers should examine the others to find the one that suits their needs best.

With each level of abstraction and delegation comes flexibility. The DaoAuthenticationProvider delegates to an implementation of the AuthenticationDao interface, which has a single method, loadUserByUsername. It takes a username and loads that user’s details (password, enabled flag, granted authorities); the provider then compares the supplied credentials against them. Developers are free to write their own implementation, for example using Hibernate; however, Acegi ships with two very useful ones, a JDBC-based and an in-memory implementation. For simplicity, this article uses the latter, InMemoryDaoImpl.
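The chain just described, as an added example in Python that models Acegi’s behaviour rather than reproducing its code. Class and method names follow the page (ProviderManager, DaoAuthenticationProvider, loadUserByUsername, the three exception subclasses); the ProviderNotFoundException raised when no provider supports the request, the hashed password store, and the two extra accounts are assumptions made for this illustration.

```python
"""Model of the Acegi authentication chain (added illustration, not Acegi code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


class AuthenticationException(Exception):
    """Base class; the subclass says why authentication failed."""


class BadCredentialsException(AuthenticationException):
    pass


class DisabledException(AuthenticationException):
    pass


class LockedException(AuthenticationException):
    pass


class ProviderNotFoundException(AuthenticationException):
    """Assumed: raised when no provider supports the Authentication type."""


@dataclass
class Authentication:
    """Principal and credentials come from the client; authorities are filled in later."""
    principal: str
    credentials: Optional[str]
    authorities: Tuple[str, ...] = ()
    authenticated: bool = False


@dataclass
class UserDetails:
    """What loadUserByUsername returns. Only a password hash is stored."""
    username: str
    password_hash: str
    authorities: Tuple[str, ...]
    enabled: bool = True
    locked: bool = False


def hash_password(password: str) -> str:
    # Unsalted SHA-256 keeps the example short; use a salted, slow hash in production.
    return hashlib.sha256(password.encode()).hexdigest()


class InMemoryAuthenticationDao:
    """AuthenticationDao backed by a dict, exposing the interface's single method."""

    def __init__(self, users):
        self._users = {u.username: u for u in users}

    def load_user_by_username(self, username: str) -> Optional[UserDetails]:
        return self._users.get(username)


class DaoAuthenticationProvider:
    def __init__(self, dao):
        self.dao = dao

    def supports(self, authentication) -> bool:
        return isinstance(authentication, Authentication)

    def authenticate(self, auth: Authentication) -> Authentication:
        user = self.dao.load_user_by_username(auth.principal)
        # Unknown user and wrong password raise the same exception with the same
        # message, so the login form cannot be used to enumerate valid usernames.
        if user is None:
            raise BadCredentialsException("Bad credentials")
        # Account state is checked before the password, as the page describes.
        if not user.enabled:
            raise DisabledException("Account disabled")
        if user.locked:
            raise LockedException("Account locked")
        if auth.credentials is None or not hmac.compare_digest(
                user.password_hash, hash_password(auth.credentials)):
            raise BadCredentialsException("Bad credentials")
        # Fully populated result: the granted authorities are now present.
        return Authentication(auth.principal, auth.credentials, user.authorities, True)


class ProviderManager:
    """Wrapper over a list of providers: the first compatible one decides."""

    def __init__(self, providers):
        self.providers = list(providers)

    def authenticate(self, auth: Authentication) -> Authentication:
        for provider in self.providers:
            if provider.supports(auth):
                return provider.authenticate(auth)  # returns or raises
        raise ProviderNotFoundException("No provider for %s" % type(auth).__name__)


def build_manager() -> ProviderManager:
    """The page's configuration in code, plus two constructed accounts."""
    dao = InMemoryAuthenticationDao([
        UserDetails("matthew", hash_password("contegix"), ("ROLE_ADMIN",)),
        UserDetails("dormant", hash_password("secret"), ("ROLE_USER",), enabled=False),
        UserDetails("bruteforced", hash_password("secret"), ("ROLE_USER",), locked=True),
    ])
    return ProviderManager([DaoAuthenticationProvider(dao)])


def attempt(manager: ProviderManager, username: str, password: str):
    """Return the granted authorities on success, or the exception name on failure."""
    try:
        return manager.authenticate(Authentication(username, password)).authorities
    except AuthenticationException as exc:
        return type(exc).__name__


if __name__ == "__main__":
    m = build_manager()
    for user, pw in [("matthew", "contegix"), ("matthew", "wrong"), ("nobody", "x"),
                     ("dormant", "secret"), ("bruteforced", "secret")]:
        print(user, pw, "->", attempt(m, user, pw))
```

Running the block shows one success with ROLE_ADMIN attached and four failures whose exception type names the reason; note that the unknown user and the wrong password are indistinguishable from the outside.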

Enough with the explanation and abstraction; let’s configure the components just described, starting with the AuthenticationDao. (This article assumes the reader is vaguely familiar with Spring XML configuration.) The configuration below creates an instance of InMemoryDaoImpl with a user named “matthew”, whose password is “contegix” and whose sole granted authority is “ROLE_ADMIN”. Passwords in this map are stored in plain text, which is acceptable for a demonstration but not for a deployed user store.


<bean id="memoryAuthenticationDao" class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
    <property name="userMap">
        <value>matthew=contegix,ROLE_ADMIN</value>
    </property>
</bean>

Excellent. The next step is to create the DaoAuthenticationProvider, with the memory authentication DAO supplied as its authenticationDao.


<bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="authenticationDao">
        <ref local="memoryAuthenticationDao"/>
    </property>
</bean>

Finally, let’s take the next step up and create the authentication manager, a ProviderManager, with the DAO authentication provider as its sole provider.


<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref bean="daoAuthenticationProvider"/>
        </list>
    </property>
</bean>

At this point, the authentication manager is fully configured and ready for use. The next step is to tie this into our fictional web application.

There are a number of ways to perform authentication for web applications. The most prevalent are Basic Authentication, as defined in RFC 1945, Section 11, and form-based login backed by the HTTP session. For our fictional application, we will use the latter.

Acegi performs HTTP session authentication through a servlet filter. The filter, AuthenticationProcessingFilter, processes a login form that posts two parameters, j_username and j_password. One unique aspect of the Acegi filters is that the filter declared in web.xml is a FilterToBeanProxy, which delegates to a bean defined in Spring’s application context. Therefore, every Acegi filter is declared as an instance of this class and must be given either a targetClass or a targetBean initialization parameter identifying the bean in the application context. The bean, rather than the web.xml filter declaration, carries the authentication parameters.


<filter>
    <filter-name>Acegi Authentication Processing Filter</filter-name>
    <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
        <param-name>targetClass</param-name>
        <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>Acegi Authentication Processing Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


<bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager">
        <ref bean="authenticationManager"/>
    </property>
    <!-- The URLs below are placeholders; substitute your application's own pages. -->
    <property name="authenticationFailureUrl">
        <value>/login.jsp?login_error=1</value>
    </property>
    <property name="defaultTargetUrl">
        <value>/</value>
    </property>
    <property name="filterProcessesUrl">
        <value>/j_acegi_security_check</value>
    </property>
</bean>

Let’s look at the properties passed to the AuthenticationProcessingFilter bean. The first property is self-explanatory: a reference to the configured authentication manager, which the filter uses to run the authentication chain.

If authentication fails, the browser is redirected to the URL in authenticationFailureUrl. If it succeeds, the browser is redirected to the protected URL that triggered the login, so the user lands where he was trying to go. If no such URL was saved, for example because the user went straight to the login page, defaultTargetUrl specifies where he is sent.

Finally, filterProcessesUrl is the URL that activates this filter; Acegi’s default is /j_acegi_security_check. The login form’s action attribute must point at this URL, and the form must submit the j_username and j_password fields.

Now that our fictional application can authenticate users, let’s begin placing access constraints on resources.


The concept of security interception is key to protecting resources under Acegi. Before access to a resource, the interceptor determines whether the resource is protected. If so, it examines who made the call (the principal) and whether access should be granted, and on that basis either allows the request or rejects it. Let’s examine in depth how this process occurs.

Tracing the authorization chain, the security interceptor intercepts a request for a protected resource. Assuming the user is authenticated, it delegates to an implementation of AccessDecisionManager, passing it the authenticated Authentication object, the resource’s configuration attributes, and the resource itself. The final access decision rests with the AccessDecisionManager.

While developers are welcome to implement a custom AccessDecisionManager when appropriate, most situations are served by the shipped implementations, which are based on voting. Acegi currently ships with three implementations of AccessDecisionManager that tally votes: ConsensusBased, UnanimousBased, and AffirmativeBased. ConsensusBased grants or denies access based on the majority of the non-abstain votes. As the name suggests, UnanimousBased grants access only if no voter votes to deny, ignoring abstains. AffirmativeBased grants access if at least one grant vote is received, regardless of any deny votes.

The question that should come to mind is how a voting AccessDecisionManager decides which way to cast a vote. Here is where AccessDecisionVoters play their role in the authorization chain. The sole implementation shipped is the RoleVoter, which grants access if the principal has been assigned the required role. Role assignments are the elements of the granted authority array of the authenticated Authentication object. In other words, if a resource requires ROLE_SUPERVISOR, the user is granted access if that authority was among those he received when he authenticated. Note that RoleVoter only considers configuration attributes that begin with its prefix, ROLE_ by default: it abstains on any attribute without that prefix, grants when the principal holds at least one of the prefixed attributes, and denies when prefixed attributes are present but the principal holds none of them.

For our fictional application, the UnanimousBased implementation with the RoleVoter will suffice; however, it is important to understand the structure and role of AccessDecisionManagers in Acegi. Please consult the reference documentation to learn more.

Let’s configure the authorization system by crawling back up the chain, starting with the RoleVoter and UnanimousBased.


<bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>

<bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.UnanimousBased">
    <property name="allowIfAllAbstainDecisions">
        <value>false</value>
    </property>
    <property name="decisionVoters">
        <list>
            <ref local="roleVoter"/>
        </list>
    </property>
</bean>

The RoleVoter exists as a simple bean instantiation with no properties. The UnanimousBased has two properties configured. The first, allowIfAllAbstainDecisions, determines whether access is granted when every AccessDecisionVoter abstains; leave it false, so that a URL whose attributes no voter understands (for instance a role written without the ROLE_ prefix) is denied rather than silently opened. The second is a reference to the instantiated RoleVoter.
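The three voting managers and the RoleVoter, as an added Python model (not Acegi’s code) so the differences described above can be checked on concrete votes. The vote values and the allowIfAllAbstainDecisions switch follow the page; that UnanimousBased polls each configuration attribute separately is an assumption taken from later Acegi and Spring Security source, and it is what makes UnanimousBased deny a principal holding only ROLE_USER against the attribute list ROLE_USER,ROLE_SUPERVISOR while the other two managers grant.

```python
"""Model of Acegi's voting AccessDecisionManagers and RoleVoter (added illustration)."""
from typing import Sequence

ACCESS_GRANTED, ACCESS_DENIED, ACCESS_ABSTAIN = 1, -1, 0


class AccessDeniedException(Exception):
    pass


class RoleVoter:
    """Votes only on attributes carrying its prefix (ROLE_ by default); abstains otherwise."""

    def __init__(self, prefix: str = "ROLE_"):
        self.prefix = prefix

    def vote(self, authorities: Sequence[str], attributes: Sequence[str]) -> int:
        result = ACCESS_ABSTAIN
        for attr in attributes:
            if not attr.startswith(self.prefix):
                continue                    # e.g. "SUPERVISOR": not this voter's concern
            result = ACCESS_DENIED          # a role attribute exists; grant only if held
            if attr in authorities:
                return ACCESS_GRANTED
        return result


class VotingManager:
    def __init__(self, voters, allow_if_all_abstain: bool = False):
        self.voters = list(voters)
        self.allow_if_all_abstain = allow_if_all_abstain

    def _tally(self, authorities, attributes):
        votes = [v.vote(authorities, attributes) for v in self.voters]
        return votes.count(ACCESS_GRANTED), votes.count(ACCESS_DENIED)

    def _all_abstained(self):
        if not self.allow_if_all_abstain:
            raise AccessDeniedException("every voter abstained")


class AffirmativeBased(VotingManager):
    """One grant is enough; deny votes are disregarded."""

    def decide(self, authorities, attributes):
        grants, denies = self._tally(authorities, attributes)
        if grants > 0:
            return
        if denies > 0:
            raise AccessDeniedException("denied")
        self._all_abstained()


class ConsensusBased(VotingManager):
    """Majority of the non-abstain votes; a tie is allowed by default."""
    allow_if_equal = True

    def decide(self, authorities, attributes):
        grants, denies = self._tally(authorities, attributes)
        if grants > denies:
            return
        if denies > grants or (denies == grants > 0 and not self.allow_if_equal):
            raise AccessDeniedException("denied")
        if grants == denies == 0:
            self._all_abstained()


class UnanimousBased(VotingManager):
    """Any deny loses. Each attribute is polled separately (assumed, see lead-in)."""

    def decide(self, authorities, attributes):
        grants = 0
        for attr in attributes:
            g, d = self._tally(authorities, [attr])
            if d > 0:
                raise AccessDeniedException("denied on %s" % attr)
            grants += g
        if grants == 0:
            self._all_abstained()


def allowed(manager, authorities, attributes) -> bool:
    """True when decide() returns, False when it raises AccessDeniedException."""
    try:
        manager.decide(authorities, attributes)
        return True
    except AccessDeniedException:
        return False


def compare(authorities, attributes, allow_if_all_abstain: bool = False):
    """Run the same vote through all three managers; returns {manager name: granted?}."""
    return {cls.__name__: allowed(cls([RoleVoter()], allow_if_all_abstain), authorities, attributes)
            for cls in (AffirmativeBased, ConsensusBased, UnanimousBased)}


if __name__ == "__main__":
    print(compare(("ROLE_USER",), ["ROLE_USER", "ROLE_SUPERVISOR"]))
    print(compare(("ROLE_SUPERVISOR",), ["SUPERVISOR"]))        # prefix missing: all abstain
    print(compare(("ROLE_SUPERVISOR",), ["SUPERVISOR"], True))  # abstains now open the door
```

The second and third calls show why allowIfAllAbstainDecisions should stay false: an attribute written as SUPERVISOR instead of ROLE_SUPERVISOR draws only abstains, and with the switch on, every manager grants access to anyone.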

The next step is to configure the security interception system. In the case of web applications, security interception is done using a servlet filter, SecurityEnforcementFilter, in combination with the FilterSecurityInterceptor. These two objects work together to provide authorization decisions for URL-based resources. For the most part, the filter handles session management and redirection to the login page (as specified by an AuthenticationEntryPoint object) while delegating to the interceptor for security decisions.

As before, the filter is declared in web.xml through FilterToBeanProxy, which retrieves the configured bean from the application context. Filter mappings are applied in the order they appear in web.xml, so this mapping belongs after the authentication processing filter’s mapping, so that a login submission is processed before enforcement is applied to the same request.


<filter>
    <filter-name>Acegi HTTP Request Security Filter</filter-name>
    <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
        <param-name>targetClass</param-name>
        <param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>Acegi HTTP Request Security Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


<bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
    <property name="filterSecurityInterceptor">
        <ref bean="filterInvocationInterceptor"/>
    </property>
    <property name="authenticationEntryPoint">
        <ref bean="authenticationEntryPoint"/>
    </property>
</bean>

<bean id="authenticationEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <!-- Placeholder; substitute your application's login page. -->
    <property name="loginFormUrl">
        <value>/login.jsp</value>
    </property>
</bean>

<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager">
        <ref bean="authenticationManager"/>
    </property>
    <property name="accessDecisionManager">
        <ref bean="accessDecisionManager"/>
    </property>
    <property name="objectDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /secure/super/**=ROLE_SUPERVISOR
            /secure/**=ROLE_USER,ROLE_SUPERVISOR
        </value>
    </property>
</bean>

Starting from the bottom, a FilterSecurityInterceptor is declared and passed both the authentication manager and the access decision manager. It also receives an objectDefinitionSource, a list of directives and URL-to-role mappings in which each line has a specific meaning. The first value, CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON, tells the interceptor to lowercase the request URL before matching it, so the patterns must be written in lowercase. This directive is worth keeping: on a container or file system that serves /Secure/report and /secure/report as the same resource, a case-sensitive pattern would let a request with unusual capitalization bypass the check. PATTERN_TYPE_APACHE_ANT tells the interceptor to read the remaining lines as Apache Ant style patterns (where ** spans directories) rather than the default regular expressions. (This is a personal preference of the author and is not required.)

The final two values are URL patterns to secure. The left-hand side of the equals sign is the URL pattern and the right-hand side lists the roles that allow a grant vote. In this example, anything under /secure/super/ is accessible only to principals holding ROLE_SUPERVISOR, while the rest of /secure/ is intended to be accessible to principals with either ROLE_USER or ROLE_SUPERVISOR. Two caveats apply. First, the interceptor uses the first pattern that matches the request, so the more specific /secure/super/** line must come before /secure/**; reverse them and every supervisor-only URL is governed by the broader rule. Second, later Acegi releases (and Spring Security, its successor) have UnanimousBased poll each attribute separately, in which case a comma-separated list under UnanimousBased with RoleVoter means the principal must hold every listed role; if your release behaves that way, AffirmativeBased gives the “either” semantics intended here, and in any case test the exact combination you deploy.
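The objectDefinitionSource evaluation, as an added Python model (not Acegi’s code): it parses the two directives and the URL lines, applies first-match semantics, and shows what goes wrong when the lines are reordered or the lowercase directive is dropped. The Ant matcher is a simplified one written for this example (** spans directories, * and ? stay within one path segment), the access check at the end is a plain “holds any listed role” test standing in for the voters, and the URLs are constructed.

```python
"""Model of FilterSecurityInterceptor's objectDefinitionSource handling (added illustration)."""
import re
from typing import Optional, Tuple

LOWERCASE = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON"
ANT = "PATTERN_TYPE_APACHE_ANT"


def ant_to_regex(pattern: str) -> "re.Pattern":
    """Simplified Ant pattern: ** crosses '/', * and ? do not."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            out += "[^/]*"
        elif ch == "?":
            out += "[^/]"
        else:
            out += re.escape(ch)
        i += 1
    return re.compile(out)


class ObjectDefinitionSource:
    def __init__(self, text: str):
        self.lowercase = False
        self.ant = False
        self.rules = []                      # (pattern, compiled, attributes) in file order
        for raw in text.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line == LOWERCASE:
                self.lowercase = True
            elif line == ANT:
                self.ant = True
            else:
                pattern, _, attrs = line.partition("=")
                pattern = pattern.strip()
                compiled = ant_to_regex(pattern) if self.ant else re.compile(pattern)
                self.rules.append((pattern, compiled,
                                   tuple(a.strip() for a in attrs.split(","))))

    def attributes(self, url: str) -> Optional[Tuple[str, ...]]:
        """Roles required for url, or None when no pattern claims it."""
        if self.lowercase:
            url = url.lower()                # patterns must then be written in lowercase
        for _pattern, compiled, attrs in self.rules:
            if compiled.fullmatch(url):
                return attrs                 # first match wins: list most specific first
        return None


PAGE_SOURCE = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/secure/super/**=ROLE_SUPERVISOR
/secure/**=ROLE_USER,ROLE_SUPERVISOR
"""

# Same rules, wrong order: the broad pattern shadows the specific one.
SHADOWED_SOURCE = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/secure/**=ROLE_USER,ROLE_SUPERVISOR
/secure/super/**=ROLE_SUPERVISOR
"""

# Same rules without the lowercase directive.
CASE_SENSITIVE_SOURCE = PAGE_SOURCE.replace(LOWERCASE + "\n", "")


def required_roles(source_text: str, url: str) -> Optional[Tuple[str, ...]]:
    return ObjectDefinitionSource(source_text).attributes(url)


def can_access(source_text: str, url: str, authorities: Tuple[str, ...]) -> bool:
    """Interceptor outcome with a 'holds any listed role' check in place of the voters."""
    attrs = required_roles(source_text, url)
    if attrs is None:
        return True                          # unlisted URL: not intercepted at all
    return any(a in authorities for a in attrs)


if __name__ == "__main__":
    for name, src in [("page", PAGE_SOURCE), ("shadowed", SHADOWED_SOURCE),
                      ("case-sensitive", CASE_SENSITIVE_SOURCE)]:
        for url in ("/secure/super/report", "/Secure/Super/report", "/secure/home", "/index.jsp"):
            print(name, url, required_roles(src, url), can_access(src, url, ("ROLE_USER",)))
```

With the page’s ordering a ROLE_USER principal is refused under /secure/super/; with the shadowed ordering the same principal gets in, and without the lowercase directive /Secure/Super/report matches nothing and is not intercepted at all.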

The AuthenticationEntryPoint is invoked when an unauthenticated user requests a protected URL; here it redirects to the login form. Finally, the SecurityEnforcementFilter bean, the targetClass named in web.xml, is declared and passed references to the AuthenticationEntryPoint and the FilterSecurityInterceptor.

Voila! Our example application now has everything it needs to authenticate users and protect at least two URL resources by role. One thing to verify before testing: the only user configured earlier, matthew, holds ROLE_ADMIN, which matches neither pattern, so he will be denied under /secure/ until his entry also grants ROLE_USER or ROLE_SUPERVISOR.


Acegi is one of the best security frameworks available for the Java platform. Even though the configuration uses Spring, this article demonstrates the power of the system while showing there is no reason it cannot be used even without integrating Spring into your application. Furthermore, the entire framework serves as an excellent example of extensibility through abstraction.


Posted by on May 19, 2012 in Uncategorized



jQuery vs MooTools – Which One Is The Best?

These two frameworks aren’t trying to do the same things. They overlap in the functionality they provide, but their goals differ.

Opposite Directions

MooTools is aimed more at JavaScript developers, while jQuery is more for people who want to implement JavaScript functionality in the easiest possible way.

jQuery is for people who aren’t necessarily interested in delving deep into JavaScript while MooTools provides an object-oriented framework for hardcore JavaScript development. This is why most people find MooTools harder to use in comparison to jQuery.

jQuery makes working with the DOM easier. MooTools makes working with all of the JavaScript language – not just the DOM – easier.

Both are fantastic libraries/frameworks, and I think the better question for you to ask is: which one should I use for this project?

This can be determined by circumstances beyond your control e.g. The project leadership has already selected a framework for you, or the application development framework you are developing on is already using one over the other – and you may wish to avoid bloating-up your application with multiple libraries and increasing load times (not to mention script conflicts).

Different Camps

Here’s an example of what the world’s most popular PHP content frameworks have chosen:

Drupal – jQuery
WordPress – jQuery
Joomla – MooTools

I work in each of these environments and I recommend that anyone doing the same view jQuery and MooTools as tools, not competitors. You might simply prefer one over the other; at the end of the day they are just JavaScript, and there is a right tool for the job at hand.


Posted by on October 30, 2011 in Uncategorized


Power Of Social Media-Revolution.

Watch the video and see for yourself how powerful, lethal and amazing social media’s impact is on everyone’s daily life.



Posted by on October 6, 2011 in Uncategorized


How Does Facebook Work? -Technologies Used

Social networking is the art of connecting with those who share common interests. Your ‘network’ is a community that helps keep you united with others and offers many benefits. Networking via social media sites has revolutionized how we use the Internet and is at the forefront of what we now call Web 2.0.

Facebook is social networking. People have been “facebooking” each other for about 6 years now, making Facebook the most used social network with over 350 million users worldwide. But how does Facebook work?

In this article, I will discuss Facebook’s inner workings, covering its architecture and front-end/back-end infrastructure: the nuts and bolts that hold Facebook together.

How Does Facebook Work? The Front End

Facebook uses a variety of services, tools, and programming languages to make up its core infrastructure. At the front end, their servers run a LAMP (Linux, Apache, MySQL, and PHP) stack with Memcache. Not a computer science expert? Let’s take a look at exactly what that means.

Linux & Apache


This part is pretty self-explanatory. Linux is a Unix-like computer operating system kernel. It’s open source, very customizable, and good for security. Facebook runs the Linux operating system on Apache HTTP Servers. Apache is also free and is the most popular open source web server in use.



For the database, Facebook utilizes MySQL because of its speed and reliability. MySQL is used primarily as a key-value store as data is randomly distributed amongst a large set of logical instances. These logical instances are spread out across physical nodes and load balancing is done at the physical node level.

As far as customizations are concerned, Facebook has developed a custom partitioning scheme in which a global ID is assigned to all data. They also have a custom archiving scheme that is based on how frequent and recent data is on a per-user basis. Most data is distributed randomly.



Facebook uses PHP because it is a good web programming language with extensive support and an active developer community and it is good for rapid iteration. PHP is a dynamically typed/interpreted scripting language.



Memcache is a memory caching system that is used to speed up dynamic database-driven websites (like Facebook) by caching data and objects in RAM to reduce reading time. Memcache is Facebook’s primary form of caching and helps alleviate the database load.

Having a caching system allows Facebook to be as fast as it is at recalling your data. If it doesn’t have to go to the database it will just fetch your data from the cache based on your user ID.

Downsides to Using LAMP

Facebook has realized that there are downsides to using the LAMP stack. Notably, PHP is not necessarily optimized for large websites and therefore hard to scale. Also, it is not the fastest executing language and the extension framework is difficult to use.


Mike Schroepfer, Facebook’s Vice President of Engineering, recently did an interview at EmTech@MIT concerning this. “Scaling any website is a challenge,” Schroepfer said, “but scaling a social network has unique challenges.”

He went on to say that unlike other websites, you can’t just add more servers to solve the problem because of Facebook’s “huge interconnected dataset.” New connections are created all the time due to user activity.

Facebook has grown so quickly that they are often faced with issues regarding database queries, caching, and storage of data. Their database is huge and largely complex. To account for this, Facebook has started a lot of open source projects and backend services.

How Does Facebook Work? The Back End

Facebook’s backend services are written in a variety of different programming languages including C++, Java, Python, and Erlang. Their philosophy for the creation of services is as follows:

1. Create a service if needed

2. Create a framework/toolset for easier creation of services

3. Use the right programming language for the task

A list of all of Facebook’s open source developments can be found here. I will discuss a few of the essential tools that Facebook has developed.

Thrift (protocol)

Thrift is a lightweight remote procedure call framework for scalable cross-language services development. Thrift supports C++, PHP, Python, Perl, Java, Ruby, Erlang, and others. It’s quick, saves development time, and provides a division of labor between work on high-performance servers and work on applications.

Scribe (log server)

Scribe is a server for aggregating log data streamed in real-time from many other servers. It is a scalable framework useful for logging a wide array of data. It is built on top of Thrift.

Cassandra (database)


Cassandra is a database management system designed to handle large amounts of data spread out across many servers. It powers Facebook’s Inbox Search feature and provides a structured key-value store with eventual consistency.

HipHop for PHP

HipHop for PHP is a source code transformer for PHP script code and was created to save server resources. HipHop transforms PHP source code into optimized C++. After doing this, it uses g++ to compile it to machine code.


In a nutshell, that’s Facebook. This article could easily be 37 pages longer if I were to go into more detail, but to answer the question “How does Facebook work?” I think this will suffice. If you look past all of the features and innovations, the main idea behind Facebook is really very basic: keeping people connected. Facebook realizes the power of social networking and is constantly innovating to keep their service the best in the business.

Did you find this article useful? Leave your thoughts, comments, and ideas below!


Posted by on October 5, 2011 in Uncategorized


10 Essential Fundamentals to User Interface Design

1. Know your user

“Obsess over customers: when given the choice between obsessing over competitors or customers, always obsess over customers. Start with customers and work backward.” – Jeff Bezos

Your user’s goals are your goals, so learn them. Restate them, repeat them. Then, learn about your user’s skills and experience, and what they need. Find out what interfaces they like and sit down and watch how they use them. Do not get carried away trying to keep up with the competition by mimicking trendy design styles or adding new features. By focusing on your user first, you will be able to create an interface that lets them achieve their goals.

2. Pay attention to patterns

Users spend the majority of their time on interfaces other than your own (Facebook, MySpace, Blogger, Bank of America, school/university, news websites, etc). There is no need to reinvent the wheel. Those interfaces may solve some of the same problems that users perceive within the one you are creating. By using familiar UI patterns, you will help your users feel at home.

CoTweet uses a familiar UI pattern found in email applications.

3. Stay consistent

“The more users’ expectations prove right, the more they will feel in control of the system and the more they will like it.” – Jakob Nielsen

Your users need consistency. They need to know that once they learn to do something, they will be able to do it again. Language, layout, and design are just a few interface elements that need consistency. A consistent interface enables your users to have a better understanding of how things will work, increasing their efficiency.

4. Use visual hierarchy

“Designers can create normalcy out of chaos; they can clearly communicate ideas through the organizing and manipulating of words and pictures.” – Jeffrey Veen, The Art and Science of Web Design

Design your interface in a way that allows the user to focus on what is most important. The size, color, and placement of each element work together, creating a clear path to understanding your interface. A clear hierarchy will go great lengths in reducing the appearance of complexity (even when the actions themselves are complex).

5. Provide feedback

Your interface should at all times speak to your user, when his/her actions are both right and wrong or misunderstood. Always inform your users of actions, changes in state and errors, or exceptions that occur. Visual cues or simple messaging can show the user whether his or her actions have led to the expected result.

BantamLive provides inline loading indicators for most actions within their interface.

6. Be forgiving

No matter how clear your design is, people will make mistakes. Your UI should allow for and tolerate user error. Design ways for users to undo actions, and be forgiving with varied inputs (no one likes to start over because he/she put in the wrong birth date format). Also, if the user does cause an error, use your messaging as a teachable situation by showing what action was wrong, and ensure that she/he knows how to prevent the error from occurring again.

7. Empower your user

Once a user has become experienced with your interface, reward him/her and take off the training wheels. The breakdown of complex tasks into simple steps will become cumbersome and distracting. Providing more abstract ways, like keyboard shortcuts, to accomplish tasks will allow your design to get out of the way.

8. Speak their language

“If you think every pixel, every icon, every typeface matters, then you also need to believe every letter matters. ” – Getting Real

All interfaces require some level of copywriting. Keep things conversational, not sensational. Provide clear and concise labels for actions and keep your messaging simple. Your users will appreciate it, because they won’t hear you – they will hear themselves and/or their peers.

9. Keep it simple

“A modern paradox is that it’s simpler to create complex interfaces because it’s so complex to simplify them.” – Pär Almqvist

The best interface designs are invisible. They do not contain UI-bling or unnecessary elements. Instead, the necessary elements are succinct and make sense. Whenever you are thinking about adding a new feature or element to your interface, ask the question, “Does the user really need this?” or “Why does the user want this very clever animated gif?” Are you adding things because you like or want them? Never let your UI ego steal the show.

10. Keep moving forward

Grandpa Bud: If I gave up every time I failed, I would never have invented my fireproof pants!
[Pants burn up, revealing his underwear]
Grandpa Bud: Still working the kinks out a bit.

from Meet the Robinsons

Meet the Robinsons is one of the all-time great movies. Throughout the movie Lewis, the protagonist, is challenged to “keep moving forward.” This is a key principle in UI design.

It is often said when developing interfaces that you need to fail fast, and iterate often.

When creating a UI, you will make mistakes. Just keep moving forward, and remember to keep your UI out of the way.


Posted by on October 2, 2011 in Uncategorized


My Top 5 Social Media Dashboard Tools

Have you ever wished that all your favourite social networking sites could be accessed from a single dashboard? Well, then your wish came true a long time ago. The following article looks at some of the top social media dashboard tools.

So get going!

1.Threadsy: Unify your email, social networks

Threadsy is an intuitive, easy-to-use dashboard that allows organizations to connect through multiple email accounts as well as Facebook and Twitter. Free to use, Threadsy is great for managing your nonprofit or business’s brand from one clean dashboard across the big names in social media platforms. With no fees and no downloads, this service should make a splash in the space for both personal use and use by your organization.


2.Myweboo: Organize your information streams

Haven’t heard of Myweboo? That’s OK. This upstart startup invites users to discover, browse and read popular streams and share them with friends and followers. You or your organization can choose from a wide variety of “applications” to connect to and stream to a dashboard, from categories like news, social, fashion, photo and video. These streams can be viewed together or filtered from “My Dashboard” and then easily shared via Facebook, Twitter, LinkedIn, Flickr, Delicious and other networks. You’re in complete control of which sites will make up your dashboard. Free to use, Myweboo is run by an appealing brother-and-sister pair of young tech stars.


3.Hootsuite: Integrate all your platforms

My personal favorite is Hootsuite because of the depth of its products and services. Nonprofits and cause organizations can update multiple social media platforms (Twitter, Facebook and more) from a computer or iPhone, Android or BlackBerry device. A team of users can track results of their interactions and create a dashboard that will work efficiently with their preferred social streams. Hootsuite offers two versions. One is free and aggregates up to five social network and two RSS feeds; it stores stat history for 30 days and is ad supported. For $5.99 a month, your organization can enjoy unlimited capabilities for a single user, with each additional user costing $10 per month.


4.Spredfast: For teams of social marketers

Spredfast allows an organization not only to manage its social media presence but also to monitor and measure its voice across multiple social media channels from one easy-to-use dashboard. A great choice for organizations with multiple hands in social media marketing efforts, Spredfast offers superb organizational tools that help identify and assign tasks to multiple users across multiple social media sites ranging from Facebook and Twitter to LinkedIn and blogging platforms. It also lets you publish video to many video sites at once, similar to TubeMogul. Free for 30 days, Spredfast has pricing tiers that start around $212 per month for nonprofits. See the new writeup on Spredfast on our sister site,


5. MediaFunnel: Collaborative, permission-based system

Coordinate and manage your nonprofit’s social media presence with MediaFunnel, a collaboration platform that lets you navigate and moderate online conversations about your brand. One interesting feature: you can use MediaFunnel to manage your team members’ social media updates, say, by holding your intern’s tweets in a queue until approved by a supervisor (roles include admins, publishers and contributors). Chiefly geared to businesses, MediaFunnel makes it easy to combine several social media accounts and to offer solutions for presenting a brand’s presence through multiple voices. Scheduled tweets, brand alerts and tweets via email or SMS are supported.



Posted by on September 28, 2011 in Uncategorized


Facebook Security Vulnerability! I can Hack your Facebook Password.

A major security flaw on Facebook allows you to bypass the Security Question of your friend and reset the password with the help of 2 mutual friends. That is, once you bypass the Security Question, Facebook will then ask you to verify the account with the help of 3 friends.

Note: If you haven’t set your Security Question yet, then please do not bother to set any, because it’s useless. The most important thing you have to do now is “Register your Mobile” on Facebook if you haven’t yet. If you have already chosen your Security Question, then please read this post carefully to know how you can protect yourself from this attack.

Everyone knows that most websites prompt their users to select a security question, so that in case you forget your password, you can easily reset it. But when it comes to Facebook, things can become worse if you have selected your security question. There is an easy way to bypass Facebook’s Security Question.

Go to Facebook’s Forgot Password page, enter any of the details of your friend and click Search. Facebook will now search for the account associated with the information you provided. Select the account and click “This is My Account”. Next, Facebook will present to you the available options to recover the account.

[Image: facebook hacking]

Now click “No Longer have access to these?” and Facebook will ask for a new email address, so that it can send you messages about recovering the account. Enter the new email address and click Submit; as expected, there is also another level of security called “Security Question”. Now here comes the critical vulnerability: interestingly, if you provide wrong answers three times in a row, you will just bypass this level of security and Facebook will now provide another interesting way to get back the account with the help of 3 friends.

[Image: facebook friend hacking]

As you can see above, there are three steps involved in the recovery process. First you will have to select 3 Trusted Friends for help (if you are trying to hack your friend’s password, then you may select yourself and 2 more friends).

Note: Please select Trusted Friends only, because any of these friends can potentially gain access to your friend’s Facebook account through the standard password recovery process.

Once you select 3 Trusted Friends, Facebook will then email security codes to each of the selected friends. Now your job is to call your friends and get the 3 security codes. Once you collect the 3 security codes, enter them one by one in step 3. Finally, Facebook will allow you to reset the password through the standard email recovery process.

Important: Note that the victim’s account will be locked for 24 hours after this password change, and the user’s old email address will receive a notification of the password change, including the names of the 3 friends who were involved in it. Yes, you guessed it right: you could also create 3 fake profiles, add them to your victim’s friend list first and then carry out this hacking process.

How do I Protect Myself from This Attack?

As you can see, we easily bypassed Facebook’s Security Question, so there is no use in setting any security question. If you haven’t selected any Security Question on Facebook, just sit back and hang loose; don’t bother to set any. Just register your mobile on Facebook.

Note: It’s important that you register your mobile on Facebook.

Unfortunately it is not possible to update or remove your account’s security question once you have added one. So if you have already added a Security Question in your Account Settings, you are at risk. To avoid this attack, you will need to update your ‘Account Security’ in Account Settings.

1. Go to Account Settings and click ‘Account Security’. You will see the below options:

[Image: Facebook's Security Question vulnerability]

2. Check all three options. When you check the third option, called “Login Approvals”, Facebook will add another level of security to your account. ‘Login approvals’ is a security feature that requires you to enter a code that Facebook will text to your phone when you log in from an unrecognized computer.
3. Never friend or accept friend requests from people you don’t know.
4. If by chance anybody resets your password through this attack, your email address will receive a notification of the password change, including the names of the 3 friends who were involved in it. You will then have only 24 hours to act on it, so always check your email every day.
5. If you are planning to go on vacation, never update your status saying “I will be offline for some days” or similar. Your vacation is enough for a hacker to compromise your account.
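The recovery policy the post describes, modelled as code so the fall-through from the security question to friend-based recovery can be checked beside a hardened policy. This is an added example, not Facebook’s code: the Account fields, the hardened rules (lockout instead of fall-through, owner-designated trusted contacts, mandatory registered mobile) and the sample names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    security_answer: Optional[str]  # None when no security question was ever set
    friends: frozenset              # everyone on the friend list
    trusted_contacts: frozenset     # pre-designated by the owner (hardened flow only)
    mobile_registered: bool


def weak_recovery(acct, answers, chosen_friends, codes_obtained):
    """Flow as the post describes it. `answers` are guesses at the security
    question, `chosen_friends` the three friends the requester picks from the
    victim's list, `codes_obtained` the friends whose emailed code the
    requester managed to collect."""
    if acct.security_answer is not None:
        if acct.security_answer in answers[:3]:
            return "RESET"
        if len(answers) < 3:
            return "DENIED"          # question stage not yet exhausted
        # Three misses fall through to friend recovery instead of locking.
    if len(chosen_friends) != 3 or not chosen_friends <= acct.friends:
        return "DENIED"
    # Any three friends qualify, including ones the requester controls.
    return "RESET" if chosen_friends <= codes_obtained else "DENIED"


def hardened_recovery(acct, answers, chosen_friends, codes_obtained, has_phone):
    """Hardened policy (an assumption for this example, not Facebook's): a
    registered mobile is mandatory and `has_phone` says whether the requester
    received its SMS code; a wrong security answer locks recovery and notifies
    the owner rather than falling through; only owner-designated trusted
    contacts may vouch, and the requester cannot choose them."""
    if not acct.mobile_registered or not has_phone:
        return "DENIED"
    if acct.security_answer is not None:
        if answers and answers[0] == acct.security_answer:
            return "RESET"
        return "LOCKED"              # cooldown plus owner notification
    if not acct.trusted_contacts or chosen_friends != acct.trusted_contacts:
        return "DENIED"
    return "RESET" if acct.trusted_contacts <= codes_obtained else "DENIED"
```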

Posted by on September 17, 2011 in Uncategorized