Mark Zuckerberg Facebook Fan Page Hack – Who was Behind It?

The fact that Mark Zuckerberg’s page was hacked isn’t all that interesting … but the post-mortem diagnosis of the hack itself is fascinating.

There are some clues left by the person who hacked Mark Zuckerberg’s Facebook fan page on Wikipedia – but what do they add up to?

Let’s follow up some of the trail left in the Mark Zuckerberg Facebook fan page hacking incident.

The only – and best clue – is the link left by the hacker in the status update posted on Zuckerberg’s wall, which reads “Let the hacking begin: if facebook needs money, instead of going to the banks, why doesn’t Facebook let its user invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Price [sic] winner Muhammad Yunus described it? http://bit.ly/f26rT3 What do you think? #hackercup2011”

That contains a bit.ly link. Well, you can find out what the original URL is by adding a plus on the end, so: http://bit.ly/fs6rT3+ From which we can see that about 17,000 people clicked the link. Not bad (though we have to say that Julian Assange gets more clicks when he appears on the Guardian … but we digress).

The original, shortened link was actually: http://en.wikipedia.org/wiki/Social_business?h=d044aeb71f4e466a552708fc6e3863ef&thanksforthecup=https://www.facebook.com/photo.php%3Fpid%3D393752%26id%3D133954286636768%26fbid%3D170535036312026

Let’s begin with the second part of the long link – the part that starts “thanksforthecup”: it’s URL-encoded (so “%3D” actually stands for the character “=”, “%26” for “&”) and leads to a Facebook photo page for the Hacker Cup, a competition run by Facebook itself. So the hacker is saying he thinks he should get the cup. OK, we get it.

Now, back to the first part. If you just click the link, you’ll be taken to Wikipedia’s page about social business. But not the latest version – to a specific version in its edit history. That is, to http://en.wikipedia.org/wiki/Social_business?h=d044aeb71f4e466a552708fc6e3863ef – which is not the same, now, as http://en.wikipedia.org/wiki/Social_business. If you open them in two tabs, or just open the first in a tab and click on the “Article” link in the top left, you’ll see it. Go back and forth a couple of times and you might spot the difference. Yes? No? Have a look at this difference page, then. (And look at how it was before that edit.)

Yup, the difference is the addition in the first sentence. Usually, that reads:

“A ”’social business”’ is a non-loss, non-dividend company designed to address a social objective”

. But in the edited (older) version that you get sent to, the phrase

” much like [http://www.romanstwelve.net www.romanstwelve.net]”

has been added. (The square brackets turn the text into a link going out to romanstwelve.net). And what does that site do? It offers “total web consulting” and is based in Pickerington, Ohio.

Crucially, as the picture shows, that edit was only on Wikipedia for two minutes on Tuesday 25 – between 19.17EST and 19.19EST – indicating that the hacker must have created the edit with the link and then deleted it straight afterwards, but kept the link to the version he had edited. Then he encoded the link for the photo and attached it to the Wikipedia link, and stuffed the whole lot into bit.ly. Then, having got the shortened link, he went and updated the status on the fan page. The timing of the change, and its reversion, indicates that this was the same person. You don’t accidentally link to an old version of a page; you’d link to the generic version.

In other words, we might be able to find the hacker if we can find out who changed the Wikipedia page. Unfortunately, it wasn’t done by a registered user. But because of Wikipedia’s clever tracking system, you can see the IP of non-registered users: there it is at the top of the edit page in the screenshot: 131.74.110.168. You can also see what articles machines at that IP address have edited – a very mixed bag–- and also how edits from that IP have been increasingly smacked down by Wikipedia editors (latest on that page coming from October 2009: “Please stop your disruptive editing. If you continue to vandalise Wikipedia, as you did at Lyoto Machida, you will be blocked from editing.”

So who’s behind 131.74.110.168? A quick whois query tells you that it… the US department of defence in Williamsburg.

In other words: this might be someone in the military. Most likely those edits don’t come from one person – they come from all sorts of people in the Williamsburg location. Or, just as possible, it was someone who had hacked into the computers there from outside (not as difficult as you’d hope it would be) and is using them as a proxy to make the Wikipedia edit, and, quite possibly, hack Zuckerberg’s page. (We’ve asked Facebook whether Zuckerberg’s page was accessed from that IP, but haven’t had an answer yet.)

That’s about all the clues we have: a US DOD IP, a transient Wikipedia page, and a link to a web consulting business. We asked Jeremy Reger, of Romanstwelve, if he was involved with or knew who was behind the hacking. His answer is an emphatic no: “Hackers don’t link to pages who then link to pages. I do not have any idea who did the hack.” He added: “I’m sure Facebook would confirm that the IP [address] in the wiki history in not the same IP that “hacked” the fan page.”

That remains to be seen. For now, all we have are the pieces of the hack. Can anyone add more?

guardian.co.uk © Guardian News & Media Limited 2011 | Use of this content is subject to our Terms & Conditions | More Feeds


Link to Original Content

Tags: , ,

Comments are closed.