Trusted Friend Attack: Guardian Angels Strike

Published in Technology
Transcript

  • 1. TRUSTED FRIEND ATTACK: GUARDIAN ANGELS STRIKE A talk by Ashar Javed @ Hack In The Box, 14-17 October 2013, Kuala Lumpur, Malaysia (HITBSecConf2013)
  • 2. GRAPH IS BIG http://theweek.com/article/index/239514/4-things-we-learned-from-facebooks-confounding-earnings-report
  • 3. WHO AM I?
  • 4. A RESEARCHER IN RUHR-UNIVERSITY BOCHUM, RUB, GERMANY A STUDENT WORKING TOWARDS HIS PHD LISTED IN ALMOST EVERY HALL OF FAME PAGE @soaj1664ashar
  • 5. SOME OF YOU WILL WISH FOR THIS FEATURE ...
  • 6. A SHORT STORY https://twitter.com/dimitribest/status/230677638358900736
  • 7. A PASTE@PASTEBIN http://pastebin.com/ajaYnLYc
  • 8. WHO TO BLAME? http://cher-homespun.blogspot.de/2011/07/curiosity-killed-cat-but-satisfaction.html
  • 9. AFTER TESTING 3 TO 4 RANDOM ACCOUNTS FROM THE PASTEBIN'S PASTE I FOUND
  • 10. AN INNOCENT QUESTION ... Why is Facebook asking "This is me" / "This isn't me" on somebody's account? & What would be your answer, if you are an attacker :-)
  • 11. LEGITIMATE PASSWORD RECOVERY FLOW You have an email address but FORGOT YOUR PASSWORD
  • 12. STEP (1) Go To https://www.facebook.com/ Click "Forgot Your Password?"
  • 13. STEP (2) Enter Your Email, Phone, Username or Full Name https://www.facebook.com/login/identify?ctx=recover Provide email address and click on "Search" button!
  • 14. STEP (3) Choose your "Password Reset Method" & click "Continue"
  • 15. STEP (4) A Received password secret code via email
  • 16. STEP (4) B Entry-Point for the SECRET CODE RECEIVED: Enter the code that you have received in email & click "Continue"
  • 17. STEP (5) Set "New Password"
  • 18. STEP (6) Welcome to Facebook, MSc. Ashar
  • 19. INFORMATIVE EMAIL FROM FACEBOOK
  • 20. WHAT IF YOU LOST OR FORGOT BOTH EMAIL ADDRESS + PASSWORD
  • 21. FACEBOOK HAD A SOLUTION NAMED TRUSTED FRIENDS (TF)
  • 22. "TF IS BASED ON SOCIAL AUTHENTICATION" & "Bringing Social to Security" is GOOD BUT ...
  • 23. http://www.cl.cam.ac.uk/~rja14/Papers/socialauthentication.pdf
  • 24. TRUSTED FRIENDS FEATURE Introduced in October 2011 https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766
  • 25. TRUSTED FRIENDS "It's sort of similar to giving a house key to your friends when you go on vacation -- pick the friends you most trust in case you need their help" https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766
  • 26. TRUSTED FRIENDS ACCORDING TO READWRITE: "'Who Wants To Be A Millionaire' lifeline concept - except it's not a one-time deal." http://readwrite.com/2011/10/27/facebook_adds_security_features_trusted_friends_ap#awesm=~ohkTq
  • 27. GUARDIAN ANGELS http://sophosnews.files.wordpress.com/2011/10/facebook-security-infographic.pdf
  • 28. HOW DOES THE TRUSTED FRIENDS FEATURE WORK?
  • 29. LIST # 1
  • 30. LIST # 2
  • 31. LIST # 3
  • 32. REVIEW FRIENDS
  • 33. ENTER CODES & GAIN ACCESS TO YOUR ACCOUNT
  • 34. SCREEN-SHOT OF FAKE PROFILE
  • 35. 4 DIGIT CODE
  • 36. ANOTHER INFORMATIVE EMAIL TO LEGITIMATE USER FROM FACEBOOK
  • 37. 600,000+ COMPROMISED ACCOUNT LOGINS EVERY DAY ON FACEBOOK, OFFICIAL FIGURES REVEAL HTTP://GOO.GL/FNP27Q by https://twitter.com/gcluley
  • 38. @GCLULEY NOTED IN HIS POST HTTP://GOO.GL/FNP27Q
  • 39. QUESTION YOU MIGHT BE THINKING ...
  • 40. THREAT MODEL Attacker is on victim's friends' list & can create new email address(es) that are required for compromising accounts. Attacker can only leverage "forgot your password" functionality in order to compromise accounts and at the same time we don't consider "compromising of email accounts of legitimate user(s)"
  • 41. EMAIL ADDRESS MUST BE NEW FOR EVERY TARGET
  • 42. FACEBOOK FRIEND VS REAL LIFE FRIEND http://blogs.mcafee.com/consumer/fake-friends
  • 43. A SHORT FUN STUDY Created 3 FAKE ACCOUNTS and sent friendship requests to TWENTY (20) friends of mine on Facebook. After some time, 8 friends have accepted all 3 requests
  • 44. DATA SCIENCE OF THE FACEBOOK WORLD On average a Facebook user has 342 friends! DO YOU THINK ALL 342 ARE REAL LIFE FRIENDS ALSO OR JUST FACEBOOK FRIENDS OR WHAT ...? http://blog.stephenwolfram.com/2013/04/data-science-of-the-facebook-world/
  • 45. SUMMARIZE EVERYTHING ABOUT FACEBOOK & REAL LIFE FRIENDS http://www.lolroflmao.com/2012/02/24/he-had-over-2000-friends-on-facebook-i-thought-it-would-have-more-people-here/
  • 46. TRUSTED FRIEND ATTACK (TFA) In order to start TFA, we need the victim's Facebook username and FYI, it is PUBLIC INFORMATION & part of the Facebook URL. e.g., https://www.facebook.com/ashar.javed
  • 47. ONCE TARGET SELECTED Repeat the "Forgot Your Password" process as mentioned before until STEP (3) i.e., "No longer have access to these?"
  • 48. NO LONGER HAVE ACCESS TO THESE? sometimes opens the following dialog box (old & new version) :) HOW AWESOME THEY ARE? :-) https://www.facebook.com/recover/extended In order to find the answer of "sometimes", I did an empirical study (discussed later).
  • 49. QUESTIONS... How can Facebook bind this new email address or phone number to the legitimate user's address or phone? How can Facebook differentiate between an account recovery procedure started by a legitimate user and the one started by an attacker? Is it even possible? I think NO!
  • 50. CREATE NEW EMAIL ADDRESS AND ENTER IT IN THE PREVIOUS DIALOG BOX & HERE YOU HAVE:
  • 51. QUESTION Why is Facebook exposing the one selected PRIVATE SECURITY QUESTION in front of the ATTACKER? Facebook is providing an option to the attacker that he can select from two routes i.e., 1. Answer Security Question 2. Choose Three Friends of Attacker's Choice
  • 52. TFA'S VARIATIONS/FORMS 1. Involve one attacker i.e., the case where attacker will answer the exposed security question 2. Involve three friends i.e., the case where attacker chooses three friends of his choice
  • 53. ATTACKER CHOOSES TRUSTED FRIENDS PATH
  • 54. ATTACKER'S CHOICES Do selection of friends in a normal manner even without POST-DATA manipulation (works 100%) Try to send codes to his controlled accounts that are not on victim's friend list (Doesn't work) Try to send codes to an attacker's controlled accounts that are on victim's friend list but not in the presented lists of trusted friends (works 50%) Try to send codes to an attacker's controlled accounts that are on the presented list of trusted friends and use POST-DATA manipulation (defeat Facebook's shortening of list items) (works 100%) Try to send all codes to himself (evil idea) (Doesn't work)
  • 55. POST-DATA MANIPULATION lsd=AVo8FV8K&profileChooserItems={"511543064":1}&checkableitems[]=511543064 511543064 is my Facebook numeric ID.
  • 56. HOW TO GET THE FACEBOOK USER ID? Facebook's user numeric ID is not public information most of the time and it is not part of the URL all the time!
  • 57. ANSWER: GRAPH API EXPLORER BY FACEBOOK https://developers.facebook.com/tools/explorer/?method=GET&path=VICTIM-USERNAME&fields=id,name
  • 58. EVIL IDEA URL looks like: https://www.facebook.com/guardian/confirm.php?guardians[0]=511543064&guardians[1]=511543064&guardians[2]=511543064&cuid=AYhhCnxPb9g8xVAUGmuPh4e33s2NcCRj8Qng7wKGN7fxe9hXTQtVUKr0Rm-0LBeTOCX_Es83lN0_BGe8Yi2GG7iGRbZwIL5rNXktD1mSsnW-ZFD2fZB1Z7lLuyYdQ4GWPbf9bzhik9zXBpNeOsvUv-MpzCcAQT2jxLtEa25YGlg_qg&cp=testpurposexss@gmail.com
  • 59. EVIL IDEA DOESN'T WORK Facebook correctly says:
  • 60. INTERESTING MESSAGE FROM FACEBOOK
  • 61. WHAT DOES IT MEAN? I think it means that if an attacker selects himself or any particular account 3 to 5 times for different victims then Facebook blocks access to that particular account!
  • 62. URL MANIPULATION'S RESULT! I.E., FACEBOOK'S EMAIL WITH NO FRIENDS' NAMES
  • 63. CHAIN TRUSTED FRIENDS ATTACK (CTFA) In CTFA, attacker can make a chain of compromised accounts and with the help of the chain he may compromise account(s) that are not even in his friends list.
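The guardian-selection checks that slides 54 to 63 argue for, written out as an added example (this is not Facebook's code and does not describe its actual implementation). A recovery service should validate the three chosen trusted friends against the candidate set it stored server-side rather than against whatever the client posts back, reject duplicate selections such as guardians[0]=guardians[1]=guardians[2], and refuse an account that has already been named as a guardian in several recent recoveries, which is the behaviour slide 61 infers. The identifiers, candidate set, window and the threshold of three recoveries per guardian account are assumptions constructed for the example.

```python
"""Server-side validation of a trusted-friends (guardian) selection.

Added example, not Facebook's code. Models the checks a recovery service
should make before sending guardian codes. All ids, names and thresholds
below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

REQUIRED_GUARDIANS = 3
MAX_RECOVERIES_AS_GUARDIAN = 3   # assumed policy: distinct recoveries per guardian per window
WINDOW_SECONDS = 7 * 24 * 3600   # assumed reuse window


@dataclass
class RecoveryRequest:
    victim_id: int            # numeric id of the account being recovered
    candidate_ids: frozenset  # guardian candidates the SERVER chose and stored for this recovery
    chosen_ids: list          # what the client posted back (untrusted input)
    now: int                  # current time in seconds


@dataclass
class Decision:
    ok: bool
    reasons: list = field(default_factory=list)


class GuardianRegistry:
    """Remembers, per guardian account, which recoveries it has been named in."""

    def __init__(self):
        self._used = defaultdict(list)   # guardian_id -> [(victim_id, timestamp), ...]

    def recent_count(self, guardian_id, now):
        """Number of distinct accounts this guardian was selected for inside the window."""
        cutoff = now - WINDOW_SECONDS
        self._used[guardian_id] = [(v, t) for v, t in self._used[guardian_id] if t >= cutoff]
        return len({v for v, _ in self._used[guardian_id]})

    def record(self, guardian_ids, victim_id, now):
        for g in guardian_ids:
            self._used[g].append((victim_id, now))


def validate_selection(req: RecoveryRequest, registry: GuardianRegistry) -> Decision:
    """Accept the selection only if every check passes; record it only when accepted."""
    decision = Decision(ok=True)
    chosen = list(req.chosen_ids)
    if len(chosen) != REQUIRED_GUARDIANS:
        decision.reasons.append(f"expected {REQUIRED_GUARDIANS} guardians, got {len(chosen)}")
    if len(set(chosen)) != len(chosen):
        decision.reasons.append("duplicate guardian ids")          # same account chosen more than once
    for g in chosen:
        if g == req.victim_id:
            decision.reasons.append("account cannot be its own guardian")
        elif g not in req.candidate_ids:
            # Posted id was never on the server-chosen list: client-side list was tampered with.
            decision.reasons.append(f"guardian {g} was not on the server-chosen candidate list")
        elif registry.recent_count(g, req.now) >= MAX_RECOVERIES_AS_GUARDIAN:
            decision.reasons.append(f"guardian {g} already used in too many recent recoveries")
    decision.ok = not decision.reasons
    if decision.ok:
        registry.record(chosen, req.victim_id, req.now)
    return decision


if __name__ == "__main__":
    registry = GuardianRegistry()
    candidates = frozenset({101, 102, 103, 104, 105, 106})   # constructed candidate list
    print(validate_selection(RecoveryRequest(1, candidates, [101, 102, 103], 0), registry))
    print(validate_selection(RecoveryRequest(1, candidates, [101, 101, 101], 0), registry))
```

The important design point is that `candidate_ids` comes from the server's own record of what it presented, so shortening or extending the list in the browser changes nothing; the per-guardian reuse counter is what turns the "interesting message" of slide 60 into an explicit, auditable rule.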
  • 64. FACEBOOK'S DEFAULT & FIXED SECURITY QUESTIONS SET
  • 65. FACEBOOK'S SECURITY QUESTIONS SCREEN- SHOT!
  • 66. EXCERPTS FROM "MIND READER" VIDEO https://www.youtube.com/watch?v=F7pYHN9iC9I
  • 67. HOW TO GET THE ANSWERS TO THESE QUESTIONS?
  • 68. ACCORDING TO "ME" Following ways work like a charm: -- In case of social network, answer can be found on public profile. -- Directly ask the answer via routine Facebook chat... most of the time you will get the answer. -- Make a QUIZ related to security question and post to your friends. -- In case of family members or close friends, you already know the answer.
  • 69. ANOTHER BAD SECURITY PRACTICE https://www.facebook.com/help/163063243756483 Question: What happens if a user realizes after answering/setting the question that he has chosen a weak answer? Remark: In case of compromised accounts, if attacker has proceeded via answering the security question, he can do the same thing sometime after because "QnA" remains the same.
  • 70. INCONSISTENCY IN SECURITY QUESTIONS' USER INTERFACE
  • 71. WHAT IS YOUR REACTION IF YOU HAVE TO GIVE AN ANSWER TO A SECURITY QUESTION(S) THAT IS NOT EVEN A PART OF FACEBOOK'S DEFAULT SECURITY QUESTIONS' LIST?
  • 72. MY REACTION :-)
  • 73. SECURITY QUESTION # 1
  • 74. SECURITY QUESTION # 2
  • 75. HOW CAN A LEGITIMATE USER GIVE AN ANSWER TO A SECURITY QUESTION THAT HE HAS NEVER SET? No Way ... BUT I know the answer that works sometimes :-) https://www.facebook.com/ashar.javed (ajaved) https://www.facebook.com/mscashar.javed (mjaved)
  • 76. EMPIRICAL STUDY Tested 250 real accounts of my friends on Facebook. In 181 cases, Facebook doesn't allow us to proceed ... It means no security question exposed + no option of trusted friends In 69 cases, Facebook allows us to PROVIDE a NEW EMAIL ADDRESS and once provided, we can have either security question exposed or trusted friends feature appears or BOTH
  • 77. 181 CASES WE GOT ... If as an attacker, we click on "I Cannot Access My Email"
  • 78. 181 CASES (NO EMAIL ACCESS ... WE ARE SORRY) https://www.facebook.com/recover/extended/ineligible
  • 79. IN 69 CASES Facebook exposed the selected security question of the victim OR Option of Trusted friends' selection OR Choice among above two options
  • 80. 11 OUT OF 69 ACCOUNTS COMPROMISED Out of 11 compromised accounts 8 by answering security question AND 3 using trusted friends feature ENOUGH FOR POC! # of compromised accounts can be easily raised to 20-25 but requires more work & motivation :-)
  • 81. SOME INTERESTING OBSERVATIONS
  • 82. ON FACEBOOK ANYBODY CAN SEND ANYONE A PASSWORD RESET REQUEST IF HE KNOWS THE USERNAME WHICH IS PUBLIC INFORMATION
  • 83. DENIAL-OF-SERVICE (DOS) Attacker doesn't have access to victim's email box in order to get the valid 6 digit code but he has the above dialog box in front of him ... What if attacker enters the wrong secret code 20-30 times? AT THE SAME TIME, VICTIM
  • 84. HERE YOU GO: "Try again later" will be a nasty experience for the victim! We call this "Password Reset DoS"
  • 85. IDENTIFY ACCOUNT ANOTHER WAY In this way, attacker can force victim to use email address or phone and if victim has lost his email address ....
  • 86. WORST THING
  • 87. MY FRIEND'S REACTION ON WORST THING
  • 88. ANOTHER TYPE OF DOS ON FACEBOOK
  • 89. TRUSTED FRIEND FEATURE DOS If an attacker has started the password recovery using TF and at the same time victim tries to use this feature... he will receive the following message from Facebook
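Both denial-of-service effects on slides 83 to 89 come from recovery state that is shared per account: wrong-code attempts by one party lock the code for everyone, and one pending trusted-friends recovery blocks another. The added example below (not Facebook's code, and not a description of how Facebook actually handles this) shows a recovery service in which every session carries its own code and its own failure counter, bound to the client that opened it, so an attacker's failed guesses or pending session never lock out the legitimate owner, while the owner is still alerted. The attempt limit, session lifetime, client keys and account names are assumptions constructed for the example.

```python
"""Per-session recovery codes that isolate one party's failures from another's.

Added example, not Facebook's code. Thresholds, client keys and account
names are constructed for the example.
"""
import secrets
import time
from dataclasses import dataclass

MAX_WRONG_CODES_PER_SESSION = 5   # assumed policy: afterwards only THIS session is locked
SESSION_TTL_SECONDS = 15 * 60     # assumed lifetime of an issued code
CODE_DIGITS = 6


@dataclass
class RecoverySession:
    account: str
    client_key: str     # e.g. a hash of source IP + user agent; constructed label
    code: str
    created: float
    wrong: int = 0
    locked: bool = False


class RecoveryService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # session id -> RecoverySession
        self.alerts = []     # (account, message) notifications the owner would receive

    def _alive(self, s):
        return not s.locked and self.clock() - s.created < SESSION_TTL_SECONDS

    def start(self, account, client_key):
        """Open a recovery session and return (session_id, code).

        A new session from the same client replaces that client's earlier one;
        sessions opened by other clients (e.g. the real owner's) are untouched,
        so a pending attacker-started recovery cannot block the owner.
        """
        for s in self.sessions.values():
            if s.account == account and s.client_key == client_key and self._alive(s):
                s.locked = True
        sid = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.sessions[sid] = RecoverySession(account, client_key, code, self.clock())
        self.alerts.append((account, f"recovery started from client {client_key}"))
        return sid, code

    def verify(self, sid, client_key, guess):
        """Return True exactly once if the guess matches this session's code.

        Wrong guesses count against this session only: after the limit the
        session is locked and the owner alerted, while every other open
        session for the same account keeps working.
        """
        s = self.sessions.get(sid)
        if s is None or not self._alive(s) or s.client_key != client_key:
            return False
        well_formed = len(guess) == CODE_DIGITS and guess.isascii() and guess.isdigit()
        if well_formed and secrets.compare_digest(s.code, guess):
            s.locked = True      # one-shot code: consumed on success
            return True
        s.wrong += 1
        if s.wrong >= MAX_WRONG_CODES_PER_SESSION:
            s.locked = True
            self.alerts.append((s.account, f"session from client {client_key} locked after {s.wrong} wrong codes"))
        return False

    def open_sessions(self, account):
        return [s for s in self.sessions.values() if s.account == account and self._alive(s)]


if __name__ == "__main__":
    svc = RecoveryService()
    sid, code = svc.start("victim", "owner-client")
    print("correct code accepted:", svc.verify(sid, "owner-client", code))
    print("alerts:", svc.alerts)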
  • 90. FACEBOOK'S SECURITY MEASURES & HOW LEGITIMATE USERS REACT & THEIR BYPASSES
  • 91. THIS IS HOW COMMON USERS USE FACEBOOK...
  • 92. 1) SECURITY ALERT VIA EMAIL OR MOBILE SMS As soon as attacker starts an account recovery via "password reset" functionality, Facebook immediately sends an email or SMS alert to the legitimate user.
  • 93. USERS' REACTION ON THIS EMAIL OR SMS
  • 94. USERS' REACTION ON THIS EMAIL OR SMS
  • 95. 2) TEMPORARILY LOCKED In order to recognize a device, Facebook uses OS, IP Address, Browser & Estimated Location etc. What happens if attacker clicks on the "Continue" button?
  • 96. WHAT HAPPENS IF AN ATTACKER CLICKS ON " CONTINUE " BUTTON?
  • 97. (1)
  • 98. (2) Click "Continue" after selecting one of the options but remember who is doing the selection? An ATTACKER
  • 99. (3)
  • 100. (4)
  • 101. (5)
  • 102. (6)
  • 103. (7)
  • 104. (8)
  • 105. ANOTHER INTERESTING ASPECT IN CASE IF LEGITIMATE USER WILL BE ABLE TO REGAIN ACCESS TO HIS ACCOUNT
  • 106. REMEMBER (5TH STEP) I.E.,
  • 107. SNAPSHOT OF ATTACKER'S EMAIL BOX
  • 108. RECOGNIZED DEVICES
  • 109. 3) 24 HOUR LOCKED-OUT PERIOD As an attacker this is the biggest hurdle to cross...
  • 110. DISAVOW PROCESS Legitimate user can "disavow" the process any time by clicking on the link in the email he received from Facebook or making Facebook activity during this time. BUT Majority of the users, as shown in users' reaction, consider Facebook's informative/warning emails as spam.
  • 111. FOR A MOMENT FORGET DISAVOW
  • 112. 24 HOUR LOCKED OUT PERIOD STARTS LIKE THAT ...
  • 113. 24 HOUR LOCKED OUT PERIOD ...
  • 114. 24 HOUR LOCKED OUT PERIOD ...
  • 115. 24 HOUR LOCKED OUT PERIOD ...
  • 116. GAME OVER FOR VICTIM...
  • 117. HERE WE GO...
  • 118. ANOTHER EMAIL FROM FACEBOOK AND LEAKED EMAIL ADDRESS OF THE VICTIM
  • 119. ETHICAL CONSIDERATIONS First Reported to Facebook on 19-08-2012 On 23-08-2012, I got the following answer from Facebook Security Team:
  • 120. TWO QUESTIONS CAME TO MY MIND AFTER READING THE EMAIL... Is there any attack that is not very well targeted? Where is social engineering in this attack?
  • 121. ON 24-08-2012
  • 122. BUT I HAVE WAITED UNTIL THE COMPLETE EMPIRICAL STUDY & AGAIN SENT THE TECHNICAL REPORT/RESEARCH PAPER ON 27-06-2013
  • 123. ANSWER FROM SECURITY TEAM ON 09-09-2013
  • 124. SORRY FACEBOOK :-( It doesn't make sense to reproduce this attack on TEST ACCOUNTS... The results would look FAKE.
  • 125. ON THE OTHER HAND ... Our approach is similar to a recently published academic paper in the Second International Workshop on Privacy and Security in Online Social Media, co-located with WWW2013 http://precog.iiitd.edu.in/events/psosm2013/9psosm3s-parwani.pdf
  • 126. FINALLY All compromised accounts are up, running and under the control of their legitimate users!
  • 127. YET ANOTHER OBSERVATION I.E., MASKED EMAIL ADDRESS AND PHONE #
  • 128. WHERE IS MASKING? EMAIL ADDRESS EXPOSED
  • 129. AFTER 5-10 MINUTES MASKING EFFECT APPEARS
  • 130. WHAT ABOUT OTHER 49 SOCIAL NETWORKS' PASSWORD RESET FUNCTIONALITY?
  • 131. TWITTER (HTTPS://TWITTER.COM/?LANG=EN) 200 million active users (Feb 2013) + Alexa Rank #11 http://en.wikipedia.org/wiki/Twitter
  • 132. ANYBODY CAN SEND ANYBODY A PASSWORD RESET REQUEST WITH THE HELP OF TWITTER'S USERNAME WHICH IS PUBLIC INFORMATION :-(
  • 133. JUST FOR FUN ...
  • 134. I REPORTED THIS TO TWITTER SECURITY TEAM & THIS IS WHAT THEY THINK ABOUT IT
  • 135. BUT NOW TWITTER HAS ...
  • 136. MAT HONAN'S STORY http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
  • 137. SUPPORT TEAMS
  • 138. SUPPORT TEAM'S JOB To help customers...
  • 139. CAN ALSO BE USED TO COMPROMISE ACCOUNTS :-)
  • 140. OUR METHODOLOGY BY KEEPING IN MIND THREAT MODEL Registered the following email address on social networks: user1@bletgen.net AND The following is the attacker's address and the goal is to compromise the victim's account labelled with the above email address: jim@mediaob.de Attacker's address is not even registered on social networks!
  • 141. ACADEMIA HTTP://WWW.ACADEMIA.EDU/
  • 142. OUR EMAIL TO ACADEMIA
  • 143. INITIAL RESPONSE FROM ACADEMIA
  • 144. FINAL RESPONSE OF ACADEMIA SUPPORT TEAM
  • 145. FREIZEITFREUNDE (A GERMAN-SPECIFIC SOCIAL NETWORKING SITE) HTTP://WWW.FREIZEITFREUNDE.DE/
  • 146. OUR EMAIL TO THEM ...
  • 147. FREIZEITFREUNDE'S SUPPORT TEAM RESPONSE
  • 148. LOKALISTEN (A GERMAN SOCIAL NETWORKING SITE) HTTP://WWW.LOKALISTEN.DE/
  • 149. INITIAL RESPONSE ON OUR TICKET
  • 150. OUR RESPONSE WITHOUT "DATE OF BIRTH"
  • 151. LOKALISTEN'S SUPPORT TEAM FINAL RESPONSE
  • 152. MEETUP HTTP://WWW.MEETUP.COM/FIND/
  • 153. SUPPORT TEAM BLOCKS ACCOUNT :)
  • 154. GETGLUE (SOCIAL NETWORKS FOR TV FANS) HTTP://GETGLUE.COM/FEED
  • 155. OUR EMAIL TO THEIR SUPPORT TEAM
  • 156. GETGLUE'S SUPPORT TEAM RESPONSE They set the new password for us i.e., "temp" :)
  • 157. DELICIOUS HTTPS://DELICIOUS.COM/
  • 158. DELICIOUS'S SUPPORT TEAM RESPONSE They have switched the email address from the victim's to an attacker controlled email address and have sent the password reset link to the attacker's email address.
  • 159. FACEBOOK AS SSO Out of 50 surveyed social networks, we found 26 use Facebook as login-provider (SSO) 24 don't have this feature
  • 160. IMPLICATIONS OF FACEBOOK CONNECT (1 MILLION WEBSITES HAVE INTEGRATED WITH FACEBOOK)* + ACCOUNT HACK Controls email account e.g., Yahoo Go for shopping e.g., Etsy Create havoc for victim :) 79% of social media log-ins by online retailers are with Facebook (http://socialmediatoday.com/node/1656466) 60 million users of Facebook Connect in 2009 according to TechCrunch report (http://goo.gl/a6lsCx) *http://goo.gl/x8BKe
  • 161. HAVOC EXAMPLES http://goo.gl/2FVTz8 http://goo.gl/uuO7Kq
  • 162. GUIDELINES FOR USERS Do not ignore email or SMS alerts from Facebook Do not place TOO MUCH information on social networks Do not accept friend requests from strangers Enable log-in notifications
  • 163. GUIDELINES FOR SOCIAL NETWORKS Train your support teams. Facebook should raise the bar as far as communication with the researchers or bug submitters is concerned. For Facebook: Please don't send TOO MANY EMAILS because users start believing that these are spam emails. Joe wrote in his post (http://goo.gl/Wf6QMZ): In case of TFA, Facebook failed in "CORRECTLY IDENTIFYING and REALIZATION OF AN INFORMATION FLOW PROBLEM"
  • 164. FOR FACEBOOK
  • 165. I HOPE NOW FACEBOOK SECURITY TEAM'S REACTION
  • 166. THANKS!