Trusted Friend Attack: Guardian Angels Strike



1. TRUSTED FRIEND ATTACK: GUARDIAN ANGELS STRIKE. A talk by Ashar Javed @ Hack In The Box, 14-17 October 2013, Kuala Lumpur, Malaysia (HITBSecConf2013)
2. GRAPH IS BIG http://theweek.com/article/index/239514/4-things-we-learned-from-facebooks-confounding-earnings-report
3. WHO AM I?
4. A RESEARCHER AT RUHR-UNIVERSITY BOCHUM (RUB), GERMANY. A STUDENT WORKING TOWARDS HIS PHD. LISTED IN ALMOST EVERY HALL OF FAME PAGE. @soaj1664ashar
5. SOME OF YOU WILL WISH FOR THIS FEATURE ...
6. A SHORT STORY https://twitter.com/dimitribest/status/230677638358900736
7. A PASTE @ PASTEBIN http://pastebin.com/ajaYnLYc
8. WHO TO BLAME? http://cher-homespun.blogspot.de/2011/07/curiosity-killed-cat-but-satisfaction.html
9. AFTER TESTING 3 TO 4 RANDOM ACCOUNTS FROM THE PASTEBIN PASTE I FOUND ...
10. AN INNOCENT QUESTION ... Why is Facebook asking on somebody's account? "This is me" / "This isn't me". What would be your answer if you are an attacker :-)
11. LEGITIMATE PASSWORD RECOVERY FLOW: You have an email address but FORGOT YOUR PASSWORD
12. STEP (1): Go to https://www.facebook.com/ and click "Forgot Your Password?"
13. STEP (2): Enter your email, phone, username or full name at https://www.facebook.com/login/identify?ctx=recover. Provide the email address and click the "Search" button!
14. STEP (3): Choose your "Password Reset Method" & click "Continue"
15. STEP (4) A: Received the password secret code via email
16. STEP (4) B: Entry point for the SECRET CODE RECEIVED: enter the code that you received in the email & click "Continue"
17. STEP (5): Set "New Password"
18. STEP (6): Welcome to Facebook, MSc. Ashar
19. INFORMATIVE EMAIL FROM FACEBOOK
20. WHAT IF YOU LOST OR FORGOT BOTH EMAIL ADDRESS + PASSWORD?
21. FACEBOOK HAD A SOLUTION NAMED TRUSTED FRIENDS (TF)
22. "TF IS BASED ON SOCIAL AUTHENTICATION" & "Bringing Social to Security" is GOOD BUT ...
23. http://www.cl.cam.ac.uk/~rja14/Papers/socialauthentication.pdf
24. TRUSTED FRIENDS FEATURE: Introduced in October 2011 (https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766)
25. TRUSTED FRIENDS: "It's sort of similar to giving a house key to your friends when you go on vacation -- pick the friends you most trust in case you need their help" https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766
26. TRUSTED FRIENDS ACCORDING TO READWRITE: ""Who Wants To Be A Millionaire" lifeline concept - except it's not a one-time deal." http://readwrite.com/2011/10/27/facebook_adds_security_features_trusted_friends_ap#awesm=~ohkTq
27. GUARDIAN ANGELS http://sophosnews.files.wordpress.com/2011/10/facebook-security-infographic.pdf
28. HOW DOES THE TRUSTED FRIENDS FEATURE WORK?
29. LIST # 1
30. LIST # 2
31. LIST # 3
32. REVIEW FRIENDS
33. ENTER CODES & GAIN ACCESS TO YOUR ACCOUNT
34. SCREENSHOT OF FAKE PROFILE
35. 4-DIGIT CODE
36. ANOTHER INFORMATIVE EMAIL TO THE LEGITIMATE USER FROM FACEBOOK
37. 600,000+ COMPROMISED ACCOUNT LOGINS EVERY DAY ON FACEBOOK, OFFICIAL FIGURES REVEAL (http://goo.gl/FNP27Q) by https://twitter.com/gcluley
38. @GCLULEY NOTED IN HIS POST http://goo.gl/FNP27Q
39. QUESTION YOU MIGHT BE THINKING ...
40. THREAT MODEL: The attacker is on the victim's friends list & can create the new email address(es) required for compromising accounts. The attacker can only leverage the "forgot your password" functionality in order to compromise accounts, and at the same time we don't consider compromising the email accounts of legitimate user(s).
41. EMAIL ADDRESS MUST BE NEW FOR EVERY TARGET
42. FACEBOOK FRIEND VS REAL LIFE FRIEND http://blogs.mcafee.com/consumer/fake-friends
43. A SHORT FUN STUDY: Created 3 FAKE ACCOUNTS and sent friendship requests to TWENTY (20) friends of mine on Facebook. After some time, 8 friends had accepted all 3 requests.
44. DATA SCIENCE OF THE FACEBOOK WORLD: On average a Facebook user has 342 friends! DO YOU THINK ALL 342 ARE REAL LIFE FRIENDS TOO, OR JUST FACEBOOK FRIENDS, OR WHAT ...? http://blog.stephenwolfram.com/2013/04/data-science-of-the-facebook-world/
45. SUMMARIZE EVERYTHING ABOUT FACEBOOK & REAL LIFE FRIENDS http://www.lolroflmao.com/2012/02/24/he-had-over-2000-friends-on-facebook-i-thought-it-would-have-more-people-here/
46. TRUSTED FRIEND ATTACK (TFA): In order to start TFA, we need the victim's Facebook username and, FYI, it is PUBLIC INFORMATION & part of the Facebook URL, e.g., https://www.facebook.com/ashar.javed
47. ONCE THE TARGET IS SELECTED: Repeat the "Forgot Your Password" process as mentioned before until STEP (3), i.e., "No longer have access to these?"
48. NO LONGER HAVE ACCESS TO THESE? sometimes opens the following dialog box (old & new version) :) HOW AWESOME THEY ARE? :-) https://www.facebook.com/recover/extended In order to find the answer to "sometimes", I did an empirical study (discussed later).
49. QUESTIONS... How can Facebook bind this new email address or phone number to the legitimate user's address or phone? How can Facebook differentiate between an account recovery procedure started by a legitimate user and one started by an attacker? Is it even possible? I think NO!
50. CREATE A NEW EMAIL ADDRESS AND ENTER IT IN THE PREVIOUS DIALOG BOX & HERE YOU HAVE:
51. QUESTION: Why is Facebook exposing the one selected PRIVATE SECURITY QUESTION in front of the ATTACKER? Facebook is providing an option to the attacker so that he can select from two routes, i.e., 1. Answer the Security Question 2. Choose Three Friends of the Attacker's Choice
52. TFA'S VARIATIONS/FORMS: 1. Involve one attacker, i.e., the case where the attacker answers the exposed security question 2. Involve three friends, i.e., the case where the attacker chooses three friends of his choice
53. ATTACKER CHOOSES TRUSTED FRIENDS PATH
54. ATTACKER'S CHOICES:
   - Do the selection of friends in a normal manner, even without POST-DATA manipulation (works 100%)
   - Try to send codes to his controlled accounts that are not on the victim's friend list (doesn't work)
   - Try to send codes to attacker-controlled accounts that are on the victim's friend list but not in the presented lists of trusted friends (works 50%)
   - Try to send codes to attacker-controlled accounts that are on the presented list of trusted friends and use POST-DATA manipulation to defeat Facebook's shortening of list items (works 100%)
   - Try to send all codes to himself (evil idea) (doesn't work)
55. POST-DATA MANIPULATION: lsd=AVo8FV8K&profileChooserItems={"511543064":1}&checkableitems[]=511543064 (511543064 is my Facebook numeric ID.)
56. HOW TO GET FACEBOOK'S USER ID? Facebook's numeric user ID is not public information most of the time and it is not part of the URL all the time!
57. ANSWER: GRAPH API EXPLORER BY FACEBOOK https://developers.facebook.com/tools/explorer/?method=GET&path=VICTIM-USERNAME?fields=id,name
58. EVIL IDEA: the URL looks like: https://www.facebook.com/guardian/confirm.php?guardians[0]=511543064&guardians[1]=511543064&guardians[2]=511543064&cuid=AYhhCnxPb9g8xVAUGmuPh4e33s2NcCRj8Qng7wKGN7fxe9hXTQtVUKr0Rm-0LBeTOCX_Es83lN0_BGe8Yi2GG7iGRbZwIL5rNXktD1mSsnW-ZFD2fZB1Z7lLuyYdQ4GWPbf9bzhik9zXBpNeOsvUv-MpzCcAQT2jxLtEa25YGlg_qg&cp=testpurposexss@gmail.com
59. EVIL IDEA DOESN'T WORK: Facebook correctly says:
60. INTERESTING MESSAGE FROM FACEBOOK
61. WHAT DOES IT MEAN? I think it means that if an attacker selects himself or any particular account 3 to 5 times for different victims, then Facebook blocks access for that particular account!
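The five attacker choices above, together with the block that the evil idea ran into, spell out what a recovery server has to check before it mails guardian codes. The following is an added example written by the editor in Python, not Facebook's code: a model of that server-side validation that rejects duplicate guardians (the all-codes-to-myself idea), rejects any ID that was not in the list the server itself presented (the gap the profileChooserItems / checkableitems[] manipulation relies on; the slides report that at the time Facebook still accepted friends outside the presented list about half the time), and caps how many different victims one account may act as guardian for. The class name, the friend lists and IDs, and the threshold MAX_VICTIMS_PER_GUARDIAN = 3 are assumptions for illustration; slide 61 only guesses at Facebook's real limit.

```python
from collections import defaultdict

REQUIRED_GUARDIANS = 3
# Assumed cap on how many different victims one account may act as guardian
# for; slide 61 only guesses that Facebook blocks after 3-5 uses.
MAX_VICTIMS_PER_GUARDIAN = 3


class GuardianRecovery:
    """Server side of a trusted-friends recovery flow (constructed model)."""

    def __init__(self, friends):
        # victim id -> set of friend ids (constructed sample data, not real accounts)
        self.friends = {v: set(f) for v, f in friends.items()}
        # recovery session id -> ids the server itself showed for that session
        self.presented = {}
        # guardian id -> distinct victims it has already been chosen for
        self.guardian_victims = defaultdict(set)

    def present_candidates(self, session, victim, shown):
        """Record the candidate list shown to the client for this session.

        Only ids recorded here are accepted later. Shortening the list in the
        HTML is no protection on its own: the server must remember what it
        sent and refuse anything else in the POST.
        """
        shown = set(map(str, shown))
        if not shown <= self.friends[victim]:
            raise ValueError("server bug: tried to present a non-friend as guardian")
        self.presented[session] = shown
        return sorted(shown)

    def validate_selection(self, session, victim, submitted):
        """Return (accepted, reason) for the guardian ids from a POST.

        `submitted` holds the ids exactly as the client sent them in
        checkableitems[] / profileChooserItems, so every check assumes a
        hostile client.
        """
        ids = [str(i) for i in submitted]
        if len(ids) != REQUIRED_GUARDIANS:
            return False, "exactly %d guardians required" % REQUIRED_GUARDIANS
        if len(set(ids)) != len(ids):
            return False, "duplicate guardian: all codes to one account"
        if victim in ids:
            return False, "account cannot be its own guardian"
        shown = self.presented.get(session)
        if shown is None:
            return False, "no candidate list was presented in this session"
        rejected = [i for i in ids if i not in shown]
        if rejected:
            # Catches non-friends and friends that were not in the shown list alike.
            return False, "tampered POST data: %s not in presented list" % ", ".join(rejected)
        for g in ids:
            other_victims = self.guardian_victims[g] - {victim}
            if len(other_victims) >= MAX_VICTIMS_PER_GUARDIAN:
                return False, "guardian %s already used for too many different victims" % g
        for g in ids:
            self.guardian_victims[g].add(victim)
        return True, "codes sent to guardians"
```

Remembering the presented list per session is the decisive check: a server that only asks "is this ID a friend?" still loses to the planted fake friends of slide 43, and one that only trims the HTML list loses to a rewritten POST. The per-guardian cap is what turns the chain attack of the next slides from free into expensive, at the cost of a false positive for someone who genuinely is the trusted friend of several people recovering at once.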
62. URL MANIPULATION'S RESULT, I.E., FACEBOOK'S EMAIL WITH NO FRIENDS' NAMES
63. CHAIN TRUSTED FRIENDS ATTACK (CTFA): In CTFA, the attacker can make a chain of compromised accounts and, with the help of the chain, he may compromise account(s) that are not even in his friends list.
64. FACEBOOK'S DEFAULT & FIXED SECURITY QUESTIONS SET
65. FACEBOOK'S SECURITY QUESTIONS SCREENSHOT!
66. EXCERPTS FROM "MIND READER" VIDEO https://www.youtube.com/watch?v=F7pYHN9iC9I
67. HOW TO GET THE ANSWERS TO THESE QUESTIONS?
68. ACCORDING TO "ME", the following ways work like a charm:
   - In the case of a social network, the answer can be found on the public profile.
   - Directly ask for the answer via routine Facebook chat... most of the time you will get the answer.
   - Make a QUIZ related to the security question and post it to your friends.
   - In the case of family members or close friends, you already know the answer.
69. ANOTHER BAD SECURITY PRACTICE https://www.facebook.com/help/163063243756483 Question: What happens if a user realizes, after answering/setting the question, that he has chosen a weak answer? Remark: In the case of compromised accounts, if the attacker has proceeded via answering the security question, he can do the same thing again some time later because the "QnA" remains the same.
70. INCONSISTENCY IN THE SECURITY QUESTIONS' USER INTERFACE
71. WHAT IS YOUR REACTION IF YOU HAVE TO GIVE AN ANSWER TO A SECURITY QUESTION THAT IS NOT EVEN PART OF FACEBOOK'S DEFAULT SECURITY QUESTIONS LIST?
72. MY REACTION :-)
73. SECURITY QUESTION # 1
74. SECURITY QUESTION # 2
75. HOW CAN A LEGITIMATE USER GIVE AN ANSWER TO A SECURITY QUESTION THAT HE HAS NEVER SET? No way ... BUT I know the answer that works sometimes :-) https://www.facebook.com/ashar.javed (ajaved) https://www.facebook.com/mscashar.javed (mjaved)
76. EMPIRICAL STUDY: Tested 250 real accounts of my friends on Facebook. In 181 cases, Facebook doesn't allow us to proceed ... It means no security question exposed + no option of trusted friends. In 69 cases, Facebook allows us to PROVIDE A NEW EMAIL ADDRESS and, once provided, we can have either the security question exposed or the trusted friends feature appearing, or BOTH.
77. 181 CASES: If, as an attacker, we click on "I Cannot Access My Email" we got ...
78. 181 CASES (NO EMAIL ACCESS ... WE ARE SORRY) https://www.facebook.com/recover/extended/ineligible
79. IN 69 CASES Facebook exposed the selected security question of the victim OR the option of trusted friends' selection OR a choice between the above two options
80. 11 OUT OF 69 ACCOUNTS COMPROMISED: Out of 11 compromised accounts, 8 by answering the security question AND 3 using the trusted friends feature. ENOUGH FOR POC! The number of compromised accounts can easily be raised to 20-25 but requires more work & motivation :-)
81. SOME INTERESTING OBSERVATIONS
82. ON FACEBOOK ANYBODY CAN SEND ANYONE A PASSWORD RESET REQUEST IF HE KNOWS THE USERNAME, WHICH IS PUBLIC INFORMATION
83. DENIAL-OF-SERVICE (DOS) FOR THE VICTIM: The attacker doesn't have access to the victim's email box in order to get the valid 6-digit code, but he has the above dialog box in front of him ... AT THE SAME TIME, what if the attacker enters a wrong secret code 20-30 times?
84. HERE YOU GO: "Try again later" will be a nasty experience for the victim! We call this "Password Reset DoS".
85. IDENTIFY ACCOUNT ANOTHER WAY: In this way, the attacker can force the victim to use the email address or phone, and if the victim has lost his email address ....
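The Password Reset DoS above comes from counting wrong guesses per account: whoever makes the guesses, it is the account owner who ends up seeing "Try again later". The following is an added example written by the editor in Python, not Facebook's code, contrasting that policy with one that counts guesses per (account, source) and, once the total number of guesses against one code crosses a cap, invalidates the code instead of locking the account. The thresholds, the hashing of the stored code, the "source" label standing in for IP address or session, and the simulate_* drivers are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

CODE_DIGITS = 6
# Assumed thresholds; the slides give no figures for Facebook's limits.
MAX_WRONG_PER_SOURCE = 5
MAX_WRONG_PER_CODE = 20


class ResetCodes:
    """Verification of emailed password-reset codes (constructed model).

    scope="account": wrong guesses from anyone count against the account and
        lock its reset, the behaviour the slides above show, so an attacker
        who only knows the username can lock the owner out.
    scope="source":  wrong guesses are counted per (account, source) and only
        that source is locked; when the total number of guesses against one
        code reaches MAX_WRONG_PER_CODE the code itself is invalidated, so the
        attacker's guesses are wasted and the owner just requests a new one.
    """

    def __init__(self, scope):
        if scope not in ("account", "source"):
            raise ValueError("scope must be 'account' or 'source'")
        self.scope = scope
        self.code_hash = {}                  # account -> sha256 of outstanding code
        self.wrong = defaultdict(int)        # lock key -> wrong guesses
        self.total_wrong = defaultdict(int)  # account -> guesses against current code
        self.locked = set()                  # lock keys that get "try again later"

    def request_code(self, account):
        """Issue a fresh single-use code; a real service emails it to the owner."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.code_hash[account] = hashlib.sha256(code.encode()).hexdigest()
        self.total_wrong[account] = 0
        return code

    def _lock_key(self, account, source):
        return account if self.scope == "account" else (account, source)

    def submit_code(self, account, source, code):
        key = self._lock_key(account, source)
        if key in self.locked:
            return "try again later"
        expected = self.code_hash.get(account)
        if expected is None:
            return "no reset in progress"
        given = hashlib.sha256(code.encode()).hexdigest()
        if hmac.compare_digest(given, expected):
            del self.code_hash[account]      # single use
            return "ok"
        self.wrong[key] += 1
        self.total_wrong[account] += 1
        if self.wrong[key] >= MAX_WRONG_PER_SOURCE:
            self.locked.add(key)
            return "try again later"
        if self.scope == "source" and self.total_wrong[account] >= MAX_WRONG_PER_CODE:
            del self.code_hash[account]      # burn the code, not the owner
            return "code expired, request a new one"
        return "wrong code"


def _wrong_guess(real, i):
    # A guess that is guaranteed to differ from the real code.
    return f"{(int(real) + 1 + i) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def simulate_single_source(scope, attacker_guesses=30):
    """Attacker spams wrong codes from one address, then the owner enters the real one."""
    svc = ResetCodes(scope)
    real = svc.request_code("victim")
    for i in range(attacker_guesses):
        svc.submit_code("victim", "attacker-ip", _wrong_guess(real, i))
    return svc.submit_code("victim", "owner-ip", real)


def simulate_distributed(scope, sources=5, per_source=4):
    """Attacker spreads guesses over several addresses to dodge per-source locks.

    Returns the owner's result with the original code and then with a
    freshly requested one.
    """
    svc = ResetCodes(scope)
    real = svc.request_code("victim")
    for s in range(sources):
        for i in range(per_source):
            svc.submit_code("victim", f"attacker-ip-{s}", _wrong_guess(real, s * per_source + i))
    first = svc.submit_code("victim", "owner-ip", real)
    fresh = svc.request_code("victim")
    return first, svc.submit_code("victim", "owner-ip", fresh)
```

Per-source counting alone is not enough, because the attacker can spread guesses over many addresses; the per-code cap is what keeps the total guesses against any one 6-digit code at MAX_WRONG_PER_CODE out of a million. The residual nuisance under the hardened policy is that the attacker can still force the owner to request a fresh code, but can no longer lock the owner out of the flow.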
86. WORST THING
87. MY FRIEND'S REACTION ON WORST THING
88. ANOTHER TYPE OF DOS ON FACEBOOK
89. TRUSTED FRIEND FEATURE DOS: If an attacker has started the password recovery using TF and at the same time the victim tries to use this feature ... he will receive the following message from Facebook
90. FACEBOOK'S SECURITY MEASURES, HOW LEGITIMATE USERS REACT & THEIR BYPASSES
91. THIS IS HOW COMMON USERS USE FACEBOOK...
92. 1) SECURITY ALERT VIA EMAIL OR MOBILE SMS: As soon as the attacker starts an account recovery via the "password reset" functionality, Facebook immediately sends an email or SMS alert to the legitimate user.
93. USERS' REACTION TO THIS EMAIL OR SMS
94. USERS' REACTION TO THIS EMAIL OR SMS
95. 2) TEMPORARILY LOCKED: In order to recognize the device, Facebook uses OS, IP address, browser & estimated location, etc. What happens if the attacker clicks on the "Continue" button?
96. WHAT HAPPENS IF AN ATTACKER CLICKS ON THE "CONTINUE" BUTTON?
97. (1)
98. (2) Click "Continue" after selecting one of the options, but remember who is doing the selection? An ATTACKER
99. (3)
100. (4)
101. (5)
102. (6)
103. (7)
104. (8)
105. ANOTHER INTERESTING ASPECT, IN CASE THE LEGITIMATE USER IS ABLE TO REGAIN ACCESS TO HIS ACCOUNT
106. REMEMBER (5TH STEP), I.E.,
107. SNAPSHOT OF ATTACKER'S EMAIL BOX
108. RECOGNIZED DEVICES
109. 3) 24 HOUR LOCK-OUT PERIOD: As an attacker this is the biggest hurdle to cross...
110. DISAVOW PROCESS: The legitimate user can "disavow" the process at any time by clicking on the link in the email he received from Facebook or by making Facebook activity during this time. BUT the majority of users, as shown in the users' reactions, consider Facebook's informative/warning emails as spam.
111. FOR A MOMENT, FORGET DISAVOW
112. 24 HOUR LOCK-OUT PERIOD STARTS LIKE THAT ...
113. 24 HOUR LOCK-OUT PERIOD ...
114. 24 HOUR LOCK-OUT PERIOD ...
115. 24 HOUR LOCK-OUT PERIOD ...
116. GAME OVER FOR VICTIM...
117. HERE WE GO...
118. ANOTHER EMAIL FROM FACEBOOK AND LEAKED EMAIL ADDRESS OF THE VICTIM
119. ETHICAL CONSIDERATIONS: First reported to Facebook on 19-08-2012. On 23-08-2012, I got the following answer from the Facebook Security Team:
120. TWO QUESTIONS CAME TO MY MIND AFTER READING THE EMAIL... Is there any attack that is not very well targeted? Where is the social engineering in this attack?
121. ON 24-08-2012
122. BUT I WAITED UNTIL THE COMPLETE EMPIRICAL STUDY & AGAIN SENT THE TECHNICAL REPORT/RESEARCH PAPER ON 27-06-2013
123. ANSWER FROM SECURITY TEAM ON 09-09-2013
124. SORRY FACEBOOK :-( It doesn't make sense to reproduce this attack on TEST ACCOUNTS... The results would look FAKE.
125. ON THE OTHER HAND ... Our approach is similar to a recently published academic paper at the Second International Workshop on Privacy and Security in Online Social Media, co-located with WWW 2013 (http://precog.iiitd.edu.in/events/psosm2013/9psosm3s-parwani.pdf)
126. FINALLY: All compromised accounts are up, running and under the control of their legitimate users!
127. YET ANOTHER OBSERVATION, I.E., MASKED EMAIL ADDRESS AND PHONE #
128. WHERE IS THE MASKING? EMAIL ADDRESS EXPOSED
129. AFTER 5-10 MINUTES THE MASKING EFFECT APPEARS
130. WHAT ABOUT THE OTHER 49 SOCIAL NETWORKS' PASSWORD RESET FUNCTIONALITY?
131. TWITTER (https://twitter.com/?lang=en): 200 million active users (Feb 2013) + Alexa Rank #11 (http://en.wikipedia.org/wiki/Twitter)
132. ANYBODY CAN SEND ANYBODY A PASSWORD RESET REQUEST WITH THE HELP OF TWITTER'S USERNAME, WHICH IS PUBLIC INFORMATION :-(
133. JUST FOR FUN ...
134. I REPORTED THIS TO THE TWITTER SECURITY TEAM & THIS IS WHAT THEY THINK ABOUT IT
135. BUT NOW TWITTER HAS ...
136. MAT HONAN'S STORY http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
137. SUPPORT TEAMS
138. SUPPORT TEAM'S JOB: To help customers...
139. CAN ALSO BE USED TO COMPROMISE ACCOUNTS :-)
140. OUR METHODOLOGY, KEEPING THE THREAT MODEL IN MIND: Registered the following email address on social networks: user1@bletgen.net. The goal is to compromise the victim's account labelled with the above email address. The following is the attacker's address: jim@mediaob.de. The attacker's address is not even registered on the social networks!
141. ACADEMIA (http://www.academia.edu/)
142. OUR EMAIL TO ACADEMIA
143. INITIAL RESPONSE FROM ACADEMIA
144. FINAL RESPONSE OF ACADEMIA SUPPORT TEAM
145. FREIZEITFREUNDE (A GERMAN-SPECIFIC SOCIAL NETWORKING SITE) (http://www.freizeitfreunde.de/)
146. OUR EMAIL TO THEM ...
147. FREIZEITFREUNDE'S SUPPORT TEAM RESPONSE
148. LOKALISTEN (A GERMAN SOCIAL NETWORKING SITE) (http://www.lokalisten.de/)
149. INITIAL RESPONSE ON OUR TICKET
150. OUR RESPONSE WITHOUT "DATE OF BIRTH"
151. LOKALISTEN'S SUPPORT TEAM FINAL RESPONSE
152. MEETUP (http://www.meetup.com/find/)
153. SUPPORT TEAM BLOCKS ACCOUNT :)
154. GETGLUE (SOCIAL NETWORK FOR TV FANS) http://getglue.com/feed
155. OUR EMAIL TO THEIR SUPPORT TEAM
156. GETGLUE'S SUPPORT TEAM RESPONSE: They set the new password for us, i.e., "temp" :)
157. DELICIOUS (https://delicious.com/)
158. DELICIOUS'S SUPPORT TEAM RESPONSE: They switched the email address from the victim's to an attacker-controlled email address and sent the password reset link to the attacker's email address.
159. FACEBOOK AS SSO: Out of 50 surveyed social networks, we found 26 use Facebook as login provider (SSO); 24 don't have this feature.
160. IMPLICATIONS OF FACEBOOK CONNECT (1 MILLION WEBSITES HAVE INTEGRATED WITH FACEBOOK*) + ACCOUNT HACK: Control the email account, e.g., Yahoo; go shopping, e.g., Etsy; create havoc for the victim :) 79% of social media logins at online retailers are with Facebook (http://socialmediatoday.com/node/1656466); 60 million users of Facebook Connect in 2009 according to a TechCrunch report (http://goo.gl/a6lsCx). *http://goo.gl/x8BKe
161. HAVOC EXAMPLES http://goo.gl/2FVTz8 http://goo.gl/uuO7Kq
162. GUIDELINES FOR USERS: Do not ignore email or SMS alerts from Facebook. Do not place TOO MUCH information on social networks. Do not accept friend requests from strangers. Enable log-in notifications.
163. GUIDELINES FOR SOCIAL NETWORKS: Train your support teams. Facebook should raise the bar as far as communication with researchers or bug submitters is concerned. For Facebook: please don't send TOO MANY EMAILS, because users start believing that these are spam emails. Joe wrote in his post (http://goo.gl/Wf6QMZ): in the case of TFA, Facebook failed in "CORRECTLY IDENTIFYING and REALIZATION OF AN INFORMATION FLOW PROBLEM"
164. FOR FACEBOOK
165. I HOPE NOW FACEBOOK SECURITY TEAM'S REACTION
166. THANKS!
