TRUSTED FRIENDS FEATURE
Introduced in October 2011
"It's sort of similar to giving a house key to your friends when
you go on vacation -- pick the friends you most trust in case you
TRUSTED FRIENDS ACCORDING TO
""Who Wants To Be A Millionaire" lifeline concept - except it's
not a one-time deal."
FACEBOOK FRIEND VS REAL LIFE FRIEND
A SHORT FUN STUDY
Created 3 FAKE ACCOUNTS and sent friendship requests to
TWENTY (20) friends of mine on Facebook.
After some time, 8 friends had accepted all 3 requests.
DATA SCIENCE OF THE FACEBOOK WORLD
On average a Facebook user has 342 friends!
DO YOU THINK ALL 342 ARE REAL LIFE FRIENDS ALSO OR
JUST FACEBOOK FRIENDS OR WHAT ...?
SUMMARIZE EVERYTHING ABOUT FACEBOOK
& REAL LIFE FRIENDS
TRUSTED FRIEND ATTACK (TFA)
In order to start a TFA, we need the victim's Facebook username and
FYI, it is PUBLIC INFORMATION & part of the Facebook URL.
ONCE TARGET SELECTED
Repeat the "Forgot Your Password" process as mentioned
before until STEP (3), i.e., "No longer have access to these?"
NO LONGER HAVE ACCESS TO THESE?
sometimes opens the following dialog box (old & new version) :)
In order to find the answer to "sometimes", I did an empirical
How can Facebook bind this new email address or phone
number to the legitimate user's address or phone?
How can Facebook differentiate between an account recovery
procedure started by a legitimate user and the one started by an
Is it even possible?
CREATE A NEW EMAIL ADDRESS AND ENTER IT IN
THE PREVIOUS DIALOG BOX & HERE YOU
Why is Facebook exposing the one selected PRIVATE
SECURITY QUESTION in front of the ATTACKER?
Facebook is providing an option to the attacker: he can select
from two routes, i.e.,
1. Answer Security Question
2. Choose Three Friends of Attacker's Choice
1. Involve one attacker, i.e., the case where the attacker will answer
2. Involve three friends, i.e., the case where the attacker chooses three
Do selection of friends in a normal manner even without
POST-DATA manipulation (works 100%)
Try to send codes to his controlled accounts that are not on the
victim's friend list. (Doesn't work)
Try to send codes to attacker-controlled accounts that are
on the victim's friend list but not in the presented list of trusted
friends. (works 50%)
Try to send codes to attacker-controlled accounts that are
on the presented list of trusted friends and use POST-DATA
manipulation (defeats Facebook's shortening of the list items). (works
Try to send all codes to himself (evil idea). (Doesn't work)
ACCORDING TO "ME"
The following ways work like a charm:
-- In case of a social network, the answer can be found on the public profile.
-- Directly ask for the answer via routine Facebook chat... most of the
time you will get the answer.
-- Make a QUIZ related to the security question and post it to your friends.
-- In case of family members or close friends, you already know the
ANOTHER BAD SECURITY PRACTICE
What happens if a user realizes after
answering/setting the question that he has chosen a weak
In case of compromised accounts, if the attacker has
proceeded via answering the security question, he can do the
same thing some time later because the "QnA" remains the same.
INCONSISTENCY IN SECURITY QUESTIONS'
WHAT IS YOUR REACTION IF YOU HAVE TO
GIVE AN ANSWER TO A SECURITY
QUESTION(S) THAT IS NOT EVEN A PART OF
FACEBOOK'S DEFAULT SECURITY QUESTIONS'
HOW CAN A LEGITIMATE USER GIVE AN
ANSWER TO A SECURITY QUESTION THAT HE
HAS NEVER SET?
No Way ...BUT
I know the answer that works sometimes :-)
Tested 250 real accounts of my friends on Facebook.
In 181 cases, Facebook doesn't allow us to proceed ... It means no
security question exposed + no option of trusted friends
In 69 cases, Facebook allows us to PROVIDE a NEW EMAIL
ADDRESS and once provided, we can have either the security
question exposed or the trusted friends feature appears or BOTH
If, as an attacker, we click on " "
181 CASES WE GOT ...
I Cannot Access My Email
181 CASES (NO EMAIL ACCESS ... WE ARE
IN 69 CASES
Facebook exposed the selected security question of the victim
Option of trusted friends' selection
Choice among the above two options
11 OUT OF 69 ACCOUNTS COMPROMISED
Out of 11 compromised accounts
8 by answering the security question
3 using the trusted friends feature
ENOUGH FOR POC! The # of compromised accounts can easily be
raised to 20-25 but requires more work & motivation :-)
ON FACEBOOK ANYBODY CAN SEND ANYONE A
PASSWORD RESET REQUEST IF HE KNOWS
THE USERNAME WHICH IS PUBLIC
The attacker doesn't have access to the victim's email box in order to get
the valid 6 digit code, but he has the above dialog box in front of
AT THE SAME TIME DENIAL-OF-SERVICE
What if the attacker enters a wrong secret code 20-30 times?
" " will be a nasty experience for the victim!
We call this " "
HERE YOU GO:
Password Reset DoS
In this way, the attacker can force the victim to use an email address or
phone, and if the victim has lost his email address ....
IDENTIFY ACCOUNT ANOTHER WAY
3) 24 HOUR LOCKED-OUT PERIOD
As an attacker this is the biggest hurdle to cross...
The legitimate user can "disavow" the process any time by clicking
on the link in the email he received from Facebook or by making
Facebook activity during this time.
The majority of users, as shown in users' reactions, consider
Facebook's informative/warning emails as spam.
SORRY FACEBOOK :-(
It doesn't make sense to reproduce this attack on TEST
The results would look FAKE.
ON THE OTHER HAND ...
Our approach is similar to a recently published academic paper in the
Second International Workshop on Privacy and Security in
Online Social Media
All compromised accounts are up, running and under the control
of their legitimate users!
YET ANOTHER OBSERVATION I.E., MASKED
EMAIL ADDRESS AND PHONE #
OUR METHODOLOGY BY KEEPING IN MIND
The following is the attacker's address, and the goal is to compromise
the victim's account labelled with the above email address
The attacker's address is not even registered on social networks!
DELICIOUS'S SUPPORT TEAM RESPONSE
They switched the email address from the victim's to an
attacker-controlled email address and sent the password reset
link to the attacker's email address.
FACEBOOK AS SSO
Out of 50 surveyed social networks, we found
26 use Facebook as login-provider (SSO)
24 don't have this feature
IMPLICATIONS OF FACEBOOK CONNECT
(1 MILLION WEBSITES HAVE INTEGRATED
WITH FACEBOOK)* + ACCOUNT HACK
Go for shopping e.g., Etsy
Create havoc for the victim :)
79% of social media log-ins at online retailers are with
Facebook ( )
60 million users of Facebook Connect in 2009 according to
GUIDELINES FOR USERS
Do not ignore email or SMS alerts from Facebook
Do not place TOO MUCH information on social networks
Do not accept friend requests from strangers
Enable log-in notifications
GUIDELINES FOR SOCIAL NETWORKS
Train your support teams.
Facebook should raise the bar as far as communication with
researchers or bug submitters is concerned.
For Facebook: Please don't send TOO MANY EMAILS, because
users start believing that these are spam emails.
Joe wrote in his post ( ):
In case of TFA, Facebook failed in "CORRECTLY
IDENTIFYING and REALIZATION OF AN INFORMATION