Trusted Friend Attack: Guardian Angels Strike
  1. TRUSTED FRIEND ATTACK: GUARDIAN ANGELS STRIKE. A talk by Ashar Javed @ Hack In The Box, 14-17 October 2013, Kuala Lumpur, Malaysia (HITBSecConf2013)
  2. GRAPH IS BIG http://theweek.com/article/index/239514/4-things-we-learned-from-facebooks-confounding-earnings-report
  3. WHO AM I?
  4. A RESEARCHER AT RUHR-UNIVERSITY BOCHUM (RUB), GERMANY. A STUDENT WORKING TOWARDS HIS PHD. LISTED IN ALMOST EVERY HALL OF FAME PAGE. @soaj1664ashar
  5. SOME OF YOU WILL WISH FOR THIS FEATURE ...
  6. A SHORT STORY https://twitter.com/dimitribest/status/230677638358900736
  7. A PASTE @ PASTEBIN http://pastebin.com/ajaYnLYc
  8. WHO TO BLAME? http://cher-homespun.blogspot.de/2011/07/curiosity-killed-cat-but-satisfaction.html
  9. AFTER TESTING 3 TO 4 RANDOM ACCOUNTS FROM THE PASTEBIN'S PASTE I FOUND
  10. AN INNOCENT QUESTION ... Why is Facebook asking on somebody's account? "This is me" & "This isn't me". What would be your answer if you are an attacker :-)
  11. LEGITIMATE PASSWORD RECOVERY FLOW. You have an email address but FORGOT YOUR PASSWORD
  12. STEP (1) Go to https://www.facebook.com/ and click "Forgot Your Password?"
  13. STEP (2) Enter your email, phone, username or full name: provide the email address and click on the "Search" button! https://www.facebook.com/login/identify?ctx=recover
  14. STEP (3) Choose your "Password Reset Method" & click "Continue"
  15. STEP (4) A: Receive the password secret code via email
  16. STEP (4) B: Entry point for the SECRET CODE RECEIVED: enter the code that you have received in the email & click "Continue"
  17. STEP (5) Set "New Password"
  18. STEP (6) Welcome to Facebook, MSc. Ashar
  19. INFORMATIVE EMAIL FROM FACEBOOK
  20. WHAT IF YOU LOST OR FORGOT BOTH EMAIL ADDRESS + PASSWORD?
  21. FACEBOOK HAD A SOLUTION NAMED TRUSTED FRIENDS (TF)
  22. "TF IS BASED ON SOCIAL AUTHENTICATION" & "Bringing Social to Security" is GOOD, BUT ...
  23. http://www.cl.cam.ac.uk/~rja14/Papers/socialauthentication.pdf
  24. TRUSTED FRIENDS FEATURE. Introduced in October 2011 (https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766)
  25. TRUSTED FRIENDS: "It's sort of similar to giving a house key to your friends when you go on vacation -- pick the friends you most trust in case you need their help" https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766
  26. TRUSTED FRIENDS ACCORDING TO READWRITE: "'Who Wants To Be A Millionaire' lifeline concept - except it's not a one-time deal." http://readwrite.com/2011/10/27/facebook_adds_security_features_trusted_friends_ap#awesm=~ohkTq
  27. GUARDIAN ANGELS http://sophosnews.files.wordpress.com/2011/10/facebook-security-infographic.pdf
  28. HOW DOES THE TRUSTED FRIENDS FEATURE WORK?
  29. LIST # 1
  30. LIST # 2
  31. LIST # 3
  32. REVIEW FRIENDS
  33. ENTER CODES & GAIN ACCESS TO YOUR ACCOUNT
  34. SCREENSHOT OF FAKE PROFILE
  35. 4 DIGIT CODE
  36. ANOTHER INFORMATIVE EMAIL TO LEGITIMATE USER FROM FACEBOOK
  37. 600,000+ COMPROMISED ACCOUNT LOGINS EVERY DAY ON FACEBOOK, OFFICIAL FIGURES REVEAL (HTTP://GOO.GL/FNP27Q) by https://twitter.com/gcluley
  38. @GCLULEY NOTED IN HIS POST HTTP://GOO.GL/FNP27Q
  39. QUESTION YOU MIGHT BE THINKING ...
  40. THREAT MODEL. The attacker is on the victim's friends list & can create the new email address(es) that are required for compromising accounts. The attacker can only leverage the "forgot your password" functionality in order to compromise accounts, and at the same time we don't consider compromising the email accounts of legitimate user(s).
  41. EMAIL ADDRESS MUST BE NEW FOR EVERY TARGET
  42. FACEBOOK FRIEND VS REAL LIFE FRIEND http://blogs.mcafee.com/consumer/fake-friends
  43. A SHORT FUN STUDY. Created 3 FAKE ACCOUNTS and sent friendship requests to TWENTY (20) friends of mine on Facebook. After some time, 8 friends had accepted all 3 requests.
  44. DATA SCIENCE OF THE FACEBOOK WORLD. On average a Facebook user has 342 friends! DO YOU THINK ALL 342 ARE REAL LIFE FRIENDS ALSO, OR JUST FACEBOOK FRIENDS, OR WHAT ...? http://blog.stephenwolfram.com/2013/04/data-science-of-the-facebook-world/
  45. SUMMARIZE EVERYTHING ABOUT FACEBOOK & REAL LIFE FRIENDS http://www.lolroflmao.com/2012/02/24/he-had-over-2000-friends-on-facebook-i-thought-it-would-have-more-people-here/
  46. TRUSTED FRIEND ATTACK (TFA). In order to start TFA, we need the victim's Facebook username and, FYI, it is PUBLIC INFORMATION & part of the Facebook URL, e.g., https://www.facebook.com/ashar.javed
  47. ONCE TARGET SELECTED: Repeat the "Forgot Your Password" process as mentioned before until STEP (3), i.e., "No longer have access to these?"
  48. NO LONGER HAVE ACCESS TO THESE? Sometimes opens the following dialog box (old & new version) :) HOW AWESOME THEY ARE? :-) https://www.facebook.com/recover/extended In order to find the answer to "sometimes", I did an empirical study (discussed later).
  49. QUESTIONS... How can Facebook bind this new email address or phone number to the legitimate user's address or phone? How can Facebook differentiate between an account recovery procedure started by a legitimate user and one started by an attacker? Is it even possible? I think NO!
  50. CREATE A NEW EMAIL ADDRESS AND ENTER IT IN THE PREVIOUS DIALOG BOX & HERE YOU HAVE:
  51. QUESTION. Why is Facebook exposing the one selected PRIVATE SECURITY QUESTION in front of the ATTACKER? Facebook is providing an option to the attacker that he can select from two routes, i.e., 1. Answer Security Question 2. Choose Three Friends of the Attacker's Choice
  52. TFA'S VARIATIONS/FORMS 1. Involves one attacker, i.e., the case where the attacker will answer the exposed security question 2. Involves three friends, i.e., the case where the attacker chooses three friends of his choice
  53. ATTACKER CHOOSES TRUSTED FRIENDS PATH
  54. ATTACKER'S CHOICES: Do the selection of friends in a normal manner even without POST-DATA manipulation (works 100%). Try to send codes to his controlled accounts that are not on the victim's friend list (doesn't work). Try to send codes to attacker-controlled accounts that are on the victim's friend list but not in the presented lists of trusted friends (works 50%). Try to send codes to attacker-controlled accounts that are on the presented list of trusted friends and use POST-DATA manipulation (defeats Facebook's shortening of list items) (works 100%). Try to send all codes to himself (evil idea) (doesn't work).
  55. POST-DATA MANIPULATION lsd=AVo8FV8K&profileChooserItems={"511543064":1}&checkableitems[]=511543064 511543064 is my Facebook numeric ID.
  56. HOW TO GET THE FACEBOOK USER ID? Facebook's numeric user ID is not public information most of the time and it is not part of the URL all the time!
  57. ANSWER: GRAPH API EXPLORER BY FACEBOOK https://developers.facebook.com/tools/explorer/?method=GET&path=VICTIM-USERNAME?fields=id,name
  58. EVIL IDEA. URL looks like: https://www.facebook.com/guardian/confirm.php?guardians[0]=511543064&guardians[1]=511543064&guardians[2]=511543064&cuid=AYhhCnxPb9g8xVAUGmuPh4e33s2NcCRj8Qng7wKGN7fxe9hXTQtVUKr0Rm-0LBeTOCX_Es83lN0_BGe8Yi2GG7iGRbZwIL5rNXktD1mSsnW-ZFD2fZB1Z7lLuyYdQ4GWPbf9bzhik9zXBpNeOsvUv-MpzCcAQT2jxLtEa25YGlg_qg&cp=testpurposexss@gmail.com
  59. EVIL IDEA DOESN'T WORK. Facebook correctly says:
  60. INTERESTING MESSAGE FROM FACEBOOK
  61. WHAT DOES IT MEAN? I think it means that if an attacker selects himself or any particular account 3 to 5 times for different victims, then Facebook blocks access to that particular account!
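The server-side checks implied by slides 54-61 (guardians must come from the lists the server itself offered, must be three distinct accounts, and one account cannot vouch for many different recoveries), written out as an added illustration. This is not Facebook's code; the limits, the single offered set and the names are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed policy values for this example (not Facebook's real limits):
# three distinct guardians, and one account may vouch for at most
# MAX_RECOVERIES_PER_GUARDIAN different recoveries in the tracked window.
REQUIRED_GUARDIANS = 3
MAX_RECOVERIES_PER_GUARDIAN = 3


@dataclass
class GuardianPolicy:
    # victim_id -> set of friend IDs the server itself offered as candidates
    offered: dict = field(default_factory=dict)
    # guardian_id -> set of victim_ids this guardian has recently vouched for
    usage: dict = field(default_factory=lambda: defaultdict(set))

    def offer(self, victim_id, candidates):
        """Remember the server-generated candidate set; only these may be submitted."""
        self.offered[victim_id] = set(candidates)

    def validate(self, victim_id, chosen):
        """Check the guardian IDs a client POSTs back. Returns (ok, reason)."""
        offered = self.offered.get(victim_id)
        if offered is None:
            return False, "no candidate list was offered for this recovery"
        if len(chosen) != REQUIRED_GUARDIANS:
            return False, "exactly %d guardians are required" % REQUIRED_GUARDIANS
        # Rejects the 'evil idea' of the same ID in guardians[0..2].
        if len(set(chosen)) != REQUIRED_GUARDIANS:
            return False, "guardians must be distinct accounts"
        if victim_id in chosen:
            return False, "an account cannot be its own guardian"
        # Membership is checked against what the server offered, not against the
        # whole friend list, so re-adding a trimmed friend via POST data fails.
        for g in chosen:
            if g not in offered:
                return False, "guardian %s was not offered" % g
        # Cross-victim reuse: the same guardian vouching for many recoveries is
        # the signature of a chained attack, so cap it.
        for g in chosen:
            other_victims = self.usage[g] - {victim_id}
            if len(other_victims) >= MAX_RECOVERIES_PER_GUARDIAN:
                return False, "guardian %s used for too many recoveries" % g
        for g in chosen:
            self.usage[g].add(victim_id)
        return True, "ok"
```

Only after `validate` returns ok should codes be sent to the three guardians; every rejection should also be logged with the requester's session, since repeated rejections are the detection signal.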
  62. URL MANIPULATION'S RESULT, I.E., FACEBOOK'S EMAIL WITH NO FRIENDS' NAMES
  63. CHAIN TRUSTED FRIENDS ATTACK (CTFA). In CTFA, the attacker can make a chain of compromised accounts and with the help of the chain he may compromise account(s) that are not even in his friends list.
  64. FACEBOOK'S DEFAULT & FIXED SECURITY QUESTIONS SET
  65. FACEBOOK'S SECURITY QUESTIONS SCREENSHOT!
  66. EXCERPTS FROM "MIND READER" VIDEO https://www.youtube.com/watch?v=F7pYHN9iC9I
  67. HOW TO GET THE ANSWERS TO THESE QUESTIONS?
  68. ACCORDING TO "ME", the following ways work like a charm: -- In case of a social network, the answer can be found on the public profile. -- Directly ask the answer via routine Facebook chat ... most of the time you will get the answer. -- Make a QUIZ related to the security question and post it to your friends. -- In case of family members or close friends, you already know the answer.
  69. ANOTHER BAD SECURITY PRACTICE https://www.facebook.com/help/163063243756483 Question: What happens if a user realizes after answering/setting the question that he has chosen a weak answer? Remark: In case of compromised accounts, if the attacker has proceeded via answering the security question, he can do the same thing some time later because the "QnA" remains the same.
  70. INCONSISTENCY IN SECURITY QUESTIONS' USER INTERFACE
  71. WHAT IS YOUR REACTION IF YOU HAVE TO GIVE AN ANSWER TO A SECURITY QUESTION THAT IS NOT EVEN A PART OF FACEBOOK'S DEFAULT SECURITY QUESTIONS' LIST?
  72. MY REACTION :-)
  73. SECURITY QUESTION # 1
  74. SECURITY QUESTION # 2
  75. HOW CAN A LEGITIMATE USER GIVE AN ANSWER TO A SECURITY QUESTION THAT HE HAS NEVER SET? No way ... BUT I know the answer that works sometimes :-) https://www.facebook.com/ashar.javed (ajaved), mscashar.javed (mjaved)
  76. EMPIRICAL STUDY. Tested 250 real accounts of my friends on Facebook. In 181 cases, Facebook doesn't allow us to proceed ... It means no security question exposed + no option of trusted friends. In 69 cases, Facebook allows us to PROVIDE a NEW EMAIL ADDRESS and once provided, we can have either the security question exposed, or the trusted friends feature appears, or BOTH.
  77. 181 CASES WE GOT ... if as an attacker we click on "I Cannot Access My Email"
  78. 181 CASES (NO EMAIL ACCESS ... WE ARE SORRY) https://www.facebook.com/recover/extended/ineligible
  79. IN 69 CASES Facebook exposed the selected security question of the victim, OR the option of trusted friends' selection, OR a choice among the above two options
  80. 11 OUT OF 69 ACCOUNTS COMPROMISED. Out of 11 compromised accounts, 8 by answering the security question AND 3 using the trusted friends feature. ENOUGH FOR POC! The number of compromised accounts can easily be raised to 20-25 but requires more work & motivation :-)
  81. SOME INTERESTING OBSERVATIONS
  82. ON FACEBOOK ANYBODY CAN SEND ANYONE A PASSWORD RESET REQUEST IF HE KNOWS THE USERNAME, WHICH IS PUBLIC INFORMATION
  83. The attacker doesn't have access to the victim's email box in order to get the valid 6 digit code, but he has the above dialog box in front of him ... AT THE SAME TIME: DENIAL-OF-SERVICE (DOS) ON THE VICTIM. What if the attacker enters a wrong secret code 20-30 times?
  84. HERE YOU GO: "Try again later" will be a nasty experience for the victim! We call this "Password Reset DoS"
  85. In this way, the attacker can force the victim to use an email address or phone, and if the victim has lost his email address .... IDENTIFY ACCOUNT ANOTHER WAY
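The "Password Reset DoS" on slides 82-85 arises when wrong-code attempts are counted against the account, so a stranger who only knows the public username can lock the real owner out. Added here as an illustration (not Facebook's code): a reset-code store that counts failures per requester session, compares codes in constant time, and reissues the code instead of freezing the account once the aggregate failure count is high; the limits and names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed limits for this example (not Facebook's real values).
MAX_FAILURES_PER_REQUESTER = 5   # wrong guesses one session/IP may make
MAX_TOTAL_FAILURES = 20          # across all requesters before the code is rotated
CODE_DIGITS = 6


@dataclass
class ResetCodeStore:
    codes: dict = field(default_factory=dict)           # account -> current code
    failures: dict = field(default_factory=dict)        # (account, requester) -> count
    total_failures: dict = field(default_factory=dict)  # account -> count
    rotated: list = field(default_factory=list)         # accounts whose code was reissued

    def issue(self, account):
        """Create a fresh random code; in production it is emailed/SMSed to the owner."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.codes[account] = code
        self.total_failures[account] = 0
        return code

    def verify(self, account, requester, submitted):
        """`requester` identifies the browser session or IP making the attempt.

        Lock-out state is keyed on (account, requester), never on the account
        alone, so an attacker's wrong guesses do not block the owner's session.
        """
        key = (account, requester)
        if self.failures.get(key, 0) >= MAX_FAILURES_PER_REQUESTER:
            return "requester_blocked"
        expected = self.codes.get(account)
        # Constant-time comparison; a missing or already-used code never matches.
        if expected is not None and hmac.compare_digest(expected, submitted):
            self.codes.pop(account)          # single use
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        self.total_failures[account] = self.total_failures.get(account, 0) + 1
        if self.total_failures[account] >= MAX_TOTAL_FAILURES:
            # Many failures from many sessions: invalidate the guessed-at code and
            # send the owner a new one, rather than telling everyone "try again later".
            self.issue(account)
            self.rotated.append(account)
        return "wrong_code"
```

Every "requester_blocked" and every rotation is worth an alert to the owner, since both mean someone other than the owner is working the recovery flow for that username.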
  86. WORST THING
  87. MY FRIEND'S REACTION ON WORST THING
  88. ANOTHER TYPE OF DOS ON FACEBOOK
  89. TRUSTED FRIEND FEATURE DOS. If an attacker has started the password recovery using TF and at the same time the victim tries to use this feature ... he will receive the following message from Facebook
  90. FACEBOOK'S SECURITY MEASURES & HOW LEGITIMATE USERS REACT & THEIR BYPASSES
  91. THIS IS HOW COMMON USERS USE FACEBOOK...
  92. 1) SECURITY ALERT VIA EMAIL OR MOBILE SMS. As soon as the attacker starts an account recovery via the "password reset" functionality, Facebook immediately sends an email or SMS alert to the legitimate user.
  93. USERS' REACTION ON THIS EMAIL OR SMS
  94. USERS' REACTION ON THIS EMAIL OR SMS
  95. 2) TEMPORARILY LOCKED. In order to recognize a device, Facebook uses OS, IP Address, Browser & Estimated Location, etc. What happens if the attacker clicks on the "Continue" button?
  96. WHAT HAPPENS IF AN ATTACKER CLICKS ON THE "CONTINUE" BUTTON?
  97. (1)
  98. (2) Click "Continue" after selecting one of the options, but remember who is doing the selection? An ATTACKER
  99. (3)
  100. (4)
  101. (5)
  102. (6)
  103. (7)
  104. (8)
  105. ANOTHER INTERESTING ASPECT IN CASE THE LEGITIMATE USER IS ABLE TO REGAIN ACCESS TO HIS ACCOUNT
  106. REMEMBER (5TH STEP), I.E.,
  107. SNAPSHOT OF ATTACKER'S EMAIL BOX
  108. RECOGNIZED DEVICES
  109. 3) 24 HOUR LOCKED-OUT PERIOD. As an attacker this is the biggest hurdle to cross...
  110. DISAVOW PROCESS. The legitimate user can "disavow" the process any time by clicking on the link in the email he received from Facebook or by making Facebook activity during this time. BUT the majority of users, as shown in users' reactions, consider Facebook's informative/warning emails as spam.
  111. FOR A MOMENT, FORGET DISAVOW
  112. 24 HOUR LOCKED OUT PERIOD STARTS LIKE THAT ...
  113. 24 HOUR LOCKED OUT PERIOD ...
  114. 24 HOUR LOCKED OUT PERIOD ...
  115. 24 HOUR LOCKED OUT PERIOD ...
  116. GAME OVER FOR VICTIM...
  117. HERE WE GO...
  118. ANOTHER EMAIL FROM FACEBOOK AND LEAKED EMAIL ADDRESS OF THE VICTIM
  119. ETHICAL CONSIDERATIONS. First reported to Facebook on 19-08-2012. On 23-08-2012, I got the following answer from the Facebook Security Team:
  120. TWO QUESTIONS CAME TO MY MIND AFTER READING THE EMAIL... Is there any attack that is not very well targeted? Where is the social engineering in this attack?
  121. ON 24-08-2012
  122. BUT I WAITED UNTIL THE COMPLETE EMPIRICAL STUDY & AGAIN SENT THE TECHNICAL REPORT/RESEARCH PAPER ON 27-06-2013
  123. ANSWER FROM SECURITY TEAM ON 09-09-2013
  124. SORRY FACEBOOK :-( It doesn't make sense to reproduce this attack on TEST ACCOUNTS... The results would look FAKE.
  125. ON THE OTHER HAND ... Our approach is similar to a recently published academic paper in the Second International Workshop on Privacy and Security in Online Social Media, co-located with WWW2013 (http://precog.iiitd.edu.in/events/psosm2013/9psosm3s-parwani.pdf)
  126. FINALLY: All compromised accounts are up, running and under the control of their legitimate users!
  127. YET ANOTHER OBSERVATION, I.E., MASKED EMAIL ADDRESS AND PHONE #
  128. WHERE IS MASKING? EMAIL ADDRESS EXPOSED
  129. AFTER 5-10 MINUTES THE MASKING EFFECT APPEARS
  130. WHAT ABOUT THE OTHER 49 SOCIAL NETWORKS' PASSWORD RESET FUNCTIONALITY?
  131. TWITTER (HTTPS://TWITTER.COM/?LANG=EN): 200 million active users (Feb 2013) + Alexa Rank #11 (http://en.wikipedia.org/wiki/Twitter)
  132. ANYBODY CAN SEND ANYBODY A PASSWORD RESET REQUEST WITH THE HELP OF TWITTER'S USERNAME, WHICH IS PUBLIC INFORMATION :-(
  133. JUST FOR FUN ...
  134. I REPORTED THIS TO TWITTER SECURITY TEAM & THIS IS WHAT THEY THINK ABOUT IT
  135. BUT NOW TWITTER HAS ...
  136. MAT HONAN'S STORY http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
  137. SUPPORT TEAMS
  138. SUPPORT TEAM'S JOB: To help customers...
  139. CAN ALSO BE USED TO COMPROMISE ACCOUNTS :-)
  140. OUR METHODOLOGY, KEEPING THE THREAT MODEL IN MIND. Registered the following email address on social networks: user1@bletgen.net AND the following is the attacker's address; the goal is to compromise the victim's account labelled with the above email address: jim@mediaob.de. The attacker's address is not even registered on the social networks!
  141. ACADEMIA (HTTP://WWW.ACADEMIA.EDU/)
  142. OUR EMAIL TO ACADEMIA
  143. INITIAL RESPONSE FROM ACADEMIA
  144. FINAL RESPONSE OF ACADEMIA SUPPORT TEAM
  145. FREIZEITFREUNDE (A GERMAN-SPECIFIC SOCIAL NETWORKING SITE) (HTTP://WWW.FREIZEITFREUNDE.DE/)
  146. OUR EMAIL TO THEM ...
  147. FREIZEITFREUNDE'S SUPPORT TEAM RESPONSE
  148. LOKALISTEN (A GERMAN SOCIAL NETWORKING SITE) (HTTP://WWW.LOKALISTEN.DE/)
  149. INITIAL RESPONSE ON OUR TICKET
  150. OUR RESPONSE WITHOUT "DATE OF BIRTH"
  151. LOKALISTEN'S SUPPORT TEAM FINAL RESPONSE
  152. MEETUP (HTTP://WWW.MEETUP.COM/FIND/)
  153. SUPPORT TEAM BLOCKS ACCOUNT :)
  154. GETGLUE (SOCIAL NETWORK FOR TV FANS) HTTP://GETGLUE.COM/FEED
  155. OUR EMAIL TO THEIR SUPPORT TEAM
  156. GETGLUE'S SUPPORT TEAM RESPONSE: They set the new password for us, i.e., "temp" :)
  157. DELICIOUS (HTTPS://DELICIOUS.COM/)
  158. DELICIOUS'S SUPPORT TEAM RESPONSE: They switched the email address from the victim's to an attacker-controlled email address and sent the password reset link to the attacker's email address.
  159. FACEBOOK AS SSO. Out of 50 surveyed social networks, we found 26 use Facebook as login provider (SSO) and 24 don't have this feature
  160. IMPLICATIONS OF FACEBOOK CONNECT (1 MILLION WEBSITES HAVE INTEGRATED WITH FACEBOOK)* + ACCOUNT HACK: Controls email account, e.g., Yahoo. Go for shopping, e.g., Etsy. Create havoc for the victim :) 79% of social media log-ins by online retailers are with Facebook (http://socialmediatoday.com/node/1656466). 60 million users of Facebook Connect in 2009 according to a TechCrunch report (http://goo.gl/a6lsCx). *http://goo.gl/x8BKe
  161. HAVOC EXAMPLES http://goo.gl/2FVTz8 http://goo.gl/uuO7Kq
  162. GUIDELINES FOR USERS: Do not ignore email or SMS alerts from Facebook. Do not place TOO MUCH information on social networks. Do not accept friend requests from strangers. Enable log-in notifications.
  163. GUIDELINES FOR SOCIAL NETWORKS: Train your support teams. Facebook should raise the bar as far as communication with researchers or bug submitters is concerned. For Facebook: Please don't send TOO MANY EMAILS, because users start believing that these are spam emails. Joe wrote in his post (http://goo.gl/Wf6QMZ): In the case of TFA, Facebook failed in "CORRECTLY IDENTIFYING and REALIZATION OF AN INFORMATION FLOW PROBLEM".
  164. FOR FACEBOOK
  165. I HOPE NOW FACEBOOK SECURITY TEAM'S REACTION
  166. THANKS!