1. TRUSTED FRIEND
ATTACK:
GUARDIAN ANGELS STRIKE
Atalk byAshar Javed
@
HackIn The Box,14- 17 October 2013
Kuala Lumpur,Malaysia (HITBSecConf2013)

2. GRAPH IS BIG
http://theweek.com/article/index/239514/4-things-we-
learned-from-facebooks-confounding-earnings-report

3. WHO AM I?

4. A RESEARCHER IN R UHR- U NIVERSITY B OCHUM, RUB ,
GERMANY
A STUDENT WORKING TOWARDS HIS PHD
LISTED IN ALMOST EVERY HALL OF FAME PAGES
@soaj1664ashar

5. SOME OF YOU WILL WISH FOR THIS FEATURE
...

6. A SHORT STORY
https://twitter.com/dimitribest/status/230677638358900736

7. A PASTE@PASTEBIN
http://pastebin.com/ajaYnLYc

8. WHO TO BLAME?
http://cher-homespun.blogspot.de/2011/07/curiosity-killed-cat-but-satisfaction.html

9. AFTER TESTING 3 TO 4 RANDOM ACCOUNTS
FROM THE PASTEBIN'S PASTE I FOUND

10. AN INNOCENT QUESTION ...
WhyisFacebook asking onsomebody's account?
This is me
This isn't me
&
What would beyour answer, if you arean attacker :-)

11. LEGITIMATE PASSWORD RECOVERY FLOW
You haveanemail addressbutFORGOTYOUR PASSWORD

12. STEP (1)
Go To https://www.facebook.com/
Click "Forgot YourPassword?"

13. Provideemail address andclick on "Search"button!
STEP (2)
Enter Your Email,Phone,Username or Full Name
https://www.facebook.com/login/identify?ctx=recover

14. STEP (3)
Choose your "Password Reset Method" & click"Continue"

15. STEP (4) A
Receivedpassword secret codeviaemail

16. Enter code thatyou have receivedinemail & click"Continue"
STEP (4) B
Entry-Point for the SECRET CODERECEIVED:

17. STEP (5)
Set "New Password"

18. STEP (6)
WelcometoFacebook, MSc.Ashar

19. INFORMATIVE EMAIL FROM FACEBOOK

20. WHAT IF YOU LOST OR FORGOT BOTH
EMAIL ADDRESS
+
PASSWORD

21. FACEBOOK HAD A SOLUTION NAMED
TRUSTED FRIENDS (TF)

22. ""TF IS BASED ON SOCIAL AUTHENTICATION""
&
"BringingSocialtoSecurity "isGOOD
BUT ...

23. http://www.cl.cam.ac.uk/~rja14/Papers/socialauthentication.pdf

24. TRUSTED FRIENDS FEATURE
Introduced in October 2011
(
)
https://www.facebook.com/notes/facebook-
security/national-cybersecurity-awareness-month-
updates/10150335022240766

25. TRUSTED FRIENDS
"It'ssort ofsimilar to givinga house key to yourfriendswhen
you go onvacation--pick the friends youmost trustincaseyou
need theirhelp"
https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-
month-updates/10150335022240766

26. TRUSTED FRIENDS ACCORDING TO
READWRITE:
"" Who Wants ToBeA Millionaire" lifelineconcept- except it's
not a one-timedeal."
http://readwrite.com/2011/10/27/facebook_adds_security_features_trusted_friends_ap#awesm=~ohkTq

27. GUARDIAN ANGELS
http://sophosnews.files.wordpress.com/2011/10/facebook-
security-infographic.pdf

28. HOW TRUSTED FRIENDS FEATURE WORKS?

29. LIST # 1

30. LIST # 2

31. LIST # 3

32. REVIEW FRIENDS

33. ENTER CODES & GAIN ACCESS TO YOUR
ACCOUNT

34. SCREEN-SHOT OF FAKE PROFILE

35. 4 DIGIT CODE

36. ANOTHER INFORMATIVE EMAIL TO
LEGITIMATE USER FROM FACEBOOK

37. 600,000+ COMPROMISED ACCOUNT LOGINS
EVERY DAY ON FACEBOOK, OFFICIAL FIGURES
REVEAL ( )HTTP://GOO.GL/FNP27Q
by
https://twitter.com/gcluley

38. @GCLULEY NOTED IN HIS POST
HTTP://GOO.GL/FNP27Q

39. QUESTION YOU MIGHT THINKING ...

40. THREAT MODEL
Attacker isonvictim's friends'list &cancreatenew email
address(es) thatare requiredfor compromising accounts.
Attacker can onlyleverage "forgot yourpassword"functionality
inorder to compromise accountsand atthe same timewedon't
consider "compromisingofanemail accountsoflegitimate
user(s)"

41. EMAIL ADDRESS MUST BE NEW FOR EVERY
TARGET

42. FACEBOOK FRIEND VS REAL LIFE FRIEND
http://blogs.mcafee.com/consumer/fake-friends

43. A SHORT FUN STUDY
Created3 FAKEACCOUNTS andsend Friendship requeststo
TWENTY ( 20 ) friends of mine on Facebook.
After some time, 8 friendshave acceptedall3 requests

44. DATA SCIENCE OF THE FACEBOOK WORLD
On average aFacebook user has 342 friends!
DO YOU THINK ALL 342 ARE REAL LIFE FRIENDS ALSOOR
JUST FACEBOOK FRIENDS OR WHAT ...?
http://blog.stephenwolfram.com/2013/04/data-science-of-the-
facebook-world/

45. SUMMARIZE EVERYTHING ABOUT FACEBOOK
& REAL LIFE FRIENDS
http://www.lolroflmao.com/2012/02/24/he-had-over-2000-friends-on-facebook-i-thought-it-would-have-more-people-here/

46. TRUSTED FRIEND ATTACK (TFA)
Inorder to startTFA, we needvictim's Facebookusername and
FYI, it is PUBLIC INFORMATION & part of FacebookURL.
e.g.,
https://www.facebook.com/ashar.javed

47. " "
ONCE TARGET SELECTED
Repeatthe "Forgot YourPassword" processas mentioned
before until STEP (3) i.e.,
No longer haveaccesstothese?

48. NO LONGER HAVE ACCESS TO THESE?
sometimes opensthefollowingdialog box(old &new version) :)
HOWAWESOMETHEY ARE?:-)
https://www.facebook.com/recover/extended
Inorder to findtheanswer of" sometimes ",I didan empirical
study (discusslater).

49. QUESTIONS...
How canFacebook bindthis new emailaddress or phone
number tothe legitimate user's address or phone?
How can Facebookdifferentiatebetweenanaccountrecovery
procedurestarted bya legitimateuser and the one startedby an
attacker?
Is it evenpossible?
Ithink NO!

50. CREATE NEW EMAIL ADDRESS AND ENTER IN
THE PREVIOUS DIALOG BOX & HERE YOU
HAVE:

51. QUESTION
WhyisFacebook exposingtheoneselected PRIVATE
SECURITY QUESTION in front ofthe ATTACKER?
Facebook is providinganoptiontotheattacker thathe canselect
from two routes i.e.,
1. Answer SecurityQuestion
2. Choose Three Friends of Attacker's Choice

52. TFA'S VARIATIONS/FORMS
1. Involveoneattacker i.e., the casewhere attacker will answer
theexposedsecurity question
2. Involvethree friendsi.e., the casewhere attacker chooses three
friendsofhischoice

53. ATTACKER CHOOSES TRUSTED FRIENDS PATH

54. ATTACKER'S CHOICES
Do selection offriends in anormalmanner evenwithout
POST-DATA manipulation ( works 100%)
Tryto sendcodes to hiscontrolledaccounts thatarenot on
victim's friendlist.( Doesn't work)
Tryto sendcodes to an attacker's controlled accountsthat are
on victim'sfriendlist but not in the presented listsoftrusted
friends. (works 50% )
Tryto sendcodes to an attacker's controlled accountsthat are
on the presented listof trustedfriendsand use POST-DATA
manipulation (defeat Facebook's shortenof listitems). ( works
100% )
Tryto sendallcodesto himself(evil idea). ( Doesn't work)

55. POST-DATA MANIPULATION
lsd=AVo8FV8K&profileChooserItems ={"511543064":1}&
checkableitems[] =511543064
511543064ismy Facebooknumeric ID.

56. HOW TO GET THE FACEBOOK'S USER ID?
Facebook'suser numeric ID isnot public information mostofthe
time and it isnot part of URL all thetime!

57. https://developers.facebook.com/tools/explorer/?
method=GET& ?fields=id,name
ANSWER: GRAPH API EXPLORER BY
FACEBOOK
path=VICTIM-USERNAME

58. URL lookslike:
EVIL IDEA
https://www.facebook.com/guardian/confirm.php?
guardians[0]=511543064&guardians[1]=511543064&guardians[2]=511543064
&cuid=AYhhCnxPb9g8xVAUGmuPh4e33s2NcCRj8Qng7wKGN7fxe9hXTQtVUKr0Rm-
0LBeTOCX_Es83lN0_BGe8Yi2GG7iGRbZwIL5rNXktD1mSsnW-
ZFD2fZB1Z7lLuyYdQ4GWPbf9bzhik9zXBpNeOsvUv-
MpzCcAQT2jxLtEa25YGlg_qg&cp=testpurposexss@gmail.com

59. EVIL IDEA DOESN'T WORK
Facebookcorrectly says:

60. INTERESTING MESSAGE FROM FACEBOOK

61. WHAT DOES IT MEAN?
Ithink it means thatif an attacker selecthimself or any particular
account3 to 5times for different victimsthenFacebook's block
access to particular account!

62. URL MANIPULATION'S RESULT! I.E.,
FACEBOOK'S EMAIL WITH NO FRIENDS'
NAMES

64. CHAIN TRUSTED FRIENDS ATTACK (CTFA)
InCTFA, attacker can make a chainof compromisedaccounts
and with thehelpofchain he may compromisedaccount(s)that
are evennotinhisfriends list.

65. FACEBOOK'S DEFAULT & FIXED SECURITY
QUESTIONS SET

66. FACEBOOK'S SECURITY QUESTIONS SCREEN-
SHOT!

67. EXCERTS FROM "MIND READER" VIDEO
https://www.youtube.com/watch?v=F7pYHN9iC9I

68. HOW TO GET THE ANSWERS OF THESE
QUESTIONS?

69. ACCORDING TO "ME"
Followingways worklike charm:
-- Incase ofsocial network, answer can be foundonpublic profile.
-- Directly ask the answer viaroutine Facebook chat...most of the
time you will getthe answer.
-- Make aQUIZ related to securityquestion and postto yourfriends.
-- In case of family membersorclose friends,youalready know the
answer.

70. Question:
Remark:
ANOTHER BAD SECURITY PRACTICE
https://www.facebook.com/help/163063243756483
Whathappens ifa userrealize after
answering/settingthequestion thathehaschosena weak
answer?
In caseof compromisedaccounts,if attacker has
proceeded via answering the securityquestion,hecandothe
samething sometime after because "QnA"remains same.

71. INCONSISTENCY IN SECURITY QUESTIONS'
USER INTERFACE

72. WHAT IS YOUR REACTION IF YOU HAVE TO
GIVE AN ANSWER TO A SECURITY
QUESTION(S) THAT IS NOT EVEN A PART OF
FACEBOOK'S DEFAULT SECURITY QUESTIONS'
LIST?

73. MY REACTION :-)

74. SECURITY QUESTION # 1

75. SECURITY QUESTION # 2

76. https://www.facebook.com/
HOW CAN A LEGITIMATE USER GIVE AN
ANSWER TO A SECURITY QUESTION THAT HE
HAS NEVER SET?
No Way ...BUT
I know theanswer that workssometimes :-)
https://www.facebook.com/ashar.javed(ajaved)
mscashar.javed (mjaved)

77. EMPIRICAL STUDY
Testedreal250 accountsofmy friendsonFacebook.
In 181 cases, Facebookdoesn'tallow us to proceed ...It means no
securityquestion exposed + nooptionoftrustedfriends
In69cases,Facebook allows ustoPROVIDEa NEWEMAIL
ADDRESSandonce provided, wecanhave either security
questionexposedor trusted friends featureappearsor BOTH

78. If asanattacker, we click on" "
181 CASES WE GOT ...
I Cannot AccessMyEmail

79. 181 CASES (NO EMAIL ACCESS ... WE ARE
SORRY)
https://www.facebook.com/recover/extended/ineligible

80. IN 69 CASES
Facebookexposed the selectedsecurity questionofthevictim
OR
OptionofTrusted friends' selection
OR
Choiceamong above two options

81. 11 OUT OF 69 ACCOUNTS COMPROMISED
Out of 11 compromised accounts
8 byansweringsecurity question
AND
3 usingtrusted friends feature
ENOUGHFORPOC! #ofcompromised accountscanbe easily
raisedto20-25 but requiresmore work& motivation :-)

82. SOME INTERESTING OBSERVATIONS

83. ON FACEBOOK ANYBODY CAN SEND ANYONE A
PASSWORD RESET REQUEST IF HE KNOWS
THE USERNAME WHICH IS PUBLIC
INFORMATION

84. Attacker doesn't haveaccesstovictim's emailbox inorder to get
thevalid 6 digitcode but he has the above dialog box in frontof
him ...
AT THE SAME TIME DENIAL-OF-SERVICE
(DOS) VICTIM
What ifattacker will enter 20-30 times wrongsecretcode?

85. " "will benastyexperiencefor thevictim!
We callthis " "
HERE YOU GO:
Tryagain later
Password Reset DoS

86. In this way,attacker canforce victim to use emailaddress or
phone andifvictim haslost his emailaddress ....
IDENTIFY ACCOUNT ANOTHER WAY

87. WORST THING

88. MY FRIEND'S REACTION ON WORST THING

89. ANOTHER TYPE OF DOS ON FACEBOOK

90. TRUSTED FRIEND FEATURE DOS
If an attacker hasstarted the passwordrecovery usingTFandat
thesame timevictim tries to use thisfeature...hewill receive the
followingmessage from Facebook

91. FACEBOOK'S SECURITY MEASURES & HOW
LEGITIMATE USERS REACT & THEIR
BYPASSES

92. THIS IS HOW COMMON USERS USE
FACEBOOK...

93. 1) SECURITY ALERT VIA EMAIL OR MOBILE
SMS
As soonasattacker starts an account recoveryvia"password
reset" functionality,Facebook immediatelysends an emailor sms
alert tothe legitimate user.

94. USERS' REACTION ON THIS EMAIL OR SMS

95. USERS' REACTION ON THIS EMAIL OR SMS

96. In order torecognize device,Facebook uses
etc.
Whathappensifattacker clicks on " "button?
2) TEMPORARILY LOCKED
OS,IP Address,
Browser &Estimated Location
Continue

97. WHAT HAPPENS IF AN ATTACKER CLICKS ON "
CONTINUE " BUTTON?

98. (1)

99. Click" "after selecting one of the option butremember
whoisdoing selection?
(2)
Continue
An ATTACKER

100. (3)

101. (4)

102. (5)

103. (6)

104. (7)

105. (8)

106. ANOTHER INTERESTING ASPECT IN CASE IF
LEGITIMATE USER WILL BE ABLE TO REGAIN
ACCESS TO HIS ACCOUNT

107. REMEMBER (5TH STEP) I.E.,

108. SNAPSHOT OF ATTACKER'S EMAIL BOX

109. RECOGNIZED DEVICES

110. 3) 24 HOUR LOCKED-OUT PERIOD
As an attacker this isthe biggest hurdle to cross...

111. DISAVOW PROCESS
Legitimate user can"disavow"theprocess any timeby clicking
on the linkintheemailhe receivedfrom Facebookor making
Facebook activityduringthis time.
BUT
Majorityoftheusers,as shown in users' reaction consider
Facebook'sinformative/warning emails as spam.

112. FOR A MOMENT FORGOT DISAVOW

113. 24 HOUR LOCKED OUT PERIOD STARTS LIKE
THAT ...

114. 24 HOUR LOCKED OUT PERIOD ...

115. 24 HOUR LOCKED OUT PERIOD ...

116. 24 HOUR LOCKED OUT PERIOD ...

117. GAME OVER FOR VICTIM...

118. HERE WE GO...

119. ANOTHER EMAIL FROM FACEBOOK AND
LEAKED EMAIL ADDRESS OF THE VICTIM

120. ETHICAL CONSIDERATIONS
FirstReported toFacebook on19-08-2012
On 23-08-2012, Igotthefollowinganswer from Facebook
SecurityTeam:

121. TWO QUESTIONS CAME TO MY MIND AFTER
READING THE EMAIL...
Isthere any attack thatisnotvery welltargeted?
Where issocialengineering in this attack?

122. ON 24-08-2012

123. BUT I HAVE WAITED UNTIL THE COMPLETE
EMPIRICAL STUDY & AGAIN SENT THE
TECHNICAL REPORT/RESEARCH PAPER ON
27-06-2013

124. ANSWER FROM SECURITY TEAM ON 09-09-
2013

125. SORRY FACEBOOK :-(
It doesn't makes sensetoreproduce thisattackonTEST
ACCOUNTS...
The results wouldlook likeFAKE.

126. ON THE OTHER HAND ...
Our approach issimilar toa recently publishedacademic paper in
Second International Workshopon PrivacyandSecurity in
Online Social Media
Co-located withWWW2013
(
)
http://precog.iiitd.edu.in/events/psosm2013/9psosm3s-
parwani.pdf

127. FINALLY
All compromisedaccounts are up,runningandunder thecontrol
of their legitimateusers!

128. YET ANOTHER OBSERVATION I.E., MASKED
EMAIL ADDRESS AND PHONE #

129. WHERE IS MASKING? EMAIL ADDRESS
EXPOSED

130. AFTER 5-10 MINUTES MASKING AFFECT
APPEARS

131. WHAT ABOUT OTHER 49 SOCIAL NETWORKS'
PASSWORD RESET FUNCTIONALITY?

132. 200 millionactive users (Feb2013) +Alexa Rank#11
( )
TWITTER (HTTPS://TWITTER.COM/?
LANG=EN)
http://en.wikipedia.org/wiki/Twitter

133. ANYBODY CAN SEND ANYBODY A PASSWORD
RESET REQUEST WITH THE HELP OF
TWITTER'S USERNAME WHICH IS PUBLIC
INFORMATION :-(

134. JUST FOR FUN ...

135. I REPORTED THIS TO TWITTER SECURITY
TEAM & THIS IS WHAT THEY THINK ABOUT IT

136. BUT NOW TWITTER HAS ...

137. MAT HONAN'S STORY
http://www.wired.com/gadgetlab/2012/08/apple-amazon-
mat-honan-hacking/all/

138. SUPPORT TEAMS

139. SUPPORT TEAM'S JOB
To helpcustomers...

140. CAN ALSO BE USED TO COMPROMISE
ACCOUNTS :-)

141. OUR METHODOLOGY BY KEEPING IN MIND
THREAT MODEL
Registeredthe followingemailaddressonsocialnetworks:
user1@bletgen.net
AND
The followingistheattacker'saddress and goalis to compromise
the victim'saccountlabelled withabove email address
jim@mediaob.de
Attacker's addressis noteven registered onsocialnetworks!

142. ACADEMIA ( )HTTP://WWW.ACADEMIA.EDU/

143. OUR EMAIL TO ACADEMIA

144. INITIAL RESPONSE FROM ACADEMIA

145. FINAL RESPONSE OF ACADEMIA SUPPORT
TEAM

146. FREIZEITFREUNDE (A GERMAN-SPECIFIC
SOCIAL NETWORKING SITE)
( )HTTP://WWW.FREIZEITFREUNDE.DE/

147. OUR EMAIL TO THEM ...

148. FREIZEITFREUNDE'S SUPPORT TEAM
RESPONSE

149. LOKALISTEN (A GERMAN SOCIAL
NETWORKING SITE )
( )HTTP://WWW.LOKALISTEN.DE/

150. INITIAL RESPONSE ON OUR TICKET

151. OUR RESPONSE WITHOUT ""DATE OF BIRTH""

152. LOKALISTEN'S SUPPORT TEAM FINAL
RESPONSE

153. MEETUP
( )HTTP://WWW.MEETUP.COM/FIND/

154. SUPPORT TEAM BLOCKS ACCOUNT :)

155. GETGLUE (SOCIAL NETWORKS FOR TV FANS)
HTTP://GETGLUE.COM/FEED

156. OUR EMAIL TO THEIR SUPPORT TEAM

157. GETGLUE'S SUPPORT TEAM RESPONSE
They set thenew password for us i.e.,"temp " :)

158. DELICIOUS ( )HTTPS://DELICIOUS.COM/

159. DELICIOUS'S SUPPORT TEAM RESPONSE
They have switchedthe emailaddress from victims'toan
attacker controlled email address and havesent passwordreset
linkto the attacker'semail address.

160. FACEBOOK AS SSO
Outof50surveyed social networks,wefound
26 use Facebook aslogin-provider (SSO)
24 don'thave this feature

161. IMPLICATIONS OF FACEBOOK CONNECT
(1 MILLION WEBSITES HAVE INTEGRATED
WITH FACEBOOK)*+ ACCOUNT HACK
Controls emailaccounte.g.,Yahoo
Go for shoppinge.g.,Etsy
Create havoc for victim :)
79%ofsocialmedia log insby online retailers are with
Facebook ( )
60 millionusers of FacebookConnectin2009 accordingto
TechCrunchreport( )
http://socialmediatoday.com/node/1656466
http://goo.gl/a6lsCx
*http://goo.gl/x8BKe

162. HAVOC EXAMPLES
http://goo.gl/2FVTz8
http://goo.gl/uuO7Kq

163. GUIDELINES FOR USERS
Do not ignore email or SMS alertfrom Facebook
Do not place TOO MUCHinformation onsocialnetwork
Do not accept friend requestsfrom strangers
Enable log-in notifications

164. GUIDELINES FOR SOCIAL NETWORKS
Train your supportteams.
Facebook should raisethe bar as far ascommunicationwith
theresearchersor bugsubmitters isconcerned.
For Facebook: Please don't send TOOMANYEMAILSbecause
users startbelievingthat thesearespam emails.
Joewrote in his post( ):
In caseofTFA,Facebook failed in "CORRECTLY
IDENTIFYINGandREALIZATION OFAN INFORMATION
FLOWPROBLEM "
http://goo.gl/Wf6QMZ

165. FOR FACEBOOK

166. I HOPE NOW FACEBOOK SECURITY TEAM'S
REACTION

167. THANKS!