4. A RESEARCHER IN R UHR- U NIVERSITY B OCHUM, RUB ,
GERMANY
A STUDENT WORKING TOWARDS HIS PHD
LISTED IN ALMOST EVERY HALL OF FAME PAGES
@soaj1664ashar
12. STEP (1)
Go To https://www.facebook.com/
Click "Forgot YourPassword?"
13. Provideemail address andclick on "Search"button!
STEP (2)
Enter Your Email,Phone,Username or Full Name
https://www.facebook.com/login/identify?ctx=recover
24. TRUSTED FRIENDS FEATURE
Introduced in October 2011
(
)
https://www.facebook.com/notes/facebook-
security/national-cybersecurity-awareness-month-
updates/10150335022240766
25. TRUSTED FRIENDS
"It'ssort ofsimilar to givinga house key to yourfriendswhen
you go onvacation--pick the friends youmost trustincaseyou
need theirhelp"
https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-
month-updates/10150335022240766
26. TRUSTED FRIENDS ACCORDING TO
READWRITE:
"" Who Wants ToBeA Millionaire" lifelineconcept- except it's
not a one-timedeal."
http://readwrite.com/2011/10/27/facebook_adds_security_features_trusted_friends_ap#awesm=~ohkTq
42. FACEBOOK FRIEND VS REAL LIFE FRIEND
http://blogs.mcafee.com/consumer/fake-friends
43. A SHORT FUN STUDY
Created3 FAKEACCOUNTS andsend Friendship requeststo
TWENTY ( 20 ) friends of mine on Facebook.
After some time, 8 friendshave acceptedall3 requests
44. DATA SCIENCE OF THE FACEBOOK WORLD
On average aFacebook user has 342 friends!
DO YOU THINK ALL 342 ARE REAL LIFE FRIENDS ALSOOR
JUST FACEBOOK FRIENDS OR WHAT ...?
http://blog.stephenwolfram.com/2013/04/data-science-of-the-
facebook-world/
45. SUMMARIZE EVERYTHING ABOUT FACEBOOK
& REAL LIFE FRIENDS
http://www.lolroflmao.com/2012/02/24/he-had-over-2000-friends-on-facebook-i-thought-it-would-have-more-people-here/
46. TRUSTED FRIEND ATTACK (TFA)
Inorder to startTFA, we needvictim's Facebookusername and
FYI, it is PUBLIC INFORMATION & part of FacebookURL.
e.g.,
https://www.facebook.com/ashar.javed
47. " "
ONCE TARGET SELECTED
Repeatthe "Forgot YourPassword" processas mentioned
before until STEP (3) i.e.,
No longer haveaccesstothese?
48. NO LONGER HAVE ACCESS TO THESE?
sometimes opensthefollowingdialog box(old &new version) :)
HOWAWESOMETHEY ARE?:-)
https://www.facebook.com/recover/extended
Inorder to findtheanswer of" sometimes ",I didan empirical
study (discusslater).
49. QUESTIONS...
How canFacebook bindthis new emailaddress or phone
number tothe legitimate user's address or phone?
How can Facebookdifferentiatebetweenanaccountrecovery
procedurestarted bya legitimateuser and the one startedby an
attacker?
Is it evenpossible?
Ithink NO!
50. CREATE NEW EMAIL ADDRESS AND ENTER IN
THE PREVIOUS DIALOG BOX & HERE YOU
HAVE:
51. QUESTION
WhyisFacebook exposingtheoneselected PRIVATE
SECURITY QUESTION in front ofthe ATTACKER?
Facebook is providinganoptiontotheattacker thathe canselect
from two routes i.e.,
1. Answer SecurityQuestion
2. Choose Three Friends of Attacker's Choice
52. TFA'S VARIATIONS/FORMS
1. Involveoneattacker i.e., the casewhere attacker will answer
theexposedsecurity question
2. Involvethree friendsi.e., the casewhere attacker chooses three
friendsofhischoice
54. ATTACKER'S CHOICES
Do selection offriends in anormalmanner evenwithout
POST-DATA manipulation ( works 100%)
Tryto sendcodes to hiscontrolledaccounts thatarenot on
victim's friendlist.( Doesn't work)
Tryto sendcodes to an attacker's controlled accountsthat are
on victim'sfriendlist but not in the presented listsoftrusted
friends. (works 50% )
Tryto sendcodes to an attacker's controlled accountsthat are
on the presented listof trustedfriendsand use POST-DATA
manipulation (defeat Facebook's shortenof listitems). ( works
100% )
Tryto sendallcodesto himself(evil idea). ( Doesn't work)
61. WHAT DOES IT MEAN?
Ithink it means thatif an attacker selecthimself or any particular
account3 to 5times for different victimsthenFacebook's block
access to particular account!
64. CHAIN TRUSTED FRIENDS ATTACK (CTFA)
InCTFA, attacker can make a chainof compromisedaccounts
and with thehelpofchain he may compromisedaccount(s)that
are evennotinhisfriends list.
69. ACCORDING TO "ME"
Followingways worklike charm:
-- Incase ofsocial network, answer can be foundonpublic profile.
-- Directly ask the answer viaroutine Facebook chat...most of the
time you will getthe answer.
-- Make aQUIZ related to securityquestion and postto yourfriends.
-- In case of family membersorclose friends,youalready know the
answer.
70. Question:
Remark:
ANOTHER BAD SECURITY PRACTICE
https://www.facebook.com/help/163063243756483
Whathappens ifa userrealize after
answering/settingthequestion thathehaschosena weak
answer?
In caseof compromisedaccounts,if attacker has
proceeded via answering the securityquestion,hecandothe
samething sometime after because "QnA"remains same.
72. WHAT IS YOUR REACTION IF YOU HAVE TO
GIVE AN ANSWER TO A SECURITY
QUESTION(S) THAT IS NOT EVEN A PART OF
FACEBOOK'S DEFAULT SECURITY QUESTIONS'
LIST?
76. https://www.facebook.com/
HOW CAN A LEGITIMATE USER GIVE AN
ANSWER TO A SECURITY QUESTION THAT HE
HAS NEVER SET?
No Way ...BUT
I know theanswer that workssometimes :-)
https://www.facebook.com/ashar.javed(ajaved)
mscashar.javed (mjaved)
77. EMPIRICAL STUDY
Testedreal250 accountsofmy friendsonFacebook.
In 181 cases, Facebookdoesn'tallow us to proceed ...It means no
securityquestion exposed + nooptionoftrustedfriends
In69cases,Facebook allows ustoPROVIDEa NEWEMAIL
ADDRESSandonce provided, wecanhave either security
questionexposedor trusted friends featureappearsor BOTH
79. 181 CASES (NO EMAIL ACCESS ... WE ARE
SORRY)
https://www.facebook.com/recover/extended/ineligible
80. IN 69 CASES
Facebookexposed the selectedsecurity questionofthevictim
OR
OptionofTrusted friends' selection
OR
Choiceamong above two options
81. 11 OUT OF 69 ACCOUNTS COMPROMISED
Out of 11 compromised accounts
8 byansweringsecurity question
AND
3 usingtrusted friends feature
ENOUGHFORPOC! #ofcompromised accountscanbe easily
raisedto20-25 but requiresmore work& motivation :-)
83. ON FACEBOOK ANYBODY CAN SEND ANYONE A
PASSWORD RESET REQUEST IF HE KNOWS
THE USERNAME WHICH IS PUBLIC
INFORMATION
84. Attacker doesn't haveaccesstovictim's emailbox inorder to get
thevalid 6 digitcode but he has the above dialog box in frontof
him ...
AT THE SAME TIME DENIAL-OF-SERVICE
(DOS) VICTIM
What ifattacker will enter 20-30 times wrongsecretcode?
90. TRUSTED FRIEND FEATURE DOS
If an attacker hasstarted the passwordrecovery usingTFandat
thesame timevictim tries to use thisfeature...hewill receive the
followingmessage from Facebook
93. 1) SECURITY ALERT VIA EMAIL OR MOBILE
SMS
As soonasattacker starts an account recoveryvia"password
reset" functionality,Facebook immediatelysends an emailor sms
alert tothe legitimate user.
110. 3) 24 HOUR LOCKED-OUT PERIOD
As an attacker this isthe biggest hurdle to cross...
111. DISAVOW PROCESS
Legitimate user can"disavow"theprocess any timeby clicking
on the linkintheemailhe receivedfrom Facebookor making
Facebook activityduringthis time.
BUT
Majorityoftheusers,as shown in users' reaction consider
Facebook'sinformative/warning emails as spam.
125. SORRY FACEBOOK :-(
It doesn't makes sensetoreproduce thisattackonTEST
ACCOUNTS...
The results wouldlook likeFAKE.
126. ON THE OTHER HAND ...
Our approach issimilar toa recently publishedacademic paper in
Second International Workshopon PrivacyandSecurity in
Online Social Media
Co-located withWWW2013
(
)
http://precog.iiitd.edu.in/events/psosm2013/9psosm3s-
parwani.pdf
141. OUR METHODOLOGY BY KEEPING IN MIND
THREAT MODEL
Registeredthe followingemailaddressonsocialnetworks:
user1@bletgen.net
AND
The followingistheattacker'saddress and goalis to compromise
the victim'saccountlabelled withabove email address
jim@mediaob.de
Attacker's addressis noteven registered onsocialnetworks!
159. DELICIOUS'S SUPPORT TEAM RESPONSE
They have switchedthe emailaddress from victims'toan
attacker controlled email address and havesent passwordreset
linkto the attacker'semail address.
161. IMPLICATIONS OF FACEBOOK CONNECT
(1 MILLION WEBSITES HAVE INTEGRATED
WITH FACEBOOK)*+ ACCOUNT HACK
Controls emailaccounte.g.,Yahoo
Go for shoppinge.g.,Etsy
Create havoc for victim :)
79%ofsocialmedia log insby online retailers are with
Facebook ( )
60 millionusers of FacebookConnectin2009 accordingto
TechCrunchreport( )
http://socialmediatoday.com/node/1656466
http://goo.gl/a6lsCx
*http://goo.gl/x8BKe
163. GUIDELINES FOR USERS
Do not ignore email or SMS alertfrom Facebook
Do not place TOO MUCHinformation onsocialnetwork
Do not accept friend requestsfrom strangers
Enable log-in notifications
164. GUIDELINES FOR SOCIAL NETWORKS
Train your supportteams.
Facebook should raisethe bar as far ascommunicationwith
theresearchersor bugsubmitters isconcerned.
For Facebook: Please don't send TOOMANYEMAILSbecause
users startbelievingthat thesearespam emails.
Joewrote in his post( ):
In caseofTFA,Facebook failed in "CORRECTLY
IDENTIFYINGandREALIZATION OFAN INFORMATION
FLOWPROBLEM "
http://goo.gl/Wf6QMZ