trusted friend attack: guardian angels strike
TRANSCRIPT
![Page 1: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/1.jpg)
TRUSTED FRIEND ATTACK:
GUARDIAN ANGELS STRIKE
A talk by Ashar Javed @ Hack In The Box, 14 - 17 October 2013, Kuala Lumpur, Malaysia (HITBSecConf2013)
![Page 2: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/2.jpg)
GRAPH IS BIG
http://theweek.com/article/index/239514/4-things-we-learned-from-facebooks-confounding-earnings-report
![Page 3: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/3.jpg)
WHO AM I?
![Page 4: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/4.jpg)
A RESEARCHER IN RUHR-UNIVERSITY BOCHUM, RUB, GERMANY
A STUDENT WORKING TOWARDS HIS PHD
LISTED IN ALMOST EVERY HALL OF FAME PAGE
@soaj1664ashar
![Page 5: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/5.jpg)
SOME OF YOU WILL WISH FOR THIS FEATURE...
![Page 6: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/6.jpg)
A SHORT STORY
https://twitter.com/dimitribest/status/230677638358900736
![Page 8: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/8.jpg)
WHO TO BLAME?
http://cher-homespun.blogspot.de/2011/07/curiosity-killed-cat-but-satisfaction.html
![Page 9: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/9.jpg)
AFTER TESTING 3 TO 4 RANDOM ACCOUNTS FROM THE PASTEBIN'S PASTE I FOUND
![Page 10: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/10.jpg)
AN INNOCENT QUESTION ...
Why is Facebook asking on somebody's account?
This is me / This isn't me
&
What would be your answer, if you are an attacker :-)
![Page 11: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/11.jpg)
LEGITIMATE PASSWORD RECOVERY FLOW
You have an email address but FORGOT YOUR PASSWORD
![Page 12: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/12.jpg)
STEP (1) Go to https://www.facebook.com/
Click "Forgot Your Password?"
![Page 13: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/13.jpg)
STEP (2) Enter Your Email, Phone, Username or Full Name
Provide email address and click on "Search" button!
https://www.facebook.com/login/identify?ctx=recover
![Page 14: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/14.jpg)
STEP (3)Choose your "Password Reset Method" & click "Continue"
![Page 15: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/15.jpg)
STEP (4) A: Received password secret code via email
![Page 16: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/16.jpg)
STEP (4) B: Entry-point for the SECRET CODE RECEIVED:
Enter code that you have received in email & click "Continue"
![Page 17: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/17.jpg)
STEP (5) Set "New Password"
![Page 18: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/18.jpg)
STEP (6) Welcome to Facebook, MSc. Ashar
![Page 19: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/19.jpg)
INFORMATIVE EMAIL FROM FACEBOOK
![Page 20: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/20.jpg)
WHAT IF YOU LOST OR FORGOT BOTH
EMAIL ADDRESS +
PASSWORD
![Page 21: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/21.jpg)
FACEBOOK HAD A SOLUTION NAMED
TRUSTED FRIENDS (TF)
![Page 22: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/22.jpg)
"TF IS BASED ON SOCIAL AUTHENTICATION"
&
" Bringing Social to Security " is GOOD
BUT ...
![Page 23: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/23.jpg)
http://www.cl.cam.ac.uk/~rja14/Papers/socialauthentication.pdf
![Page 24: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/24.jpg)
TRUSTED FRIENDS FEATURE
Introduced in October 2011 (https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766)
![Page 25: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/25.jpg)
TRUSTED FRIENDS
"It's sort of similar to giving a house key to your friends when you go on vacation -- pick the friends you most trust in case you need their help"
https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766
![Page 26: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/26.jpg)
TRUSTED FRIENDS ACCORDING TO READWRITE:
""Who Wants To Be A Millionaire" lifeline concept - except it's not a one-time deal."
http://readwrite.com/2011/10/27/facebook_adds_security_features_trusted_friends_ap#awesm=~ohkTqJVUI7Yyvb
![Page 27: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/27.jpg)
GUARDIAN ANGELS
http://sophosnews.files.wordpress.com/2011/10/facebook-security-infographic.pdf
![Page 28: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/28.jpg)
HOW DOES THE TRUSTED FRIENDS FEATURE WORK?
![Page 29: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/29.jpg)
LIST # 1
![Page 30: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/30.jpg)
LIST # 2
![Page 31: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/31.jpg)
LIST # 3
![Page 32: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/32.jpg)
REVIEW FRIENDS
![Page 33: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/33.jpg)
ENTER CODES & GAIN ACCESS TO YOUR ACCOUNT
![Page 34: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/34.jpg)
SCREEN-SHOT OF FAKE PROFILE
![Page 35: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/35.jpg)
4 DIGIT CODE
![Page 36: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/36.jpg)
ANOTHER INFORMATIVE EMAIL TO LEGITIMATE USER FROM FACEBOOK
![Page 37: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/37.jpg)
600,000+ COMPROMISED ACCOUNT LOGINS EVERY DAY ON FACEBOOK, OFFICIAL FIGURES REVEAL (HTTP://GOO.GL/FNP27Q) by https://twitter.com/gcluley
![Page 39: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/39.jpg)
QUESTION YOU MIGHT BE THINKING ...
![Page 40: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/40.jpg)
THREAT MODEL
Attacker is on victim's friends' list & can create the new email address(es) that are required for compromising accounts.
Attacker can only leverage the "forgot your password" functionality in order to compromise accounts; at the same time we don't consider "compromise of the email account(s) of legitimate user(s)".
![Page 41: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/41.jpg)
EMAIL ADDRESS MUST BE NEW FOR EVERY TARGET
![Page 42: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/42.jpg)
FACEBOOK FRIEND VS REAL LIFE FRIEND
http://blogs.mcafee.com/consumer/fake-friends
![Page 43: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/43.jpg)
A SHORT FUN STUDY
Created 3 FAKE ACCOUNTS and sent friendship requests to TWENTY (20) friends of mine on Facebook.
After some time, 8 friends had accepted all 3 requests.
![Page 44: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/44.jpg)
DATA SCIENCE OF THE FACEBOOK WORLD
On average a Facebook user has 342 friends!
DO YOU THINK ALL 342 ARE REAL LIFE FRIENDS ALSO, OR JUST FACEBOOK FRIENDS, OR WHAT ... ?
http://blog.stephenwolfram.com/2013/04/data-science-of-the-facebook-world/
![Page 45: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/45.jpg)
SUMMARIZE EVERYTHING ABOUT FACEBOOK & REAL LIFE FRIENDS
http://www.lolroflmao.com/2012/02/24/he-had-over-2000-friends-on-facebook-i-thought-it-would-have-more-people-here/
![Page 46: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/46.jpg)
TRUSTED FRIEND ATTACK (TFA)
In order to start TFA, we need the victim's Facebook username and, FYI, it is PUBLIC INFORMATION & part of the Facebook URL.
e.g.,
https://www.facebook.com/ashar.javed
![Page 47: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/47.jpg)
ONCE TARGET SELECTED
Repeat the "Forgot Your Password" process as mentioned before until STEP (3), i.e., "No longer have access to these?"
![Page 48: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/48.jpg)
NO LONGER HAVE ACCESS TO THESE?
sometimes opens the following dialog box (old & new version) :)
HOW AWESOME THEY ARE? :-)
https://www.facebook.com/recover/extended
In order to find the answer to "sometimes", I did an empirical study (discussed later).
![Page 49: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/49.jpg)
QUESTIONS...
How can Facebook bind this new email address or phone number to the legitimate user's address or phone?
How can Facebook differentiate between an account recovery procedure started by a legitimate user and one started by an attacker?
Is it even possible?
I think NO!
![Page 50: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/50.jpg)
CREATE NEW EMAIL ADDRESS AND ENTER IN THE PREVIOUS DIALOG BOX & HERE YOU HAVE:
![Page 51: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/51.jpg)
QUESTION
Why is Facebook exposing the one selected PRIVATE SECURITY QUESTION in front of the ATTACKER?
Facebook is providing an option to the attacker so that he can select from two routes, i.e.,
1. Answer Security Question
2. Choose Three Friends of Attacker's Choice
![Page 52: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/52.jpg)
TFA'S VARIATIONS/FORMS
1. Involve one attacker, i.e., the case where the attacker will answer the exposed security question
2. Involve three friends, i.e., the case where the attacker chooses three friends of his choice
![Page 53: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/53.jpg)
ATTACKER CHOOSES TRUSTED FRIENDS PATH
![Page 54: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/54.jpg)
ATTACKER'S CHOICES
-- Do selection of friends in a normal manner even without POST-DATA manipulation (works 100%)
-- Try to send codes to his controlled accounts that are not on victim's friend list (Doesn't work)
-- Try to send codes to an attacker's controlled accounts that are on victim's friend list but not in the presented lists of trusted friends (works 50%)
-- Try to send codes to an attacker's controlled accounts that are on the presented list of trusted friends and use POST-DATA manipulation (defeat Facebook's shortening of list items) (works 100%)
-- Try to send all codes to himself (evil idea) (Doesn't work)
![Page 55: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/55.jpg)
POST-DATA MANIPULATION
lsd=AVo8FV8K&profileChooserItems={"511543064":1}&checkableitems[]=511543064
511543064 is my Facebook numeric ID.
![Page 56: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/56.jpg)
HOW TO GET THE FACEBOOK'S USER ID?
Facebook's user numeric ID is not public information most of the time and it is not part of the URL all the time!
![Page 57: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/57.jpg)
ANSWER: GRAPH API EXPLORER BY FACEBOOK
https://developers.facebook.com/tools/explorer/?method=GET&path=VICTIM-USERNAME&fields=id,name
![Page 58: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/58.jpg)
EVIL IDEA
URL looks like:
https://www.facebook.com/guardian/confirm.php?guardians[0]=511543064&guardians[1]=511543064&guardians[2]=511543064&cuid=AYhhCnxPb9g8xVAUGmuPh4e33s2NcCRj8Qng7wKGN7fxe9hXTQtVUKr0Rm-0LBeTOCX_Es83lN0_BGe8Yi2GG7iGRbZwIL5rNXktD1mSsnW-ZFD2fZB1Z7lLuyYdQ4GWPbf9bzhik9zXBpNeOsvUv-MpzCcAQT2jxLtEa25YGlg_qg&[email protected]
![Page 59: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/59.jpg)
EVIL IDEA DOESN'T WORK
Facebook correctly says:
![Page 60: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/60.jpg)
INTERESTING MESSAGE FROM FACEBOOK
![Page 61: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/61.jpg)
WHAT DOES IT MEAN?
I think it means that if an attacker selects himself or any particular account 3 to 5 times for different victims, then Facebook blocks access to that particular account!
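The "attacker's choices" slide and the POST-DATA manipulation slide together describe one server-side gap: the guardian IDs the client POSTs back (`checkableitems[]`) were honoured even when they were not in the list the server had shown, while sending every code to one account was refused. The following is an added example (not code from the talk or from Facebook) of the checks a recovery back end needs so that the client cannot widen or collapse the guardian selection: candidates are chosen server-side and bound to the recovery session, every submitted ID must come from that set, the three IDs must be distinct and must not include the account under recovery, and one account may only vouch for a bounded number of different recoveries in a window (the "3 to 5 times" behaviour the speaker infers). `RecoverySession`, `GuardianPolicy`, the limits and all IDs are assumptions made for the example.

```python
"""Server-side validation of a trusted-friend (guardian) selection.

Added example, not Facebook's code. It models the defensive checks a
recovery flow needs so that client-submitted form data cannot change which
accounts are allowed to vouch. All names, IDs and limits are constructed.
"""
from collections import defaultdict
from urllib.parse import parse_qs

REQUIRED_GUARDIANS = 3        # number of distinct friends that must vouch (assumed)
VOUCH_LIMIT_PER_WINDOW = 3    # assumed cap on distinct recoveries one account may vouch for


class RecoverySession:
    """One in-progress recovery; the candidate list is generated by the server."""

    def __init__(self, session_id, account_id, candidate_ids):
        self.session_id = session_id
        self.account_id = account_id
        # The client only ever sees and picks from this set; it never supplies it.
        self.candidate_ids = frozenset(candidate_ids)


def selection_from_form(body):
    """Pull guardian ids out of an x-www-form-urlencoded body.

    Only checkableitems[] is consulted; profileChooserItems is display state
    and must not influence the decision.
    """
    return parse_qs(body).get("checkableitems[]", [])


class GuardianPolicy:
    def __init__(self):
        # guardian_id -> set of account_ids it has vouched for in the window
        self._vouched_for = defaultdict(set)

    def validate_selection(self, session, submitted_ids):
        """Return (ok, reason) for whatever the client POSTed."""
        try:
            chosen = [int(x) for x in submitted_ids]
        except (TypeError, ValueError):
            return False, "malformed id"
        if len(chosen) != REQUIRED_GUARDIANS:
            return False, "wrong number of guardians"
        # Three copies of one id would route every code to a single mailbox.
        if len(set(chosen)) != REQUIRED_GUARDIANS:
            return False, "guardians must be distinct"
        if session.account_id in chosen:
            return False, "account cannot vouch for itself"
        # Ids outside the server's own list are rejected regardless of whether
        # they are friends of the account: the list shown is the list allowed.
        if any(g not in session.candidate_ids for g in chosen):
            return False, "id not in server candidate list"
        # An account that keeps turning up as guardian for unrelated recoveries
        # is refused before any code is sent to it.
        for g in chosen:
            others = self._vouched_for[g] - {session.account_id}
            if len(others) >= VOUCH_LIMIT_PER_WINDOW:
                return False, "guardian over vouch limit"
        return True, "ok"

    def record_vouch(self, session, guardian_ids):
        """Call once codes have actually been issued for this session."""
        for g in guardian_ids:
            self._vouched_for[int(g)].add(session.account_id)
```

The decisive design choice is that `candidate_ids` lives in the session object on the server, so the same three-ID limit applies whether the request came from the rendered page or from a hand-edited body; `selection_from_form` exists only to show that the form field is the single input the policy reads.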
![Page 62: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/62.jpg)
URL MANIPULATION'S RESULT! I.E., FACEBOOK'S EMAIL WITH NO FRIENDS' NAMES
![Page 63: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/63.jpg)
![Page 64: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/64.jpg)
CHAIN TRUSTED FRIENDS ATTACK (CTFA)
In CTFA, the attacker can make a chain of compromised accounts and, with the help of the chain, he may compromise account(s) that are not even in his friends list.
![Page 65: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/65.jpg)
FACEBOOK'S DEFAULT & FIXED SECURITY QUESTIONS SET
![Page 66: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/66.jpg)
FACEBOOK'S SECURITY QUESTIONS SCREEN-SHOT!
![Page 67: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/67.jpg)
EXCERPTS FROM "MIND READER" VIDEO
https://www.youtube.com/watch?v=F7pYHN9iC9I
![Page 68: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/68.jpg)
HOW TO GET THE ANSWERS TO THESE QUESTIONS?
![Page 69: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/69.jpg)
ACCORDING TO "ME"
The following ways work like a charm:
-- In the case of a social network, the answer can be found on the public profile.
-- Directly ask for the answer via routine Facebook chat ... most of the time you will get the answer.
-- Make a QUIZ related to the security question and post it to your friends.
-- In the case of family members or close friends, you already know the answer.
![Page 70: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/70.jpg)
ANOTHER BAD SECURITY PRACTICE
https://www.facebook.com/help/163063243756483
Question: What happens if a user realizes after answering/setting the question that he has chosen a weak answer?
Remark: In the case of compromised accounts, if the attacker has proceeded via answering the security question, he can do the same thing some time later because the "QnA" remains the same.
![Page 71: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/71.jpg)
INCONSISTENCY IN SECURITY QUESTIONS' USER INTERFACE
![Page 72: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/72.jpg)
WHAT IS YOUR REACTION IF YOU HAVE TO GIVE AN ANSWER TO A SECURITY QUESTION(S) THAT IS NOT EVEN A PART OF FACEBOOK'S DEFAULT SECURITY QUESTIONS' LIST?
![Page 73: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/73.jpg)
MY REACTION :-)
![Page 74: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/74.jpg)
SECURITY QUESTION # 1
![Page 75: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/75.jpg)
SECURITY QUESTION # 2
![Page 76: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/76.jpg)
HOW CAN A LEGITIMATE USER GIVE AN ANSWER TO A SECURITY QUESTION THAT HE HAS NEVER SET?
No Way ... BUT
I know the answer that works sometimes :-)
https://www.facebook.com/ashar.javed (ajaved)
https://www.facebook.com/mscashar.javed (mjaved)
![Page 77: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/77.jpg)
EMPIRICAL STUDY
Tested 250 real accounts of my friends on Facebook.
In 181 cases, Facebook doesn't allow us to proceed ... It means no security question exposed + no option of trusted friends.
In 69 cases, Facebook allows us to PROVIDE a NEW EMAIL ADDRESS and, once provided, we can have either the security question exposed, or the trusted friends feature appears, or BOTH.
![Page 78: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/78.jpg)
181 CASES WE GOT ...
If, as an attacker, we click on "I Cannot Access My Email"
![Page 79: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/79.jpg)
181 CASES (NO EMAIL ACCESS ... WE ARE SORRY)
https://www.facebook.com/recover/extended/ineligible
![Page 80: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/80.jpg)
IN 69 CASES
Facebook exposed the selected security question of the victim
OR
Option of Trusted friends' selection
OR
Choice among above two options
![Page 81: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/81.jpg)
11 OUT OF 69 ACCOUNTS COMPROMISED
Out of 11 compromised accounts
8 by answering security question
AND
3 using trusted friends feature
ENOUGH FOR POC! # of compromised accounts can be easily raised to 20-25 but requires more work & motivation :-)
![Page 82: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/82.jpg)
SOME INTERESTING OBSERVATIONS
![Page 83: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/83.jpg)
ON FACEBOOK ANYBODY CAN SEND ANYONE A PASSWORD RESET REQUEST IF HE KNOWS THE USERNAME, WHICH IS PUBLIC INFORMATION
![Page 84: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/84.jpg)
AT THE SAME TIME DENIAL-OF-SERVICE (DOS) VICTIM
Attacker doesn't have access to victim's email box in order to get the valid 6 digit code but he has the above dialog box in front of him ...
What if attacker will enter 20-30 times wrong secret code?
![Page 85: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/85.jpg)
HERE YOU GO:
"Try again later" will be nasty experience for the victim!
We call this "Password Reset DoS"
![Page 86: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/86.jpg)
IDENTIFY ACCOUNT ANOTHER WAY
In this way, attacker can force victim to use email address or phone and if victim has lost his email address ....
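The "Password Reset DoS" slides describe a reset code whose wrong-attempt budget is shared between whoever opened the flow and the account owner, so a stranger who knows only the username can spend the budget and leave the owner with "Try again later". The following is an added example (not code from the talk or from Facebook) of a recovery-code store in which the budget is tracked per recovery session and each session is bound to the requester that opened it: a stranger's failures void only the stranger's session and throttle that requester, while the owner's own session, and the account as a whole, stay usable. `RecoveryCodeStore`, the budget, the TTL, the cool-down and the requester keys are all assumptions for the example; how a requester is keyed (source address, client token) is a deployment choice.

```python
"""Recovery-code verification that bounds the lock-out an outsider can cause.

Added example, not Facebook's code. Budgets are per session and sessions are
bound to the requester that opened them. All numbers are constructed.
"""
import hashlib
import hmac
import secrets
import time

MAX_WRONG_ATTEMPTS = 5       # assumed per-session budget of wrong codes
CODE_TTL_SECONDS = 600       # assumed lifetime of an issued code
REQUESTER_COOLDOWN = 900     # assumed throttle after a requester burns a session


class RecoveryCodeStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}          # session_id -> session record
        self._cooldown_until = {}    # requester_key -> timestamp

    def issue(self, account_id, requester_key):
        """Open a recovery session. Returns (session_id, code).

        The code is delivered to the account's verified channel; only the
        session id goes back to the requester, so the two are never shown together.
        """
        now = self.clock()
        if self._cooldown_until.get(requester_key, 0) > now:
            raise PermissionError("requester throttled")
        code = f"{secrets.randbelow(10**6):06d}"
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = {
            "account": account_id,
            "requester": requester_key,
            "digest": hashlib.sha256(code.encode()).digest(),  # never store the code itself
            "expires": now + CODE_TTL_SECONDS,
            "wrong": 0,
        }
        return session_id, code

    def verify(self, session_id, requester_key, code):
        """True only for the right code, on the right session, from its own requester."""
        now = self.clock()
        s = self._sessions.get(session_id)
        if s is None or s["requester"] != requester_key or s["expires"] < now:
            return False
        submitted = hashlib.sha256(str(code).encode()).digest()
        if hmac.compare_digest(submitted, s["digest"]):
            del self._sessions[session_id]      # single use
            return True
        s["wrong"] += 1
        if s["wrong"] >= MAX_WRONG_ATTEMPTS:
            # Only this requester's session is voided; other sessions for the
            # same account are untouched, so the owner is not locked out.
            del self._sessions[session_id]
            self._cooldown_until[requester_key] = now + REQUESTER_COOLDOWN
        return False

    def active_sessions_for(self, account_id):
        """Sessions still open for an account (useful for alerting the owner)."""
        return [sid for sid, s in self._sessions.items() if s["account"] == account_id]
```

`active_sessions_for` is the hook for the informative email the deck shows: the owner can be told how many recoveries are open and from which requester keys, which is more actionable than a bare "someone tried to reset your password".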
![Page 87: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/87.jpg)
WORST THING
![Page 88: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/88.jpg)
MY FRIEND'S REACTION ON WORST THING
![Page 89: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/89.jpg)
ANOTHER TYPE OF DOS ON FACEBOOK
![Page 90: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/90.jpg)
TRUSTED FRIEND FEATURE DOS
If an attacker has started the password recovery using TF and at the same time the victim tries to use this feature ... he will receive the following message from Facebook
![Page 91: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/91.jpg)
FACEBOOK'S SECURITY MEASURES & HOW LEGITIMATE USERS REACT & THEIR BYPASSES
![Page 92: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/92.jpg)
THIS IS HOW COMMON USERS USE FACEBOOK...
![Page 93: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/93.jpg)
1) SECURITY ALERT VIA EMAIL OR MOBILE SMS
As soon as the attacker starts an account recovery via the "password reset" functionality, Facebook immediately sends an email or SMS alert to the legitimate user.
![Page 94: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/94.jpg)
USERS' REACTION ON THIS EMAIL OR SMS
![Page 95: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/95.jpg)
USERS' REACTION ON THIS EMAIL OR SMS
![Page 96: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/96.jpg)
2) TEMPORARILY LOCKED
In order to recognize a device, Facebook uses OS, IP Address, Browser & Estimated Location etc.
What happens if attacker clicks on "Continue" button?
![Page 97: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/97.jpg)
WHAT HAPPENS IF AN ATTACKER CLICKS ON "CONTINUE" BUTTON?
![Page 98: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/98.jpg)
(1)
![Page 99: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/99.jpg)
(2)
Click "Continue" after selecting one of the options, but remember who is doing the selection? An ATTACKER
![Page 100: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/100.jpg)
(3)
![Page 101: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/101.jpg)
(4)
![Page 102: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/102.jpg)
(5)
![Page 103: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/103.jpg)
(6)
![Page 104: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/104.jpg)
(7)
![Page 105: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/105.jpg)
(8)
![Page 106: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/106.jpg)
ANOTHER INTERESTING ASPECT IN CASE THE LEGITIMATE USER WILL BE ABLE TO REGAIN ACCESS TO HIS ACCOUNT
![Page 107: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/107.jpg)
REMEMBER (5TH STEP) I.E.,
![Page 108: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/108.jpg)
SNAPSHOT OF ATTACKER'S EMAIL BOX
![Page 109: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/109.jpg)
RECOGNIZED DEVICES
![Page 110: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/110.jpg)
3) 24 HOUR LOCKED-OUT PERIOD
As an attacker this is the biggest hurdle to cross ...
![Page 111: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/111.jpg)
DISAVOW PROCESS
The legitimate user can "disavow" the process any time by clicking on the link in the email he received from Facebook or by making Facebook activity during this time.
BUT
The majority of users, as shown in users' reactions, consider Facebook's informative/warning emails as spam.
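The measures under 2) and 3) (device recognition by OS, IP address, browser and estimated location; a 24-hour waiting period; a disavow link; cancellation on the owner's own activity) form a single recovery-hold mechanism, and the deck's point is that every click inside it may be the attacker's. The following is an added example (not code from the talk or from Facebook) of that mechanism written from the defender's side: a reset started from a device the account does not recognise is held for the waiting period, a disavow token is sent to the existing contact address rather than to the requester, and either that token or any sign-in from a recognised device during the hold cancels the pending reset, while nothing the requester clicks can shorten it. `DeviceContext`, `device_matches`, `RecoveryHold`, the matching rule and the attribute values are assumptions for the example.

```python
"""Recovery hold with device recognition and a disavow token.

Added example, not Facebook's code. Models a waiting period that only the
account's existing channels can cut short. All values are constructed.
"""
import secrets
from dataclasses import dataclass

HOLD_SECONDS = 24 * 3600   # the 24-hour period named in the talk


@dataclass(frozen=True)
class DeviceContext:
    """The attributes the talk lists as Facebook's device-recognition inputs."""
    os: str
    browser: str
    ip_prefix: str   # assumed coarse network match, e.g. first three octets
    region: str      # estimated location


def device_matches(known, seen):
    """Assumed rule: os and browser must agree; network or region may drift, not both."""
    if known.os != seen.os or known.browser != seen.browser:
        return False
    return known.ip_prefix == seen.ip_prefix or known.region == seen.region


class RecoveryHold:
    def __init__(self, clock):
        self.clock = clock
        self.known_devices = {}    # account -> list of DeviceContext
        self.pending = {}          # account -> {"ready_at", "token"}
        self._token_owner = {}     # disavow token -> account

    def _recognised(self, account, ctx):
        return any(device_matches(k, ctx) for k in self.known_devices.get(account, []))

    def start_reset(self, account, ctx):
        """Open a reset. Returns the disavow token, which is delivered to the
        account's existing contact address, never to the party requesting the reset."""
        now = self.clock()
        ready_at = now if self._recognised(account, ctx) else now + HOLD_SECONDS
        token = secrets.token_urlsafe(16)
        self._cancel(account)
        self.pending[account] = {"ready_at": ready_at, "token": token}
        self._token_owner[token] = account
        return token

    def disavow(self, token):
        """Owner clicked the link in the alert email: drop the pending reset."""
        account = self._token_owner.pop(token, None)
        if account is None:
            return False
        self.pending.pop(account, None)
        return True

    def note_activity(self, account, ctx):
        """Any successful sign-in from a recognised device cancels the hold."""
        if account in self.pending and self._recognised(account, ctx):
            self._cancel(account)
            return True
        return False

    def may_complete(self, account):
        """The only gate for setting a new password: the hold has elapsed.
        No client action feeds into this decision."""
        p = self.pending.get(account)
        return p is not None and self.clock() >= p["ready_at"]

    def _cancel(self, account):
        p = self.pending.pop(account, None)
        if p is not None:
            self._token_owner.pop(p["token"], None)
```

The design choice worth noting is that `may_complete` reads only the server-side timestamp, so the "Continue" button the deck shows can be wired to nothing more than a page refresh; the two cancellation paths are both driven by channels the requester does not hold (the owner's mailbox and the owner's recognised devices).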
![Page 112: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/112.jpg)
FOR A MOMENT FORGOT DISAVOW
![Page 113: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/113.jpg)
24 HOUR LOCKED OUT PERIOD STARTS LIKE THAT ...
![Page 114: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/114.jpg)
24 HOUR LOCKED OUT PERIOD ...
![Page 115: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/115.jpg)
24 HOUR LOCKED OUT PERIOD ...
![Page 116: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/116.jpg)
24 HOUR LOCKED OUT PERIOD ...
![Page 117: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/117.jpg)
GAME OVER FOR VICTIM...
![Page 118: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/118.jpg)
HERE WE GO...
![Page 119: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/119.jpg)
ANOTHER EMAIL FROM FACEBOOK AND LEAKED EMAIL ADDRESS OF THE VICTIM
![Page 120: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/120.jpg)
ETHICAL CONSIDERATIONS
First Reported to Facebook on 19-08-2012
On 23-08-2012, I got the following answer from the Facebook Security Team:
![Page 121: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/121.jpg)
TWO QUESTIONS CAME TO MY MIND AFTER READING THE EMAIL...
Is there any attack that is not very well targeted?
Where is social engineering in this attack?
![Page 122: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/122.jpg)
ON 24-08-2012
![Page 123: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/123.jpg)
BUT I HAVE WAITED UNTIL THE COMPLETE EMPIRICAL STUDY & AGAIN SENT THE
TECHNICAL REPORT/RESEARCH PAPER ON 27-06-2013
![Page 124: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/124.jpg)
ANSWER FROM SECURITY TEAM ON 09-09-2013
![Page 125: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/125.jpg)
SORRY FACEBOOK :-(
It doesn't make sense to reproduce this attack on TEST ACCOUNTS...
The results would look FAKE.
![Page 126: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/126.jpg)
ON THE OTHER HAND ...
Our approach is similar to a recently published academic paper in the Second International Workshop on Privacy and Security in Online Social Media, co-located with WWW 2013:
http://precog.iiitd.edu.in/events/psosm2013/9psosm3s-parwani.pdf
![Page 127: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/127.jpg)
FINALLY
All compromised accounts are up, running and under the control of their legitimate users!
![Page 128: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/128.jpg)
YET ANOTHER OBSERVATION, I.E., MASKED EMAIL ADDRESS AND PHONE #
![Page 129: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/129.jpg)
WHERE IS MASKING? EMAIL ADDRESS EXPOSED
![Page 130: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/130.jpg)
AFTER 5-10 MINUTES THE MASKING EFFECT APPEARS
![Page 131: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/131.jpg)
WHAT ABOUT THE OTHER 49 SOCIAL NETWORKS' PASSWORD RESET FUNCTIONALITY?
![Page 132: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/132.jpg)
TWITTER (HTTPS://TWITTER.COM/?LANG=EN)
200 million active users (Feb 2013) + Alexa Rank #11
http://en.wikipedia.org/wiki/Twitter
![Page 133: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/133.jpg)
ANYBODY CAN SEND ANYBODY A PASSWORD RESET REQUEST WITH THE HELP OF
TWITTER'S USERNAME, WHICH IS PUBLIC INFORMATION :-(
![Page 134: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/134.jpg)
JUST FOR FUN ...
![Page 135: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/135.jpg)
I REPORTED THIS TO TWITTER'S SECURITY TEAM & THIS IS WHAT THEY THINK ABOUT IT
![Page 136: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/136.jpg)
BUT NOW TWITTER HAS ...
![Page 137: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/137.jpg)
MAT HONAN'S STORY
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
![Page 138: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/138.jpg)
SUPPORT TEAMS
![Page 139: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/139.jpg)
SUPPORT TEAM'S JOB
To help customers ...
![Page 140: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/140.jpg)
CAN ALSO BE USED TO COMPROMISE ACCOUNTS :-)
![Page 141: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/141.jpg)
OUR METHODOLOGY, KEEPING THE THREAT MODEL IN MIND
We registered the following email address on the social networks (the victim's account):
AND
The following is the attacker's address; the goal is to compromise the victim's account labelled with the above email address.
The attacker's address is not even registered on the social networks!
![Page 143: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/143.jpg)
OUR EMAIL TO ACADEMIA
![Page 144: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/144.jpg)
INITIAL RESPONSE FROM ACADEMIA
![Page 145: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/145.jpg)
FINAL RESPONSE OF ACADEMIA'S SUPPORT TEAM
![Page 146: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/146.jpg)
FREIZEITFREUNDE (A GERMAN-SPECIFIC SOCIAL NETWORKING SITE)
HTTP://WWW.FREIZEITFREUNDE.DE/
![Page 147: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/147.jpg)
OUR EMAIL TO THEM ...
![Page 148: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/148.jpg)
FREIZEITFREUNDE'S SUPPORT TEAM RESPONSE
![Page 150: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/150.jpg)
INITIAL RESPONSE ON OUR TICKET
![Page 151: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/151.jpg)
OUR RESPONSE WITHOUT "DATE OF BIRTH"
![Page 152: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/152.jpg)
LOKALISTEN'S SUPPORT TEAM FINAL RESPONSE
![Page 154: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/154.jpg)
SUPPORT TEAM BLOCKS ACCOUNT :)
![Page 156: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/156.jpg)
OUR EMAIL TO THEIR SUPPORT TEAM
![Page 157: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/157.jpg)
GETGLUE'S SUPPORT TEAM RESPONSE
They set a new password for us, i.e., "temp" :)
![Page 159: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/159.jpg)
DELICIOUS'S SUPPORT TEAM RESPONSE
They switched the email address from the victim's to an attacker-controlled email address and sent the password reset link to the attacker's email address.
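Two of the failures above share a root cause: Twitter's reset form accepted a public username as the only identifier, and Delicious's support team switched the contact address on the strength of a ticket from an unregistered sender. The following is an added example, not code from the talk or from either site, of the two recovery handlers with the checks a practitioner would expect: a reset request must name both the username and the registered address, always gets the same reply, and is rate-limited per target; a support-driven address change only completes with a token delivered to the currently registered address. The rate limit, token format, sample account and message strings are assumptions.

```python
import hmac
import secrets
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Assumed policy knobs, not figures from the talk.
RESET_LIMIT = 3                 # reset mails per account per window
RESET_WINDOW_SECONDS = 3600
GENERIC_REPLY = "If the details match an account, a reset link has been sent."


class Account:
    def __init__(self, username: str, email: str) -> None:
        self.username = username
        self.email = email


def _same(a: str, b: str) -> bool:
    """Constant-time comparison; encoding first keeps it valid for any str."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class RecoveryService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []                 # (to_address, body)
        self.reset_times: Dict[str, Deque[float]] = defaultdict(deque)
        self.pending_changes: Dict[str, Tuple[str, str]] = {}   # user -> (new_email, token)

    def register(self, username: str, email: str) -> None:
        self.accounts[username] = Account(username, email)

    def request_reset(self, username: str, contact: str, now: float) -> str:
        """Reset by public username alone lets anyone flood the owner with
        reset mails. Here the caller must also know the registered address,
        the reply is identical on every path (no enumeration oracle), and
        the number of mails per target per window is capped."""
        acct = self.accounts.get(username)
        if acct is None or not _same(acct.email.lower(), contact.lower()):
            return GENERIC_REPLY
        times = self.reset_times[username]
        while times and now - times[0] >= RESET_WINDOW_SECONDS:
            times.popleft()
        if len(times) >= RESET_LIMIT:
            return GENERIC_REPLY            # dropped silently; owner's inbox is protected
        times.append(now)
        self.outbox.append((acct.email, f"reset token: {secrets.token_urlsafe(32)}"))
        return GENERIC_REPLY

    def support_change_email(self, username: str, new_email: str,
                             proof: Optional[str] = None) -> str:
        """Support-initiated contact change. The switch only completes with a
        token that was mailed to the CURRENTLY registered address, so a ticket
        from an unregistered sender cannot move the account on its own."""
        acct = self.accounts.get(username)
        if acct is None:
            return "rejected"
        if proof is None:
            token = secrets.token_urlsafe(32)
            self.pending_changes[username] = (new_email, token)
            self.outbox.append((acct.email, f"confirm change to {new_email}: {token}"))
            return "pending-confirmation-via-old-address"
        pending = self.pending_changes.get(username)
        if pending is None or pending[0] != new_email or not _same(pending[1], proof):
            return "rejected"
        del self.pending_changes[username]
        acct.email = new_email
        return "changed"


def demo() -> dict:
    """Constructed scenario: one victim account; an attacker who knows only the
    public username and writes to support from an unregistered address."""
    svc = RecoveryService()
    svc.register("victim", "victim@example.org")
    out = {}
    out["attacker_reply"] = svc.request_reset("victim", "attacker@example.net", now=0.0)
    out["mails_after_attacker"] = len(svc.outbox)
    out["owner_reply"] = svc.request_reset("victim", "victim@example.org", now=1.0)
    for i in range(5):      # hammering the endpoint yields at most RESET_LIMIT mails
        svc.request_reset("victim", "victim@example.org", now=2.0 + i)
    out["mails_after_flood"] = len(svc.outbox)
    out["support_first"] = svc.support_change_email("victim", "attacker@example.net")
    out["confirmation_sent_to"] = svc.outbox[-1][0]
    out["support_guess"] = svc.support_change_email("victim", "attacker@example.net", proof="guess")
    out["email_after_guess"] = svc.accounts["victim"].email
    token = svc.outbox[-1][1].split(": ")[-1]   # only the reader of the old inbox has this
    out["support_confirmed"] = svc.support_change_email("victim", "attacker@example.net", proof=token)
    out["email_after_confirm"] = svc.accounts["victim"].email
    return out


if __name__ == "__main__":
    print(demo())
```

The generic reply is deliberate: returning "unknown user" or "wrong email" would turn the reset form into an account-enumeration oracle, and the rate limit addresses the "just for fun" abuse of resets against a known username. The support path still lets a legitimate owner who lost access to the old mailbox escalate to a stronger proof, but that decision is no longer made on the strength of a single unverified ticket.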
![Page 160: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/160.jpg)
FACEBOOK AS SSO
Out of 50 surveyed social networks, we found
26 use Facebook as login-provider (SSO)
24 don't have this feature
![Page 161: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/161.jpg)
IMPLICATIONS OF FACEBOOK CONNECT (1 MILLION WEBSITES HAVE INTEGRATED WITH FACEBOOK)* + ACCOUNT HACK
Controls email account, e.g., Yahoo
Go for shopping, e.g., Etsy
Create havoc for victim :)
79% of social media log-ins by online retailers are with Facebook (http://socialmediatoday.com/node/1656466)
60 million users of Facebook Connect in 2009 according to a TechCrunch report (http://goo.gl/a6lsCx)
* http://goo.gl/x8BKe
![Page 163: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/163.jpg)
GUIDELINES FOR USERS
Do not ignore email or SMS alerts from Facebook
Do not place TOO MUCH information on social networks
Do not accept friend requests from strangers
Enable log-in notifications
![Page 164: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/164.jpg)
GUIDELINES FOR SOCIAL NETWORKS
Train your support teams.
Facebook should raise the bar as far as communication with the researchers or bug submitters is concerned.
For Facebook: Please don't send TOO MANY EMAILS because users start believing that these are spam emails.
Joe wrote in his post (http://goo.gl/Wf6QMZ):
In the case of TFA, Facebook failed in "CORRECTLY IDENTIFYING and REALIZATION OF AN INFORMATION FLOW PROBLEM"
![Page 165: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/165.jpg)
FOR FACEBOOK
![Page 166: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/166.jpg)
I HOPE NOW FACEBOOK SECURITY TEAM'S REACTION
![Page 167: Trusted Friend Attack: Guardian Angels Strike](https://reader033.vdocuments.us/reader033/viewer/2022052321/554e6e0db4c9054a698b4910/html5/thumbnails/167.jpg)
THANKS!