Trusted Friend Attack: Guardian Angels Strike

A talk by Ashar Javed


HITB (14-17 October 2013) Kuala Lumpur, Malaysia

DeepSec (21-22 November 2013), Vienna, Austria 


Survey of "Fallback Authentication Methods" of fifty (50) popular social networking websites



  • a researcher at Ruhr-University Bochum (RUB), Germany

  • a student working towards his PhD

  • Listed on almost every Hall of Fame page


Some of you will wish for this feature ...

a short story

a paste@pastebin

who to blame?

After testing 3 to 4 random accounts from the Pastebin paste, I found

AN Innocent question ...

Why is Facebook asking this on somebody else's account?

This is me

This isn't me


What would your answer be if you were an attacker? :-)

legitimate password recovery flow

You have an email address but FORGOT YOUR PASSWORD

Step (1)

Go To

Click "Forgot Your Password?"

Step (2)

Enter Your Email, Phone, Username or Full Name

Provide email address and click on "Search" button!

Step (3)

Choose your "Password Reset Method" & click "Continue"

Step (4) a

Secret password-reset code received via email

Step (4) b

Entry-Point for the SECRET CODE RECEIVED:

Enter the code you received in the email & click "Continue"

Step (5)

Set "New Password"

Step (6)

Welcome to Facebook, MSc. Ashar


Informative email from Facebook

what if you lost or forgot both

Email Address



Facebook had a solution named

Trusted Friends (TF)

"TF is based on SOCIAL Authentication"


"Bringing Social to Security" is GOOD 

BUT ...

trusted friends feature

Introduced in October 2011 (

trusted friends

"It's sort of similar to giving a house key to your friends when you go on vacation--pick the friends you most trust in case you need their help"

trusted friends according to readwrite:

"'Who Wants To Be A Millionaire' lifeline concept - except it's not a one-time deal."

guardian angels

how does the trusted friends feature work?

list # 1

list # 2

list # 3

review friends

enter codes & gain access to your account

Screen-shot of fake profile

4 digit code

Another informative email to the legitimate user from Facebook

600,000+ compromised account logins every day on Facebook, official figures reveal (


@gcluley noted in his post

question you might be thinking ...

threat model

The attacker is on the victim's friends list and can create the new email address(es) required for compromising accounts. The attacker can only leverage the "Forgot your password" functionality to compromise accounts, and at the same time we do not consider compromise of the legitimate user's own email account(s).

email address must be new for every target

facebook friend vs real life friend

a short fun study

Created 3 FAKE ACCOUNTS and sent friendship requests to TWENTY (20) friends of mine on Facebook.

After some time, 8 friends had accepted all 3 requests

Data Science of the Facebook World

On average a Facebook user has 342 friends!


summarize everything about facebook & real life friends

trusted friend attack (TFA)

In order to start TFA, we need the victim's Facebook username and, FYI, it is PUBLIC INFORMATION & part of the Facebook profile URL.


Once the target is selected

Repeat the "Forgot Your Password" process as described before up to STEP (3), i.e.,

"No longer have access to these?"

no longer have access to these?

sometimes opens the following dialog box (old & new version) :)


In order to find the answer to "sometimes", I did an empirical study (discussed later).


How can Facebook bind this new email address or phone number to the legitimate user's address or phone?

How can Facebook differentiate between an account recovery procedure started by a legitimate user and the one started by an attacker?

Is it even possible?

I think NO!

Create a new email address, enter it in the previous dialog box & here you have:


Why is Facebook exposing the one selected PRIVATE SECURITY QUESTION in front of the ATTACKER?

Facebook gives the attacker the option to select one of two routes, i.e.,

  1. Answer Security Question
  2. Choose Three Friends of Attacker's Choice

TFA's variations/forms

  1. Involves one attacker, i.e., the case where the attacker answers the exposed security question
  2. Involves three friends, i.e., the case where the attacker chooses three friends of his choice

attacker chooses trusted friends path

Attacker's choices

  • Select friends in the normal manner, even without POST-DATA manipulation (works 100%)
  • Try to send codes to his controlled accounts that are not on the victim's friend list (doesn't work)
  • Try to send codes to attacker-controlled accounts that are on the victim's friend list but not in the presented lists of trusted friends (works 50%)
  • Try to send codes to attacker-controlled accounts that are on the presented list of trusted friends and use POST-DATA manipulation (defeating Facebook's shortening of the list items) (works 100%)
  • Try to send all codes to himself (evil idea) (doesn't work)

post-data manipulation


511543064 is my Facebook numeric ID.

how to get the Facebook user ID?

Facebook's numeric user ID is not public information most of the time, and it is not always part of the URL!

answer: graph api explorer by facebook,name

evil idea

URL looks like:[0]=511543064&guardians[1]=511543064&guardians[2]=511543064&cuid=

evil idea doesn't work

Facebook correctly says:

interesting message from facebook

what does it mean?

I think it means that if an attacker selects himself or any particular account 3 to 5 times for different victims, then Facebook blocks access to that particular account!

URL manipulation's result, i.e., Facebook's email with no friends' names
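From the defender's side, the following Python sketch is an added example (not Facebook's code) of the server-side checks that would reject each manipulated selection listed above: duplicated guardians[] IDs, IDs outside the victim's friend list, IDs that were not in the shortened list the server actually displayed, and one account serving as guardian for many different victims. The session structure, the cap of 3 uses and all IDs are constructed assumptions.

```python
# Added example, not Facebook's code: server-side validation of a trusted-friends
# selection. Data model, IDs and the use cap are constructed assumptions.
from dataclasses import dataclass, field

REQUIRED_GUARDIANS = 3   # three friends receive codes in the flow described
MAX_GUARDIAN_USES = 3    # cap on one account acting as guardian for different
                         # victims (assumed; the deck observed a block after 3-5)


@dataclass
class RecoverySession:
    victim_id: int
    friend_ids: set                 # the victim's full friend list
    presented_ids: list             # the shortened list the server actually showed
    guardian_use_count: dict = field(default_factory=dict)  # id -> times used


def validate_guardians(session, submitted):
    """Return (ok, reason) for the guardians[] IDs posted by the requester."""
    if len(submitted) != REQUIRED_GUARDIANS:
        return False, "wrong number of guardians"
    if len(set(submitted)) != len(submitted):
        # the 'evil idea': guardians[0]=guardians[1]=guardians[2]=same account
        return False, "duplicate guardian"
    for gid in submitted:
        if gid == session.victim_id:
            return False, "account cannot be its own guardian"
        if gid not in session.friend_ids:
            # accounts that are not on the victim's friend list at all
            return False, "guardian %d is not a friend" % gid
        if gid not in session.presented_ids:
            # a friend, but not in the list the server issued for this session
            return False, "guardian %d was not offered" % gid
        if session.guardian_use_count.get(gid, 0) >= MAX_GUARDIAN_USES:
            return False, "guardian %d used too often" % gid
    return True, "ok"


def demo_session():
    """Constructed sample: victim 42 has friends 1001-1010; the UI showed five
    of them; account 1004 has already served as guardian three times."""
    return RecoverySession(
        victim_id=42,
        friend_ids=set(range(1001, 1011)),
        presented_ids=[1001, 1002, 1003, 1004, 1005],
        guardian_use_count={1004: 3},
    )
```

The check against presented_ids is the one that closes the POST-DATA manipulation path: the server compares the submitted IDs with the exact subset it rendered for this session, not with the full candidate list.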

Chain Trusted Friends Attack (CTFA)

In CTFA, the attacker builds a chain of compromised accounts and, with the help of that chain, may compromise account(s) that are not even in his friends list.

facebook's default & fixed security questions set

facebook's security questions screen-shot!

Excerpts from "mind reader" video

how to get the answers of these questions?

according to "me"

The following ways work like a charm:

-- In the case of a social network, the answer can be found on the public profile.

-- Directly ask for the answer via routine Facebook chat ... most of the time you will get the answer.

-- Make a QUIZ related to the security question and post it to your friends.

-- In the case of family members or close friends, you already know the answer.

another bad security practice

Question: What happens if a user realizes after answering/setting the question that he has chosen a weak answer?

Remark: In the case of compromised accounts, if the attacker proceeded by answering the security question, he can do the same thing some time later because the "QnA" remains the same.

Inconsistency in security questions' User interface

What is your reaction if you have to answer a security question that is not even part of Facebook's default security questions list?

my reaction :-)

security question # 1

security question # 2

How can a legitimate user answer a security question that he has never set?

No Way ... BUT

I know the answer that works sometimes :-) (ajaved) (mjaved)

empirical study

Tested 250 real accounts of my friends on Facebook.

In 181 cases, Facebook did not allow us to proceed ... meaning no security question exposed + no trusted friends option

In 69 cases, Facebook allowed us to PROVIDE a NEW EMAIL ADDRESS and, once provided, we had either the security question exposed, the trusted friends feature appearing, or BOTH

181 cases we got ...

If, as an attacker, we click on "I Cannot Access My Email"

181 cases (No email access ... we are sorry)

in 69 cases

Facebook exposed the selected security question of the victim


Option of Trusted friends' selection


Choice among above two options

11 out of 69 accounts compromised

Out of 11 compromised accounts

8 by answering security question


3 using trusted friends feature

ENOUGH FOR POC! The # of compromised accounts could easily be raised to 20-25 but that requires more work & motivation :-)

some interesting observations

On Facebook anybody can send anyone a password reset request if he knows the username, which is public information

at the same time: a denial-of-service (DoS) on the victim

What if the attacker enters a wrong secret code 20-30 times? The attacker doesn't have access to the victim's email box to get the valid 6-digit code, but he has the above dialog box in front of him ...

here you go:

"Try again later" will be a nasty experience for the victim!

We call this "Password Reset DoS"
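The deck shows the lockout landing on the victim rather than on the requester. As an added example (not Facebook's code), this Python sketch ties the wrong-guess budget to the requester's reset session instead of to the account: repeated wrong guesses burn that session, while the legitimate user can still start a fresh flow and enter a code. Class names, the 5-attempt budget and the in-memory store are constructed assumptions; a real deployment would also throttle how often new codes can be requested for one account.

```python
# Added example, not Facebook's code: a reset-code store whose wrong-guess
# budget is tied to the requester's session rather than to the victim's
# account. Names, limits and storage are constructed assumptions.
import hmac
import secrets

MAX_FAILURES = 5          # wrong guesses allowed per reset session (assumed)
CODE_DIGITS = 6           # the deck describes a 6-digit secret code


class ResetCodeStore:
    def __init__(self):
        # session_id -> {"account": str, "code": str, "failures": int}
        self.sessions = {}

    def start(self, account):
        """Begin a reset flow; returns (session_id, code). The code would be
        emailed to the account owner; it is returned here only for the demo."""
        sid = secrets.token_urlsafe(16)
        code = "%0*d" % (CODE_DIGITS, secrets.randbelow(10 ** CODE_DIGITS))
        self.sessions[sid] = {"account": account, "code": code, "failures": 0}
        return sid, code

    def verify(self, sid, candidate):
        """Return 'ok', 'wrong', 'session_burned' or 'no_session'."""
        s = self.sessions.get(sid)
        if s is None:
            return "no_session"
        if hmac.compare_digest(s["code"], candidate):
            del self.sessions[sid]
            return "ok"
        s["failures"] += 1
        if s["failures"] >= MAX_FAILURES:
            # Burn only this requester's session; the account is never locked,
            # so a stranger's guessing cannot cause "Try again later" for the owner.
            del self.sessions[sid]
            return "session_burned"
        return "wrong"


def reset_dos_scenario():
    """Constructed scenario: a stranger exhausts guesses on one session while
    the legitimate user completes a separate one."""
    store = ResetCodeStore()
    attacker_sid, real_code = store.start("victim@example.invalid")
    # The requester never sees real_code; the demo derives a guaranteed-wrong guess.
    wrong = "%0*d" % (CODE_DIGITS, (int(real_code) + 1) % 10 ** CODE_DIGITS)
    attacker_results = [store.verify(attacker_sid, wrong) for _ in range(MAX_FAILURES + 1)]
    victim_sid, victim_code = store.start("victim@example.invalid")
    return attacker_results, store.verify(victim_sid, victim_code)
```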

identify account another way

In this way, the attacker can force the victim to use the email address or phone, and if the victim has lost his email address ....

worst thing

my friend's reaction on worst thing

another type of DoS on Facebook

trusted friend feature dos

If an attacker has started password recovery using TF and at the same time the victim tries to use this feature ... he will receive the following message from Facebook

Facebook's security measures, how legitimate users react & their bypasses

this is how common users use Facebook...

1) Security Alert via Email or Mobile SMS

As soon as the attacker starts account recovery via the "password reset" functionality, Facebook immediately sends an email or SMS alert to the legitimate user.

users' reaction on this email or sms

2) Temporarily Locked

To recognize a device, Facebook uses OS, IP address, browser & estimated location, etc.

What happens if an attacker clicks on the "Continue" button?

Click "Continue" after selecting one of the options, but remember who is doing the selection?

Another interesting aspect, in case the legitimate user is able to regain access to his account

remember (5th step) i.e.,

snapshot of attacker's email box

Recognized devices

3) 24 Hour Locked-out Period

As an attacker, this is the biggest hurdle to cross ...

disavow process

The legitimate user can "disavow" the process at any time by clicking on the link in the email he received from Facebook or by performing Facebook activity during this time.


The majority of users, as shown in users' reactions, consider Facebook's informative/warning emails as spam.

for a moment, forget disavow

the 24 hour locked-out period starts like this ...

24 hour locked out period ...

game over for victim...

here we go...

Another email from Facebook and the leaked email address of the victim

Ethical Considerations

First reported to Facebook on 19-08-2012

On 23-08-2012, I got the following answer from Facebook Security Team:

Two questions came to my mind after reading the email...

Is there any attack that is not very well targeted?

Where is social engineering in this attack?

on 24-08-2012

but I waited until the complete empirical study & again sent the technical report/research paper on 27-06-2013

answer from the security team on 09-09-2013

sorry facebook :-(

It doesn't make sense to reproduce this attack on TEST ACCOUNTS...

The results would look like FAKE.

on the other hand ...

Our approach is similar to a recently published academic paper at the Second International Workshop on Privacy and Security in Online Social Media, co-located with WWW 2013 (


All compromised accounts are up, running and under the control of their legitimate users!

yet another observation i.e., masked email address and phone #

Where is the masking? Email address exposed

after 5-10 minutes the masking effect appears

what about the other 49 social networks' password reset functionality?

twitter (

200 million active users (Feb 2013) + Alexa Rank #11

anybody can send anybody a password reset request with the help of a Twitter username, which is public information :-(

just for fun ...

I reported this to the Twitter security team & this is what they think about it

but now twitter has ...

Mat Honan's story

support teams

support team's job

To help customers ...

can also be used to compromise accounts :-)

our methodology, keeping the threat model in mind

Registered the following email address on social networks:


The following is the attacker's address, and the goal is to compromise the victim's account labelled with the above email address

Attacker's address is not even registered on social networks!

Academia (

our email to academia

initial response from academia

final response of academia support team


FreizeitFreunde (a German-specific social networking site) (

our email to them ...

FreizeitFreunde's support team response

lokalisten (a German social networking site) (

initial response on our ticket

our response without "date of birth"

lokalisten's support team final response

meetup (

support team blocks account :)

getglue (a social network for TV fans)

our email to their support team

getglue's support team response

They set the new password for us i.e., "temp" :)

Delicious  (

Delicious's support team response

They switched the email address from the victim's to an attacker-controlled email address and sent the password reset link to the attacker's email address.

Facebook as SSO

Out of 50 surveyed social networks, we found

26 use Facebook as login-provider (SSO)

24 don't have this feature

Implications of Facebook Connect

(1 million websites have integrated with Facebook)* + account hack

  • Controls email account e.g., Yahoo
  • Go for shopping e.g., Etsy
  • Create havoc for victim :)
  • 79% of social media log-ins by online retailers are with Facebook (
  • 60 million users of Facebook Connect in 2009 according to a TechCrunch report (


havoc examples

Guidelines for users

  • Do not ignore email or SMS alert from Facebook
  • Do not place TOO MUCH information on social network
  • Do not accept friend requests from strangers
  • Enable log-in notifications

Guidelines for social networks

  • Train your support teams.
  • Facebook should raise the bar as far as communication with researchers or bug submitters is concerned.
  • For Facebook: Please don't send TOO MANY EMAILS because users start believing that these are spam emails.
  • Joe wrote in his post (

for facebook

I hope now facebook security team's reaction


YET Another observation

reveal my trusted contacts reveals

social media experiment (freak out strangers)

