trusted friend attack:
Guardian Angels Strike
A talk by Ashar Javed
@
HITB (14-17 October 2013) Kuala Lumpur, Malaysia
DeepSec (21-22 November 2013), Vienna, Austria
What
Survey of "Fallback Authentication Methods" of fifty (50) popular social networking websites
A researcher at Ruhr-University Bochum, RUB, Germany
A student working towards his PhD
Listed on almost every Hall of Fame page
@soaj1664ashar
Some of you will wish for this feature ...
After testing 3 to 4 random accounts from the pastebin paste, I found
An innocent question ...
Why is Facebook asking on somebody's account?
This is me
This isn't me
&
What would your answer be, if you were an attacker? :-)
legitimate password recovery flow
You have an email address but FORGOT YOUR PASSWORD
Step (3)
Choose your "Password Reset Method" & click "Continue"
Step (4) A
Received password secret code via email
Step (4) B
Entry point for the secret code received:
Enter the code that you received in the email and click "Continue"
Step (5)
Set "New Password"
Step (6)
Welcome to Facebook, MSc. Ashar
Informative email from Facebook
what if you lost or forgot both
Email Address
+
password
Facebook had a solution named
Trusted Friends (TF)
"TF is based on Social Authentication"
&
"Bringing Social to Security" is GOOD
BUT ...
How does the Trusted Friends feature work?
list # 1
list # 2
list # 3
review friends
enter codes & gain access to your account
Screen-shot of fake profile
4 digit code
Another informative email to legitimate user from facebook
@gcluley noted in his post
A question you might be thinking of ...
threat model
The attacker is on the victim's friends list and can create the new email address(es) required for compromising accounts. The attacker can only leverage the "forgot your password" functionality in order to compromise accounts; at the same time, we do not consider compromise of the legitimate user's own email account(s).
The email address must be new for every target.
a short fun study
Created 3 fake accounts and sent friendship requests to twenty (20) friends of mine on Facebook.
After some time, 8 friends had accepted all 3 requests.
trusted friend attack (TFA)
In order to start a TFA, we need the victim's Facebook username; FYI, it is public information and part of the Facebook URL.
e.g.,
https://www.facebook.com/ashar.javed
Once the target is selected
Repeat the "Forgot Your Password" process as described before until Step (3), i.e.,
"No longer have access to these?"
no longer have access to these?
sometimes opens the following dialog box (old & new version) :)
How awesome are they? :-)
https://www.facebook.com/recover/extended
In order to find the answer to "sometimes", I did an empirical study (discussed later).
questions...
How can Facebook bind this new email address or phone number to the legitimate user's address or phone?
How can Facebook differentiate between an account recovery procedure started by a legitimate user and the one started by an attacker?
Is it even possible?
I think NO!
Create a new email address, enter it in the previous dialog box, and here you have:
Question
Why is Facebook exposing the one selected PRIVATE SECURITY QUESTION in front of the ATTACKER?
Facebook gives the attacker the option to select one of two routes, i.e.,
- Answer Security Question
- Choose Three Friends of Attacker's Choice
TFA's variations/forms
- Involves one attacker, i.e., the case where the attacker answers the exposed security question
- Involves three friends, i.e., the case where the attacker chooses three friends of his choice
Attacker chooses the trusted friends path
Attacker's choices
- Select friends in the normal manner, even without POST-data manipulation (works 100%)
- Try to send codes to accounts he controls that are not on the victim's friend list (doesn't work)
- Try to send codes to attacker-controlled accounts that are on the victim's friend list but not in the presented lists of trusted friends (works 50%)
- Try to send codes to attacker-controlled accounts that are on the presented list of trusted friends, using POST-data manipulation to defeat Facebook's shortening of the list items (works 100%)
- Try to send all codes to himself (evil idea) (doesn't work)
post-data manipulation
lsd=AVo8FV8K&profileChooserItems={"511543064":1}&checkableitems[]=511543064
511543064 is my Facebook numeric ID.
How to get the Facebook user ID?
Facebook's numeric user ID is not public information most of the time, and it is not always part of the URL!
Answer: the Graph API Explorer by Facebook
https://developers.facebook.com/tools/explorer/?method=GET&path=VICTIM-USERNAME?fields=id,name
evil idea
URL looks like:
https://www.facebook.com/guardian/confirm.php?guardians[0]=511543064&guardians[1]=511543064&guardians[2]=511543064&cuid=
AYhhCnxPb9g8xVAUGmuPh4e33s2NcCRj8Qng7wKGN7fxe9hXTQtVUKr0Rm-0LBeTOCX_Es83lN0_BGe8Yi2GG7iGRbZwIL5rNXktD1mSsnW-ZFD2fZB1Z7lLuyYdQ4GWPbf9bzhik9zXBpNeOsvUv-MpzCcAQT2jxLtEa25YGlg_qg&cp=testpurposexss@gmail.com
The evil idea doesn't work
Facebook correctly says:
interesting message from facebook
What does it mean?
I think it means that if an attacker selects himself or any particular account 3 to 5 times for different victims, then Facebook blocks access to that particular account!
URL manipulation's result, i.e., Facebook's email with no friends' names
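The selection rules the talk shows being bypassed (codes sent to friends who were not in the server's presented list via POST-data manipulation, and all three guardian codes routed to the same account) are exactly what a recovery back end has to enforce on its own side rather than trust from the client. The following Python is an added example written for this page, not Facebook's code; the class, its field names and the limit of three distinct victims per guardian per week are assumptions chosen to mirror the observations above (the "3 to 5 times" block Facebook appears to apply is reproduced here as an explicit, configurable rule):

```python
import secrets
import time
from collections import defaultdict

# Hypothetical server-side validation for a "trusted contacts" recovery step
# (added example, not Facebook's implementation). It enforces:
#   1. the chosen contacts come from the list the server itself presented for
#      this recovery session (defeats POST-data substitution of other IDs),
#   2. the chosen contacts are distinct and are not the account under recovery
#      (defeats routing every code to one attacker-controlled account),
#   3. one account may vouch for only a few distinct victims per window
#      (limits chaining recoveries through a single controlled account).

REQUIRED_GUARDIANS = 3
GUARDIAN_USE_LIMIT = 3                 # distinct victims per guardian per window (assumed)
GUARDIAN_WINDOW_SECONDS = 7 * 24 * 3600  # assumed


class TrustedContactRecovery:
    def __init__(self, friends_of):
        # friends_of: dict account_id -> set of friend ids (constructed fixture)
        self.friends_of = friends_of
        self.sessions = {}                       # session_id -> (account, candidates)
        self.guardian_uses = defaultdict(dict)   # guardian -> {victim: last_used_ts}

    def start(self, account_id, candidate_count=6):
        """The server picks the candidate guardians and binds them to the session."""
        friends = sorted(self.friends_of.get(account_id, set()))
        candidates = friends[:candidate_count]   # a real system would rank these
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = (account_id, frozenset(candidates))
        return session_id, candidates

    def _guardian_overused(self, guardian, victim, now):
        uses = self.guardian_uses[guardian]
        recent_victims = {v for v, ts in uses.items()
                          if now - ts < GUARDIAN_WINDOW_SECONDS and v != victim}
        return len(recent_victims) >= GUARDIAN_USE_LIMIT

    def choose(self, session_id, chosen, now=None):
        """Validate the client's selection; returns (ok, reason)."""
        now = time.time() if now is None else now
        if session_id not in self.sessions:
            return False, "unknown session"
        account_id, candidates = self.sessions[session_id]
        chosen = list(chosen)
        if len(chosen) != REQUIRED_GUARDIANS:
            return False, "exactly %d guardians required" % REQUIRED_GUARDIANS
        if len(set(chosen)) != len(chosen):
            return False, "duplicate guardian"
        if account_id in chosen:
            return False, "account cannot vouch for itself"
        if not set(chosen) <= candidates:
            return False, "guardian not in the server-presented list"
        for g in chosen:
            if self._guardian_overused(g, account_id, now):
                return False, "guardian used for too many recoveries"
        for g in chosen:
            self.guardian_uses[g][account_id] = now
        del self.sessions[session_id]            # one-shot: the session is consumed
        return True, "codes sent to %d guardians" % len(chosen)
```

The key design point is that `candidates` lives in server-side session state keyed by an unguessable session id, so whatever ids the client posts are checked against what the server chose, and a shortened list in the UI never widens what the server accepts.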
Chain Trusted Friends Attack (CTFA)
In a CTFA, the attacker can build a chain of compromised accounts and, with the help of that chain, may compromise account(s) that are not even in his friends list.
Facebook's default and fixed set of security questions
Facebook's security questions screenshot!
How to get the answers to these questions?
According to "me"
The following ways work like a charm:
-- In the case of a social network, the answer can be found on the public profile.
-- Directly ask for the answer via routine Facebook chat ... most of the time you will get the answer.
-- Make a quiz related to the security question and post it to your friends.
-- In the case of family members or close friends, you already know the answer.
another bad security practice
https://www.facebook.com/help/163063243756483
Question: What happens if a user realizes after answering/setting the question that he has chosen a weak answer?
Remark: In the case of compromised accounts, if the attacker proceeded by answering the security question, he can do the same thing again some time later, because the "QnA" remains the same.
Inconsistency in the security questions' user interface
What is your reaction if you have to give an answer to a security question that is not even part of Facebook's default security questions list?
my reaction :-)
security question # 1
security question # 2
How can a legitimate user give an answer to a security question that he has never set?
No Way ... BUT
I know the answer that works sometimes :-)
https://www.facebook.com/ashar.javed (ajaved)
https://www.facebook.com/mscashar.javed (mjaved)
empirical study
Tested 250 real accounts of my friends on Facebook.
In 181 cases, Facebook didn't allow us to proceed ... It means no security question exposed and no option of trusted friends.
In 69 cases, Facebook allowed us to provide a new email address, and once provided, we could have either the security question exposed, or the trusted friends feature appear, or both.
181 cases we got ...
If, as an attacker, we click on "I Cannot Access My Email"
in 69 cases
Facebook exposed the selected security question of the victim
OR
Option of Trusted friends' selection
OR
Choice among above two options
11 out of 69 accounts compromised
Out of 11 compromised accounts
8 by answering security question
AND
3 using trusted friends feature
Enough for a PoC! The number of compromised accounts can easily be raised to 20-25, but that requires more work and motivation :-)
some interesting observations
On Facebook, anybody can send anyone a password reset request if he knows the username, which is public information.
At the same time, a denial-of-service (DoS) against the victim
What if the attacker enters a wrong secret code 20-30 times? The attacker doesn't have access to the victim's email box in order to get the valid 6-digit code, but he has the above dialog box in front of him ...
here you go:
"Try again later" will be a nasty experience for the victim!
We call this "Password Reset DoS"
identify account another way
In this way, the attacker can force the victim to use an email address or phone, and if the victim has lost his email address ....
worst thing
my friend's reaction on worst thing
another type of DoS on Facebook
trusted friend feature dos
If an attacker has started the password recovery using TF and at the same time the victim tries to use this feature ... he will receive the following message from Facebook
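The two denial-of-service cases above, a victim's reset burned by repeated wrong codes and a trusted-friends recovery started by the attacker blocking the owner's own attempt, both come from state that is kept per account instead of per recovery attempt. Below is an added, hypothetical Python sketch, not Facebook's implementation, of a reset-code service that scopes the code, the failure counter and the lockout to each session and lets the owner disavow a pending session through an emailed token; the limits (5 failures, a 15-minute code lifetime, one pending session per requester) are assumed values:

```python
import hmac
import secrets
import time

# Added, hypothetical design (not Facebook's): every recovery request gets its
# own session, secret code, failure counter and disavow token. Wrong guesses
# only burn the session they were made against, so an attacker who hammers
# wrong codes never locks the owner out of a reset the owner starts from a
# different device. An account-wide failure counter is exactly what turns a
# guess limit into a password-reset DoS.

CODE_DIGITS = 6
MAX_FAILURES = 5                 # per session, assumed
CODE_TTL_SECONDS = 15 * 60       # assumed
PENDING_PER_REQUESTER = 1        # live sessions per (account, requester), assumed


class RecoverySession:
    def __init__(self, account_id, requester, now):
        self.account_id = account_id
        self.requester = requester     # e.g. client IP or device fingerprint
        self.code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        self.disavow_token = secrets.token_urlsafe(24)
        self.created = now
        self.failures = 0
        self.state = "pending"         # pending | verified | burned | disavowed


class RecoveryService:
    def __init__(self):
        self.sessions = {}             # session_id -> RecoverySession
        self.by_disavow = {}           # disavow token -> session_id

    def _live(self, s, now):
        return s.state == "pending" and now - s.created < CODE_TTL_SECONDS

    def start(self, account_id, requester, now=None):
        """Open a session. Returns (session_id, code, disavow_token) or None.
        In a real deployment the code and the disavow link are delivered to
        the owner's registered email/phone, never returned to the requester."""
        now = time.time() if now is None else now
        pending = [s for s in self.sessions.values()
                   if s.account_id == account_id and s.requester == requester
                   and self._live(s, now)]
        if len(pending) >= PENDING_PER_REQUESTER:
            return None                # throttles this requester, not the account
        s = RecoverySession(account_id, requester, now)
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = s
        self.by_disavow[s.disavow_token] = sid
        return sid, s.code, s.disavow_token

    def verify(self, session_id, code, now=None):
        """Returns 'verified', 'rejected' or 'burned' (this session exhausted)."""
        now = time.time() if now is None else now
        s = self.sessions.get(session_id)
        if s is None or not self._live(s, now):
            return "rejected"
        if hmac.compare_digest(s.code, str(code)):   # constant-time compare
            s.state = "verified"
            return "verified"
        s.failures += 1
        if s.failures >= MAX_FAILURES:
            s.state = "burned"         # only this attempt dies
            return "burned"
        return "rejected"

    def disavow(self, token):
        """Owner clicked the 'this wasn't me' link: cancel that one session."""
        sid = self.by_disavow.pop(token, None)
        if sid is None:
            return False
        s = self.sessions[sid]
        if s.state == "pending":
            s.state = "disavowed"
        return True
```

The disavow token rides in the same alert email the talk shows users treating as spam, so this design still depends on the owner reading that email; what it removes is the ability of a stranger's failed guesses, or a stranger's open trusted-friends session, to change what the owner's own session is allowed to do.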
Facebook's security measures, how legitimate users react, and their bypasses
This is how common users use Facebook...
1) Security Alert via Email or Mobile SMS
As soon as the attacker starts an account recovery via the "password reset" functionality, Facebook immediately sends an email or SMS alert to the legitimate user.
users' reaction on this email or sms
2) Temporarily Locked
In order to recognize a device, Facebook uses the OS, IP address, browser, estimated location, etc.
What happens if an attacker clicks on the "Continue" button?
(1)
(2)
Click "Continue" after selecting one of the options, but remember who is doing the selection?
An ATTACKER
(3)
(4)
(5)
(6)
(7)
(8)
Another interesting aspect, in case the legitimate user is able to regain access to his account
Remember the 5th step, i.e.,
snapshot of attacker's email box
Recognized devices
3) 24 Hour Locked-out Period
As an attacker this is the biggest hurdle to cross ...
disavow process
The legitimate user can "disavow" the process at any time by clicking on the link in the email he received from Facebook, or by performing Facebook activity during this time.
BUT
The majority of users, as shown in the users' reactions, consider Facebook's informative/warning emails as spam.
For a moment, forget disavow
24 hour locked out period starts like that ...
24 hour locked out period ...
game over for victim...
here we go...
Another email from Facebook, and the leaked email address of the victim
Ethical Considerations
First reported to Facebook on 19-08-2012
On 23-08-2012, I got the following answer from the Facebook Security Team:
Two questions came to my mind after reading the email...
Is there any attack that is not very well targeted?
Where is social engineering in this attack?
On 24-08-2012
But I waited until the empirical study was complete and sent the technical report/research paper again on 27-06-2013
Answer from the security team on 09-09-2013
Sorry Facebook :-(
It doesn't make sense to reproduce this attack on test accounts...
The results would look fake.
finally
All compromised accounts are up, running and under the control of their legitimate users!
Yet another observation, i.e., masked email address and phone #
Where is the masking? Email address exposed
After 5-10 minutes the masking effect appears
What about the other 49 social networks' password reset functionality?
Anybody can send anybody a password reset request with the help of a Twitter username, which is public information :-(
just for fun ...
I reported this to Twitter's security team, and this is what they think about it
But now Twitter has ...
support teams
support team's job
To help customers ...
can also be used to compromise accounts :-)
Our methodology, keeping the threat model in mind
Registered the following email address on social networks:
user1@bletgen.net
AND
The following is the attacker's address, and the goal is to compromise the victim's account labelled with the above email address
jim@mediaob.de
Attacker's address is not even registered on social networks!
our email to academia
initial response from academia
final response of academia support team
our email to them ...
FreizeitFreunde's support team response
initial response on our ticket
Our response without "date of birth"
lokalisten's support team final response
support team blocks account :)
our email to their support team
getglue's support team response
They set the new password for us, i.e., "temp" :)
Delicious's support team response
They switched the email address from the victim's to an attacker-controlled email address and sent the password reset link to the attacker's email address.
facebook as sso
Out of 50 surveyed social networks, we found
26 use Facebook as login-provider (SSO)
24 don't have this feature
Implications of Facebook Connect
(1 million websites have integrated with Facebook)* + account hack
* http://goo.gl/x8BKe
Guidelines for users
- Do not ignore email or SMS alert from Facebook
- Do not place TOO MUCH information on social network
- Do not accept friend requests from strangers
- Enable log-in notifications
Guidelines for social networks
- Train your support teams.
- Facebook should raise the bar as far as communication with the researchers or bug submitters is concerned.
- For Facebook: Please don't send TOO MANY EMAILS because users start believing that these are spam emails.
- Joe wrote in his post (http://goo.gl/Wf6QMZ):
- In case of TFA, Facebook failed in "CORRECTLY IDENTIFYING and REALIZATION OF AN INFORMATION FLOW PROBLEM"
for facebook
I hope now facebook security team's reaction
reveal my trusted contacts reveals
social media experiment (freak out strangers)
thanks!