trusted friend attack:

Guardian Angels Strike


A talk by Ashar Javed

@

HITB (14-17 October 2013) Kuala Lumpur, Malaysia

DeepSec (21-22 November 2013), Vienna, Austria 



What


Survey of "Fallback Authentication Methods" of fifty (50) popular social networking websites

graph is big


http://theweek.com/article/index/239514/4-things-we-learned-from-facebooks-confounding-earnings-report

WHO AM I?


  • a researcher at Ruhr-University Bochum, RUB, Germany

  • a student working towards his PhD

  • Listed on almost every Hall of Fame page


@soaj1664ashar

Some of you will wish for this feature ...


a short story


https://twitter.com/dimitribest/status/230677638358900736

a paste@pastebin


http://pastebin.com/ajaYnLYc

who to blame?


http://cher-homespun.blogspot.de/2011/07/curiosity-killed-cat-but-satisfaction.html

After testing 3 to 4 random accounts from the pastebin paste, I found



An innocent question ...


Why is Facebook asking this on somebody else's account?


This is me

This isn't me


&

What would your answer be, if you were an attacker :-)

legitimate password recovery flow




You have an email address but FORGOT YOUR PASSWORD

Step (1)

Go To https://www.facebook.com/

Click "Forgot Your Password?"


Step (2)

Enter Your Email, Phone, Username or Full Name


Provide the email address and click on the "Search" button!

https://www.facebook.com/login/identify?ctx=recover

Step (3)

Choose your "Password Reset Method" & click "Continue"

Step (4) a

Received password secret code via email



Step (4) b

Entry-Point for the SECRET CODE RECEIVED:



Enter the code that you received by email & click "Continue"

Step (5)

Set "New Password"

Step (6)

Welcome to Facebook, MSc. Ashar

 

Informative email from Facebook

what if you lost or forgot both



Email Address

+

password


Facebook had a solution named



Trusted Friends (TF)



"TF is based on SOCIAL Authentication"


&



"Bringing Social to Security" is GOOD 


BUT ...






http://www.cl.cam.ac.uk/~rja14/Papers/socialauthentication.pdf

trusted friends feature


Introduced in October 2011 (https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766)

trusted friends


"It's sort of similar to giving a house key to your friends when you go on vacation--pick the friends you most trust in case you need their help"





https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766

trusted friends according to readwrite:


'"Who Wants To Be A Millionaire" lifeline concept - except it's not a one-time deal.'





http://readwrite.com/2011/10/27/facebook_adds_security_features_trusted_friends_ap#awesm=~ohkTqJVUI7Yyvb

guardian angels



http://sophosnews.files.wordpress.com/2011/10/facebook-security-infographic.pdf

how does the trusted friends feature work?


list # 1


list # 2


list # 3


review friends


enter codes & gain access to your account


Screen-shot of fake profile

4 digit code

Another informative email to legitimate user from facebook


600,000+ compromised account logins every day on Facebook, official figures reveal (http://goo.gl/fNP27Q)

by

https://twitter.com/gcluley

@gcluley noted in his post

http://goo.gl/fNP27Q


question you might be thinking ...


threat model


The attacker is on the victim's friends list and can create the new email address(es) required for compromising accounts. The attacker can only leverage the "forgot your password" functionality to compromise accounts, and we do not consider the compromise of legitimate users' email accounts.

email address must be new for every target



facebook friend vs real life friend

http://blogs.mcafee.com/consumer/fake-friends

a short fun study


Created 3 FAKE ACCOUNTS and sent friendship requests to TWENTY (20) friends of mine on Facebook.


After some time, 8 friends had accepted all 3 requests

Data Science of the Facebook World


On average a Facebook user has 342 friends!


DO YOU THINK ALL 342 ARE REAL LIFE FRIENDS ALSO OR JUST FACEBOOK FRIENDS OR WHAT ... ?


http://blog.stephenwolfram.com/2013/04/data-science-of-the-facebook-world/



summarize everything about facebook & real life friends

http://www.lolroflmao.com/2012/02/24/he-had-over-2000-friends-on-facebook-i-thought-it-would-have-more-people-here/

trusted friend attack (TFA)


In order to start TFA, we need the victim's Facebook username and, FYI, it is PUBLIC INFORMATION & part of the Facebook URL.


e.g.,


https://www.facebook.com/ashar.javed



Once the target is selected


Repeat the "Forgot Your Password" process as mentioned before until Step (3), i.e.,


"No longer have access to these?"

no longer have access to these?


sometimes opens the following dialog box (old & new version) :)

HOW AWESOME ARE THEY? :-)

https://www.facebook.com/recover/extended

In order to find the answer to "sometimes", I did an empirical study (discussed later).







questions...


How can Facebook bind this new email address or phone number to the legitimate user's address or phone?


How can Facebook differentiate between an account recovery procedure started by a legitimate user and the one started by an attacker?


Is it even possible?


I think NO!

create a new email address and enter it in the previous dialog box & here you have:


Question


Why is Facebook exposing the one selected PRIVATE SECURITY QUESTION in front of the ATTACKER?


Facebook is providing an option to the attacker: he can select from two routes, i.e.,


  1. Answer Security Question
  2. Choose Three Friends of Attacker's Choice

TFA's variations/forms




  1. Involves one attacker, i.e., the case where the attacker answers the exposed security question
  2. Involves three friends, i.e., the case where the attacker chooses three friends of his choice

attacker chooses trusted friends path

Attacker's choices


  • Select friends in the normal manner, even without POST-DATA manipulation (works 100%)
  • Try to send codes to his controlled accounts that are not on the victim's friend list. (Doesn't work)
  • Try to send codes to attacker-controlled accounts that are on the victim's friend list but not in the presented lists of trusted friends. (works 50%)
  • Try to send codes to attacker-controlled accounts that are on the presented list of trusted friends, using POST-DATA manipulation (defeats Facebook's shortening of the list items). (works 100%)
  • Try to send all codes to himself (evil idea). (Doesn't work)

post-data manipulation


lsd=AVo8FV8K&profileChooserItems={"511543064":1}&checkableitems[]=511543064

511543064 is my Facebook numeric ID.


how to get the facebook user's ID?


Facebook's numeric user ID is not public information most of the time, and it is not part of the URL all the time!

answer: graph api explorer by facebook

https://developers.facebook.com/tools/explorer/?method=GET&path=VICTIM-USERNAME?fields=id,name

evil idea

URL looks like:
https://www.facebook.com/guardian/confirm.php?guardians[0]=511543064&guardians[1]=511543064&guardians[2]=511543064&cuid=
AYhhCnxPb9g8xVAUGmuPh4e33s2NcCRj8Qng7wKGN7fxe9hXTQtVUKr0Rm-0LBeTOCX_Es83lN0_BGe8Yi2GG7iGRbZwIL5rNXktD1mSsnW-ZFD2fZB1Z7lLuyYdQ4GWPbf9bzhik9zXBpNeOsvUv-MpzCcAQT2jxLtEa25YGlg_qg&cp=testpurposexss@gmail.com

evil idea doesn't work


Facebook correctly says:





interesting message from facebook



what does it mean?


I think it means that if an attacker selects himself or any particular account 3 to 5 times for different victims, then Facebook blocks access to that particular account!

URL manipulation's result, i.e., Facebook's email with no friends' names
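The attacker choices above (ids not on the friend list, ids widened beyond the presented list via POST data, the same id three times, one account vouching for many victims) are all things the server can reject before any code is sent. This Python sketch is an added example, not code from the talk and not Facebook's implementation; the directory data, the three-guardian limit and the reuse cap are constructed assumptions.

```python
# Added example, not code from the talk: server-side validation of a
# trusted-friends guardian selection. All names and data are constructed.
from collections import defaultdict

REQUIRED_GUARDIANS = 3
MAX_GUARDIAN_REUSE = 3   # assumed cap: distinct targets one account may vouch for

# Constructed directory: each user's friend list and configured trusted friends.
FRIENDS = {"victim": {"alice", "bob", "carol", "dave", "mallory"}}
TRUSTED = {"victim": ["alice", "bob", "carol", "dave"]}

# Which targets each account has already served as guardian for (server-side).
guardian_uses = defaultdict(set)


class RecoverySession:
    """Records, on the server, which guardian ids were shown to the requester.
    The shortened list is the only thing the client is allowed to pick from."""
    def __init__(self, target):
        self.target = target
        self.presented = set(TRUSTED[target][:REQUIRED_GUARDIANS])


def validate_guardians(session, chosen):
    """Return (ok, reason). Accept only distinct ids that were presented,
    are on the target's friend list and are below the reuse cap."""
    if len(chosen) != REQUIRED_GUARDIANS:
        return False, "need exactly %d guardians" % REQUIRED_GUARDIANS
    if len(set(chosen)) != len(chosen):
        # the 'all codes to myself' idea: same guardian id three times
        return False, "duplicate guardian"
    for g in chosen:
        if g not in FRIENDS[session.target]:
            return False, "not a friend of target: " + g
        if g not in session.presented:
            # id widened by editing POST data or the confirm URL
            return False, "not in presented list: " + g
        if len(guardian_uses[g] - {session.target}) >= MAX_GUARDIAN_REUSE:
            # one account vouching for many different targets is suspicious
            return False, "guardian reused too often: " + g
    for g in chosen:
        guardian_uses[g].add(session.target)
    return True, "ok: send codes to " + ", ".join(chosen)
```

The check against `session.presented` is the one that makes client-side edits of the selection harmless: the server compares against what it showed, not against the full trusted list.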




Chain Trusted Friends Attack (CTFA)


In CTFA, the attacker can build a chain of compromised accounts and, with the help of the chain, he may compromise account(s) that are not even in his friends list.


facebook's default & fixed security questions set

facebook's security questions screen-shot!




Excerpts from "mind reader" video



https://www.youtube.com/watch?v=F7pYHN9iC9I

how to get the answers to these questions?


according to "me"


The following ways work like a charm:


-- In the case of a social network, the answer can be found on the public profile.

-- Directly ask for the answer via routine Facebook chat ... most of the time you will get the answer.

-- Make a QUIZ related to the security question and post it to your friends.

-- In the case of family members or close friends, you already know the answer.

another bad security practice


https://www.facebook.com/help/163063243756483

Question: What happens if a user realizes, after answering/setting the question, that he has chosen a weak answer?

Remark: In the case of compromised accounts, if the attacker proceeded by answering the security question, he can do the same thing again some time later because the "QnA" remains the same.

Inconsistency in security questions' User interface



what is your reaction if you have to answer a security question that is not even part of Facebook's default security questions list?



my reaction :-)

security question # 1




security question # 2

how can a legitimate user answer a security question that he has never set?


No Way ... BUT


I know the answer that works sometimes :-)


https://www.facebook.com/ashar.javed (ajaved)

https://www.facebook.com/mscashar.javed (mjaved)

empirical study


Tested 250 real accounts of my friends on Facebook.


In 181 cases, Facebook doesn't allow us to proceed ... This means no security question exposed + no option of trusted friends


In 69 cases, Facebook allows us to PROVIDE a NEW EMAIL ADDRESS and, once provided, either the security question is exposed, or the trusted friends feature appears, or BOTH

181 cases we got ...


If, as an attacker, we click on "I Cannot Access My Email"

181 cases (No email access ... we are sorry)



https://www.facebook.com/recover/extended/ineligible

in 69 cases

Facebook exposed the victim's selected security question

OR

Option of trusted friends' selection

OR

Choice between the above two options

11 out of 69 accounts compromised


Out of 11 compromised accounts


8 by answering security question

AND

3 using trusted friends feature


ENOUGH FOR POC! The # of compromised accounts could easily be raised to 20-25, but that requires more work & motivation :-)

some interesting observations

On Facebook, anybody can send anyone a password reset request if he knows the username, which is public information

and at the same time, a denial-of-service (DoS) on the victim


What if the attacker enters a wrong secret code 20-30 times? The attacker doesn't have access to the victim's email box to get the valid 6 digit code, but he has the above dialog box in front of him ...

here you go:


"Try again later" will be a nasty experience for the victim!

We call this "Password Reset DoS"
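The lockout described above hits the victim because the wrong-guess counter is tied to the account. As an added example (not code from the talk, and not Facebook's implementation), this Python sketch ties the guess budget to the requester's recovery session instead, so a stranger exhausting guesses only burns his own session; it assumes the server can key a session by the browser that started the request, and all names and codes are constructed.

```python
# Added example, not code from the talk: a reset-code check that throttles the
# recovery *session* rather than locking the victim's account. Constructed names.
import hmac
import secrets

MAX_ATTEMPTS = 5   # assumed wrong-guess budget per recovery session


class ResetSession:
    """One 'forgot password' request. The wrong-guess budget lives here, so a
    stranger burning guesses cannot lock the real owner out of recovery."""
    def __init__(self, account, code=None):
        self.account = account
        # 6-digit code as in the flow above; fixed codes are only for tests
        self.code = code or "%06d" % secrets.randbelow(10 ** 6)
        self.attempts = 0
        self.revoked = False


def verify_code(session, submitted):
    """Return 'ok', 'wrong' or 'revoked'. After MAX_ATTEMPTS wrong guesses the
    session's code is discarded; a fresh request (and a fresh owner alert) is
    needed. The account itself is never locked."""
    if session.revoked:
        return "revoked"
    session.attempts += 1
    if hmac.compare_digest(session.code.encode(), str(submitted).encode()):
        session.revoked = True          # single use
        return "ok"
    if session.attempts >= MAX_ATTEMPTS:
        session.revoked = True
    return "wrong"


class RecoveryService:
    """Sessions are keyed per (requester, account), not per account, so the
    attacker's session and the owner's session stay independent."""
    def __init__(self):
        self.sessions = {}

    def start(self, requester, account, code=None):
        session = ResetSession(account, code)
        self.sessions[(requester, account)] = session
        return session

    def attempt(self, requester, account, submitted):
        return verify_code(self.sessions[(requester, account)], submitted)
```

Per-requester throttling (backoff per source) would normally sit on top of this; the point shown here is only that the owner's own recovery keeps working while the attacker's session is revoked.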

identify account another way



In this way, the attacker can force the victim to use an email address or phone, and if the victim has lost his email address ....

worst thing



my friend's reaction on worst thing


another type of DoS on Facebook

trusted friend feature dos


If an attacker has started the password recovery using TF and at the same time the victim tries to use this feature ... he will receive the following message from Facebook



facebook's security measures & how legitimate users react & their bypasses

this is how common users use facebook...

1) Security Alert via Email or Mobile SMS


As soon as the attacker starts an account recovery via the "password reset" functionality, Facebook immediately sends an email or SMS alert to the legitimate user.

users' reaction on this email or sms







2) Temporarily Locked



In order to recognize a device, Facebook uses OS, IP address, browser & estimated location, etc.

What happens if an attacker clicks on the "Continue" button?




(1)





(2)



Click "Continue" after selecting one of the options, but remember who is doing the selection?

An ATTACKER

(3)




(4)


(5)



(6)

(7)

(8)

another interesting aspect, in case the legitimate user is able to regain access to his account

remember (5th step), i.e.,


snapshot of attacker's email box

Recognized devices

3) 24 Hour Locked-out Period

As an attacker, this is the biggest hurdle to cross ...


disavow process


The legitimate user can "disavow" the process at any time by clicking on the link in the email he received from Facebook or by making Facebook activity during this time.


BUT


The majority of users, as shown in users' reactions, consider Facebook's informative/warning emails as spam.

for a moment, forget disavow


24 hour locked out period starts like this ...

24 hour locked out period ...




game over for victim...


here we go...

Another email from Facebook, and the leaked email address of the victim

Ethical Considerations


First reported to Facebook on 19-08-2012

On 23-08-2012, I got the following answer from the Facebook Security Team:

two questions came to my mind after reading the email ...


Is there any attack that is not very well targeted?


Where is social engineering in this attack?

on 24-08-2012


but I waited until the complete empirical study & again sent the technical report/research paper on 27-06-2013

answer from security team on 09-09-2013



sorry facebook :-(


It doesn't make sense to reproduce this attack on TEST ACCOUNTS...


The results would look FAKE.

on the other hand ...


Our approach is similar to a recently published academic paper in the Second International Workshop on Privacy and Security in Online Social Media, co-located with WWW 2013 (http://precog.iiitd.edu.in/events/psosm2013/9psosm3s-parwani.pdf)

finally


All compromised accounts are up, running and under the control of their legitimate users!

yet another observation i.e., masked email address and phone #



Where is the masking? Email address exposed

after 5-10 minutes the masking effect appears

what about other 49 social networks' password reset functionality?

twitter (https://twitter.com/?lang=en)


200 million active users (Feb 2013) + Alexa Rank #11
(http://en.wikipedia.org/wiki/Twitter)

anybody can send anybody a password reset request with the help of Twitter's username, which is public information :-(

just for fun ...


I reported this to the Twitter security team & this is what they think about it

but now twitter has ...

Mat Honan's story


http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

support teams

support team's job


To help customers ...


can also be used to compromise accounts :-)

our methodology, keeping in mind the threat model


Registered the following email address on social networks:

user1@bletgen.net

AND

The following is the attacker's address; the goal is to compromise the victim's account, labelled with the above email address

jim@mediaob.de

Attacker's address is not even registered on social networks!

Academia (http://www.academia.edu/)


our email to academia

initial response from academia

final response of academia support team


 

FreizeitFreunde (a German-specific social networking site) (http://www.freizeitfreunde.de/)

our email to them ...

FreizeitFreunde's support team response


lokalisten (a German social networking site) (http://www.lokalisten.de/)

initial response on our ticket

our response without "date of birth"

lokalisten's support team final response


meetup (http://www.meetup.com/find/)

support team blocks the account :)

getglue (social network for TV fans) http://getglue.com/feed


our email to their support team


getglue's support team response


They set the new password for us, i.e., "temp" :)

Delicious  (https://delicious.com/)

Delicious's support team response


They switched the email address from the victim's to an attacker-controlled email address and sent a password reset link to the attacker's email address.

facebook as sso


Out of 50 surveyed social networks, we found


26 use Facebook as login-provider (SSO)

24 don't have this feature

Implications of Facebook Connect

(1 million websites have integrated with Facebook)* + account hack


  • Control the email account, e.g., Yahoo
  • Go shopping, e.g., Etsy
  • Create havoc for the victim :)
  • 79% of social media logins at online retailers are with Facebook (http://socialmediatoday.com/node/1656466)
  • 60 million users of Facebook Connect in 2009 according to a TechCrunch report (http://goo.gl/a6lsCx)


* http://goo.gl/x8BKe

havoc examples

http://goo.gl/2FVTz8


http://goo.gl/uuO7Kq

Guidelines for users


  • Do not ignore email or SMS alert from Facebook
  • Do not place TOO MUCH information on social network
  • Do not accept friend requests from strangers
  • Enable log-in notifications

Guidelines for social networks


  • Train your support teams.
  • Facebook should raise the bar as far as communication with researchers or bug submitters is concerned.
  • For Facebook: please don't send TOO MANY EMAILS, because users start believing that these are spam emails.
  • Joe wrote in his post (http://goo.gl/Wf6QMZ):
  • In the case of TFA, Facebook failed in "CORRECTLY IDENTIFYING and REALIZATION OF AN INFORMATION FLOW PROBLEM"

for facebook


I hope for the Facebook security team's reaction now

demo

YET Another observation


reveal my trusted contacts reveals


social media experiment (freak out strangers)


http://www.youtube.com/watch?v=5P_0s1TYpJU

thanks!