Trusted Friend Attack: When Guardian Angels Strike presented at HITBSecConf Malaysia 2013

by Ashar Javed

Summary: In this paper, we survey the “forgot your password” functionality of fifty popular social networks and investigate the security of their password recovery mechanisms. We were able to compromise accounts on six social networks and to block an account on one large social network, due to weaknesses in the password recovery feature and to help from their untrained and naive support teams during the account recovery process.
In addition, we present a novel, practical and high-severity attack on the password recovery feature of Facebook, which we call the Trusted Friend Attack (TFA). The term TFA was coined during our discussions with the Facebook Security Team. Trusted friends are also known as Guardian Angels. If a user wants to log in to a web service without remembering his password, usually an email containing a new password (or a password reset link) is sent to the user, enabling him to choose a new password for his account. A problem occurs when this user, along with his password, has also lost access to the email account provided during registration. For that case, Facebook introduced a new feature called Trusted Friends, which allows account recovery based on the trust a user has in his friends.
The TFA exploits the victim’s trust in his friends (3 in total) to compromise his account, so it is very beneficial for the attacker to be on the victim’s friend list as a starting point (though the attack is possible with low probability even if the attacker is not on the victim’s friend list). There are two variants of the Trusted Friend(s) Attack: one involves only one attacker, while the other requires three attackers. To show the applicability of our attack, we tested 250 Facebook accounts. We show how TFA can lead to a complete compromise of a user’s Facebook account. This paper also describes the Chain Trusted Friend Attack (CTFA). In CTFA, the attacker builds a chain of hacked accounts in order to compromise more accounts.
This paper further demonstrates a highly practical Denial of Service (i.e., a DoS of the trusted friends feature) due to a weakness in Facebook’s password recovery procedure. Both attacks, i.e., TFA and DoS, can easily be launched against any Facebook user with knowledge of his username only, which is public information. We have responsibly reported all attacks to the respective security teams, and they have acknowledged our work. In the end, we give some guidelines for users of social networks.