Trusted Friend Attack: Guardian Angels Strike

Presented at DeepSec 2013 "Secrets, Failures, and Visions"

In this talk we present our survey of the "forgot your password" functionality of fifty popular social networks and investigate the security of their password recovery mechanisms. We were able to compromise accounts on six social networks and to block an account on one big social network, due to weaknesses in the password recovery feature and with help from their untrained and naive support teams during the account recovery process.

In addition, we present a novel, practical and high-severity attack on the password recovery feature of Facebook, which we call the Trusted Friend Attack (TFA). The term TFA was coined during our discussions with the Facebook Security Team. Trusted friends are also known as Guardian Angels. If a user wants to log in to a web service without remembering his password, usually an email containing a new password (or a password reset link) is sent to the user, enabling him to choose a new password for his account. A problem occurs when this user has lost, along with his password, access to the email account provided during registration. For that case, Facebook introduced a new feature called Trusted Friends, which allows account recovery based on the trust a user has in his friends. The TFA exploits the victim's trust in his friend or friends (3 in total) to compromise his/her account, so it is very beneficial for the attacker to be on the victim's friends list as a starting point (though the attack is possible, with low probability, even if the attacker is not on the victim's friends list). There are two variants of the Trusted Friend(s) Attack: one involves only one attacker while the other requires three attackers. To show the applicability of our attack, we tested 250 Facebook accounts. We show how TFA can lead to a complete compromise of a user's Facebook account. This talk also describes the Chain Trusted Friend Attack (CTFA), in which the attacker makes a chain of hacked accounts in order to compromise more accounts.

The talk further demonstrates a highly practical Denial of Service (i.e., DoS of the trusted friends feature) due to a weakness in Facebook's password recovery procedure. Both attacks, i.e., TFA and DoS, can easily be launched against any Facebook user with knowledge of his user-name only, which is public information. We have responsibly reported all attacks to the respective security teams and they have acknowledged our work. In the end, we give some guidelines to social networks' users.
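The abstract describes two failure modes of friend-based recovery: an attacker who controls (or is) the vouching friends can obtain a reset, and anyone who knows a username can trigger the recovery procedure against the victim. The following is an added, constructed model of a threshold "trusted contacts" recovery flow with the defensive checks a service designer would want; it is not Facebook's implementation, and the policy values (3 codes, a 7-day minimum age for a designated contact, 3 recovery initiations per target per day) are assumptions chosen for illustration.

```python
"""Toy model of threshold-based "trusted contacts" account recovery with defensive checks.

Constructed example for this page; it is not Facebook's implementation and every
policy value below (THRESHOLD, MIN_CONTACT_AGE_S, MAX_INITIATIONS_PER_DAY) is an
assumption. Times are plain integer seconds so the model runs offline.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

THRESHOLD = 3                   # codes from distinct trusted contacts needed for a reset
MIN_CONTACT_AGE_S = 7 * 86400   # a contact designated more recently than this cannot vouch
MAX_INITIATIONS_PER_DAY = 3     # per target account: limits recovery-triggered lockouts


@dataclass
class Account:
    name: str
    trusted: dict = field(default_factory=dict)        # contact name -> designation time
    initiations: list = field(default_factory=list)    # timestamps of recovery requests
    password_reset_token: Optional[str] = None


@dataclass
class RecoveryRequest:
    request_id: str
    target: str
    eligible_contacts: set                              # contacts old enough to vouch
    codes: dict = field(default_factory=dict)           # contact -> one-time code
    used: set = field(default_factory=set)              # contacts whose code was accepted


def designate_trusted_contacts(acct, contacts, now):
    """Owner-initiated: record when each contact was designated (drives the cooling-off)."""
    for c in contacts:
        acct.trusted.setdefault(c, now)


def initiate_recovery(acct, now):
    """Start a recovery. Throttled per target, since the username is public information."""
    window_start = now - 86400
    acct.initiations = [t for t in acct.initiations if t > window_start]
    if len(acct.initiations) >= MAX_INITIATIONS_PER_DAY:
        return None, "rate-limited"
    acct.initiations.append(now)
    # Only contacts designated before the cooling-off window may vouch; this blocks
    # an attacker who gains brief control of the account (or the owner's email) from
    # appointing accomplices and recovering immediately through them.
    eligible = {c for c, t in acct.trusted.items() if now - t >= MIN_CONTACT_AGE_S}
    if len(eligible) < THRESHOLD:
        return None, "not-enough-aged-contacts"
    return RecoveryRequest(secrets.token_hex(8), acct.name, eligible), "ok"


def issue_code(req, contact):
    """Deliver (here: return) a code bound to this request and this contact only."""
    if contact not in req.eligible_contacts:
        return None
    if contact not in req.codes:
        req.codes[contact] = secrets.token_urlsafe(8)
    return req.codes[contact]


def submit_code(req, contact, code):
    """Accept a code once, only from the contact it was issued to, only for this request."""
    expected = req.codes.get(contact)
    if expected is None or contact in req.used:
        return False
    if not hmac.compare_digest(expected, code):
        return False
    req.used.add(contact)
    return True


def complete_recovery(acct, req):
    """Grant a reset token only when THRESHOLD distinct eligible contacts have vouched."""
    if req.target != acct.name or len(req.used) < THRESHOLD:
        return None
    acct.password_reset_token = secrets.token_hex(16)
    return acct.password_reset_token
```

The two checks that matter against the abstract's scenarios are the designation age in `initiate_recovery`, which stops freshly appointed contacts from vouching, and the per-target initiation limit, which bounds how often a stranger who only knows the username can push the account into recovery. Binding each code to a single request and accepting it once prevents a code collected in one recovery from being reused in another.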

Presenters:

  • Ashar Javed - Chair of Network & Data Security, Ruhr University Bochum, Germany
    Ashar is a researcher at the Chair of Network & Data Security, Ruhr University Bochum, Germany, and is working towards his PhD. His name has been listed nine times in the Google Security Hall of Fame, on the Twitter/Microsoft/Ebay/Adobe/Etsy/AT&T Security Pages, in Facebook White Hat, etc.