Researcher shows how to Facebook friend anyone in 24 hours

Summary: Security researcher Nelson Neto has demonstrated how to Facebook friend anyone on the social network. He also argues he can exploit the service's Trusted Friends feature to hack an account.

At the Silver Bullet security conference in São Paulo, Brazil, UOLDiveo chief security officer Nelson Neto demonstrated how to Facebook friend anyone with a little social engineering. In fact, the whole feat took him less than 24 hours, as first reported by Ars Technica.

First, Neto picked a target: a Web security expert he called SecGirl. Then, he used information gathered from Facebook, LinkedIn, and Amazon to build a fake profile of her manager in order to gain her trust on the world's largest social network.

The Brazilian security researcher started by creating a fake Facebook account that replicated the identity of the target's manager (clearly against the social network's policies). He then sent 432 friend requests to friends of friends of the manager, 436 friend requests to the manager's own friends, and finally 580 friend requests to a third group of friends.

In the first hour, 24 requests from the first group had been accepted, even though 23 of those people already had the manager's legitimate account in their friends list. In the second hour, 14 people from the second group accepted, all of whom were friends with the manager's legitimate account.

Seven-and-a-half hours into the experiment, he had 35 accepted friend requests from the third group, and SecGirl had agreed to be his Facebook friend as well. By that time, the profile had accumulated enough friends and friends of friends that it appeared legitimate: a total of 73. Even if SecGirl noticed she was already Facebook friends with her manager, she probably thought her manager was simply making a new account.

Last month, Facebook announced a new Trusted Friends feature that lets you select three to five trusted friends who can help you if you ever have trouble accessing your account. Facebook sends codes to the friends you have selected. If you are ever locked out of your account (you forget your password and can't access your e-mail account), your friends can pass one of these codes on to you so you can log back in.

Neto claims he can use Trusted Friends to take over a legitimate Facebook account. He argued that a hacker could use this feature along with the password recovery tool to change both the password and the contact e-mail address for an account. From there, the hacker could then use that hacked account to launch more social engineering attacks on even more accounts.

From my understanding, this would not work because it is not enough to be friends with the target; the target has to pick you as one of their trusted friends as well. I have contacted Facebook to verify whether this is the case and to get more information. I will update this story if I hear back.

In the meantime, you can see Neto's presentation over on SlideShare.

Update: "The methods used in this research violate Facebook's policies," a Facebook spokesperson said in a statement. "It's against our policies to use a fake name or to impersonate anyone, and we encourage people to report those that they think are doing this through report links located throughout the site. When a person reports an account for this reason, we run an automated system against the reported account. If the system determines that the account is suspicious, we show a notice to the account owner the next time he or she logs in warning the person that impersonating someone is a violation of Facebook's policies and may even be a violation of local law. This notice also asks the person to confirm his or her identity as the true account owner within a specified period of time through one of several methods, including registering and confirming a mobile phone number. If the person can't do this or doesn't respond, the account is automatically disabled. We urge people not to add or accept friend requests from people they don't know."

As for the Trusted Friends aspect, Facebook says it is still looking into the claims.

Update 2: "You are correct that users must pre-select Trusted Friends from their account settings," a Facebook spokesperson told me. "Additionally, we have safeguards in place around our Trusted Friend system so a recently friended person would have the lowest likelihood of being chosen as one of the 3 friends used in the password recovery steps."
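To make the Trusted Friends discussion above concrete, here is a small Python model of a trusted-contacts recovery flow. It is an added illustration written for this page, not Facebook's code (the real implementation is not public), and its rules are assumptions drawn from the article: the owner pre-selects three to five contacts from existing friends; a recovery attempt sends a one-time code to each of the three trusted contacts with the oldest friendship, so a recently accepted friend is passed over; and all three codes must be presented. The account, friend list and impostor are constructed sample data.

```python
"""Model of a trusted-contacts account recovery flow.

Illustrative model written for this article, not Facebook's code.
Assumed rules (not taken from any published specification):
  - the owner pre-selects 3 to 5 trusted contacts among existing friends;
  - a recovery attempt issues a one-time code to each of the three
    trusted contacts with the oldest friendship, so a recently accepted
    friend is passed over;
  - the person recovering must present all three codes.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    friends: dict                                  # friend name -> friendship age in days
    trusted: list = field(default_factory=list)    # pre-selected trusted contacts


class RecoveryService:
    MIN_TRUSTED, MAX_TRUSTED, CODES_REQUIRED = 3, 5, 3

    def __init__(self):
        self._key = secrets.token_bytes(32)        # server-side HMAC key
        self._pending = {}                         # account name -> {contact: code}

    def set_trusted(self, acct, names):
        """Owner pre-selects trusted contacts; each must already be a friend."""
        if not self.MIN_TRUSTED <= len(names) <= self.MAX_TRUSTED:
            raise ValueError("choose between 3 and 5 trusted contacts")
        strangers = [n for n in names if n not in acct.friends]
        if strangers:
            raise ValueError(f"not friends with: {strangers}")
        acct.trusted = list(names)

    def _code(self, acct, contact, nonce):
        msg = f"{acct.name}|{contact}|{nonce.hex()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:8]

    def start_recovery(self, acct):
        """Anyone may start recovery for an account; codes go to the chosen
        contacts, never to the requester. Returns the contacts that got one."""
        if len(acct.trusted) < self.MIN_TRUSTED:
            raise RuntimeError("no trusted contacts configured")
        oldest_first = sorted(acct.trusted, key=lambda n: acct.friends[n], reverse=True)
        chosen = oldest_first[:self.CODES_REQUIRED]
        nonce = secrets.token_bytes(16)
        self._pending[acct.name] = {c: self._code(acct, c, nonce) for c in chosen}
        return chosen

    def code_delivered_to(self, acct, contact):
        """What a given contact sees: a code only if they were chosen."""
        return self._pending.get(acct.name, {}).get(contact)

    def finish_recovery(self, acct, presented):
        """presented: {contact: code} collected by the person recovering."""
        pending = self._pending.get(acct.name)
        if not pending or len(presented) < self.CODES_REQUIRED:
            return False
        for contact, code in presented.items():
            expected = pending.get(contact)
            if expected is None or not hmac.compare_digest(expected, code):
                return False
        del self._pending[acct.name]               # codes are single-use
        return True


def run_scenario():
    """Constructed data: SecGirl's account and the impostor 'manager (fake)',
    whose friend request she accepted yesterday."""
    svc = RecoveryService()
    secgirl = Account("SecGirl", {
        "manager": 900, "alice": 700, "bob": 500, "carol": 300,
        "manager (fake)": 1,
    })
    # 1. The owner picked her trusted contacts long before the impostor appeared.
    svc.set_trusted(secgirl, ["manager", "alice", "bob", "carol"])
    chosen = svc.start_recovery(secgirl)
    impostor_code = svc.code_delivered_to(secgirl, "manager (fake)")

    # 2. Even if the owner later added the impostor as a fifth trusted
    #    contact, the oldest-friendship rule still passes it over.
    svc.set_trusted(secgirl, ["manager", "alice", "bob", "carol", "manager (fake)"])
    chosen_with_impostor = svc.start_recovery(secgirl)
    impostor_code_2 = svc.code_delivered_to(secgirl, "manager (fake)")

    # 3. Guessed codes fail; codes relayed by the chosen contacts succeed once.
    guessed = svc.finish_recovery(secgirl, {c: "00000000" for c in chosen_with_impostor})
    relayed = {c: svc.code_delivered_to(secgirl, c) for c in chosen_with_impostor}
    accepted = svc.finish_recovery(secgirl, relayed)
    replay = svc.finish_recovery(secgirl, relayed)

    return {
        "chosen": chosen,
        "impostor_got_code": impostor_code is not None,
        "chosen_with_impostor": chosen_with_impostor,
        "impostor_got_code_even_when_trusted": impostor_code_2 is not None,
        "guessed_codes_accepted": guessed,
        "relayed_codes_accepted": accepted,
        "replay_accepted": replay,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows the two points argued above: an impostor who merely befriended the target never receives a code, whether or not the owner later lists them as a trusted contact, while codes relayed by the chosen contacts do open the account and cannot be replayed. It also makes visible the residual risk raised in the comments below: the codes are bearer tokens, so the scheme is exactly as strong as the contacts' willingness to hand them only to the real owner.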

Topic: Social Enterprise

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.

Talkback

5 comments
  • RE: Researcher shows how to Facebook friend anyone in 24 hours

    "From my understanding, this would not work..."

    Guess they should have had you as a speaker at Silver Bullet instead.
    wendellgee2
    • RE: Researcher shows how to Facebook friend anyone in 24 hours

@wendellgee@... I don't know why, but as I read this line in Protalinski's article, I knew someone would have a comeback in the comment section.. lol

There's not enough information to conclude whether Protalinski is right or wrong though. I've been out of Facebook for months now... Anyway, if the mentioned codes can just be sent to the impostor then, if the impostor manages to convince the 'trusted friends' that his second account is legit, he can get the codes to take over the first account. It is then technically possible, just very unlikely.

      And, as we know, no system is 100% secure, we just work hard to make it incredibly hard for hackers to hack into it, so they will in all likelihood leave it alone and invest their time in whatever else.
      cameigons
    • RE: Researcher shows how to Facebook friend anyone in 24 hours

      @wendellgee@...

      See Update 2.
      Empro
  • RE: Researcher shows how to Facebook friend anyone in 24 hours

    First problem with this. Facebook is for FRIENDS, not CO-WORKERS. This guy would never catch me because he would not ever be friended.
    hornerea
    • RE: Researcher shows how to Facebook friend anyone in 24 hours

@hornerea you would reject your boss's or other coworkers' friend requests even if you had good relationships with them? And even if you all work in an open office space so you can't possibly avoid spending several hours with them?

Nowadays I like the idea of only friending people you really consider friends. But most people don't follow this philosophy; in fact it seems to me many people will friend each other in order to become friends, and not as an extension/continuation of an already existing relation.
      cameigons