At the Silver Bullet security conference in São Paulo, Brazil, UOLDiveo chief security officer Nelson Neto demonstrated how to Facebook friend anyone with a little social engineering. In fact, the whole feat took him less than 24 hours, as first reported by Ars Technica.
First, Neto picked a target: a Web security expert he called SecGirl. Then, he used information gathered from Facebook, LinkedIn, and Amazon to build a fake profile of her manager in order to gain her trust on the world's largest social network.
The Brazilian security researcher started by creating a fake Facebook account that replicated the identity of the target's manager (clearly against the social network's policies). He then sent 432 Facebook friend requests to friends of friends of the manager, 436 friend requests to the manager's friends, and then 580 friend requests to the friends.
In the first hour, 24 requests had been accepted from the first group, even though 23 of those people already had the manager's legitimate account in their Facebook friends list. In the second hour, he received acceptances from 14 people in the second group, all of whom were already friends with the manager's legitimate account.
Seven-and-a-half hours into the experiment, he had 35 accepted friend requests from the third group, and SecGirl had agreed to be his Facebook friend as well. By that time, the profile had accumulated enough friends and friends of friends that it appeared legitimate: a total of 73. Even if SecGirl noticed she was already Facebook friends with her manager, she probably thought her manager was simply making a new account.
Last month, Facebook announced a new Trusted Friends feature, which lets you select three to five trusted friends who can help you if you ever have issues accessing your account. When you start recovery, Facebook sends codes to the friends you have selected. If you are ever locked out of your account (you forget your password and can't get into your e-mail account), your friends can pass these codes on to you so that you can log back in. In other words, this recovery path runs through people rather than through your e-mail address, so it is only as strong as the friends you pick.
Neto claims he can use Trusted Friends to take over a legitimate Facebook account. He argued that an attacker who has befriended the target could use this feature along with the password recovery tool to change both the password and the contact e-mail address for the account. From there, the attacker could use the compromised account to launch further social engineering attacks on its friends, and so on to more accounts.
From my understanding, this would not work because it is not enough to be friends with the target; the target has to pick you as one of their trusted friends as well. I have contacted Facebook to verify whether this is the case and to get more information. I will update this story if I hear back.
In the meantime, you can see Neto's presentation over on SlideShare.
Update: "The methods used in this research violate Facebook's policies," a Facebook spokesperson said in a statement. "It's against our policies to use a fake name or to impersonate anyone, and we encourage people to report those that they think are doing this through report links located throughout the site. When a person reports an account for this reason, we run an automated system against the reported account. If the system determines that the account is suspicious, we show a notice to the account owner the next time he or she logs in warning the person that impersonating someone is a violation of Facebook's policies and may even be a violation of local law. This notice also asks the person to confirm his or her identity as the true account owner within a specified period of time through one of several methods, including registering and confirming a mobile phone number. If the person can't do this or doesn't respond, the account is automatically disabled. We urge people not to add or accept friend requests from people they don't know."
As for the Trusted Friends aspect, Facebook says it is still looking into the claims.
Update 2: "You are correct that users must pre-select Trusted Friends from their account settings," a Facebook spokesperson told me. "Additionally, we have safeguards in place around our Trusted Friend system so a recently friended person would have the lowest likelihood of being chosen as one of the 3 friends used in the password recovery steps."
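To make the two conditions in Facebook's reply concrete (trusted friends must be pre-selected by the owner from account settings, and the most recently added friend is the least likely to be among the three chosen), here is a toy Python model of a Trusted Friends style recovery flow. This is an added example written for this page, not Facebook's code and not part of Neto's presentation. The friendship-age ordering, the three-code threshold, the code format and every name and friendship age are assumptions for illustration. The last scenario goes beyond the article: it shows what Neto's chained attack would actually require under these assumptions, namely control of three already-trusted accounts rather than one freshly accepted friend request.

```python
"""Toy model of a Trusted Friends style account recovery flow.

Added example, not Facebook's code. Assumptions, taken from the article
and marked here: (1) the owner pre-selects three to five trusted friends
in account settings, (2) a recovery attempt sends one-time codes only to
three of those pre-selected friends, preferring the longest-standing
friendships, and (3) all three codes must be presented to reset the
password. All names and friendship ages below are constructed.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    owner: str
    friends: dict = field(default_factory=dict)        # name -> days since friended
    trusted: list = field(default_factory=list)        # pre-selected by the owner
    pending_codes: dict = field(default_factory=dict)  # name -> one-time code


def add_friend(acct, name, days_ago=0):
    """Accepting a friend request: this is all the fake profile achieved."""
    acct.friends[name] = days_ago


def set_trusted(acct, names):
    """Only the owner does this, from account settings, and only friends qualify."""
    if not 3 <= len(names) <= 5:
        raise ValueError("pick three to five trusted friends")
    unknown = [n for n in names if n not in acct.friends]
    if unknown:
        raise ValueError(f"not friends with: {unknown}")
    acct.trusted = list(names)


def start_recovery(acct):
    """Choose three trusted friends, oldest friendships first (assumed
    safeguard), and issue each one a fresh code. Returns the chosen names."""
    chosen = sorted(acct.trusted, key=lambda n: -acct.friends[n])[:3]
    acct.pending_codes = {n: secrets.token_hex(4) for n in chosen}
    return chosen


def finish_recovery(acct, codes):
    """The reset succeeds only with a valid code from every chosen friend."""
    if not acct.pending_codes or set(codes) != set(acct.pending_codes):
        return False
    ok = all(secrets.compare_digest(acct.pending_codes[n], codes[n]) for n in codes)
    acct.pending_codes = {}  # codes are single use
    return ok


def attacker_can_recover(acct, controlled):
    """Simulate an attacker who controls the given set of accounts (one fake
    profile, or several already-compromised friends) and therefore sees only
    the codes addressed to those accounts."""
    start_recovery(acct)
    codes = {n: c for n, c in acct.pending_codes.items() if n in controlled}
    return finish_recovery(acct, codes)


def build_secgirl():
    """Constructed sample: four long-standing friends marked trusted, and the
    fake manager profile friended today."""
    acct = Account("SecGirl")
    for name, age in [("alice", 1200), ("bob", 900), ("carol", 800), ("dave", 400)]:
        add_friend(acct, name, age)
    add_friend(acct, "fake_manager", 0)
    set_trusted(acct, ["alice", "bob", "carol", "dave"])
    return acct


if __name__ == "__main__":
    acct = build_secgirl()
    # Merely being friends yields no code at all.
    print(attacker_can_recover(acct, {"fake_manager"}))          # False
    # Even if the owner mistakenly adds the fake profile as trusted,
    # it is the newest friendship and is not among the three chosen.
    set_trusted(acct, ["alice", "bob", "carol", "dave", "fake_manager"])
    print(attacker_can_recover(acct, {"fake_manager"}))          # False
    # The chained attack only works once three trusted accounts are owned.
    print(attacker_can_recover(acct, {"alice", "bob", "carol"}))  # True
```

The point of the model is the boundary it draws: accepting a friend request changes `friends`, but recovery reads only `trusted`, which the attacker never touches. Under the assumed recency safeguard, even a mistaken trusted-friend selection leaves the fresh profile out of the three chosen; the attack in the article's chained form works only if the attacker already owns three of the target's trusted friends, which is a different and much larger prior compromise than one fake profile.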