:::Innovative Security Insights:::

Adding that FB “friend” may compromise your account!

Note: the information in this article is dated 15/04/2011.

Sorry for the late upload, I wasn’t able to make time to sit down and get this done :). The images included are used to illustrate an idea and no harm is intended.

Adding someone you don’t know on Facebook may not only expose your private information, it may also lead to the compromise of your account. Facebook recently added a new feature that lets users recover their account if they have lost their password credentials.

This process relies mainly on knowledge of your account and on a trust-based security model, where Facebook requires your ‘friends’ to vouch for your authenticity. The process is fairly simple: Facebook lets you choose 3 trusted friends, and sends each of them a ‘secret’ number. By entering these codes, the user completes the password recovery process.

This is where the main problem lies. If a Facebook user adds at least 3 different and very beautiful young ‘lady friends’ who happen to be accounts owned by a single malicious user, his account can be compromised through the new password recovery feature.
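To make the trust model concrete, here is a small Python model of the recovery flow described above and of the sock-puppet scenario. It is an added example, not code from the original post or from Facebook: the contact names, the six-digit code format and the optional second-factor check are assumptions made for illustration. It shows that once the three codes are delivered to contacts the attacker controls, the recovery succeeds unless an additional factor the attacker does not hold is also required.

```python
"""Model of a 'trusted contacts' password-recovery flow (constructed example).

The structure (three trusted contacts, one code each, all three required)
follows the article's description. Everything else is an assumption.
"""
import hmac
import secrets


class Account:
    def __init__(self, owner, trusted_contacts, second_factor=None):
        self.owner = owner
        self.trusted_contacts = list(trusted_contacts)   # assumed: 3 usernames
        # Assumed second factor, modelled as a shared secret the real owner
        # holds (a TOTP seed or similar in practice). None means not enrolled.
        self.second_factor = second_factor
        self.pending = {}   # contact -> code issued for the in-flight recovery


def start_recovery(account):
    """Issue one random code per trusted contact; the requester sees nothing."""
    account.pending = {
        c: f"{secrets.randbelow(10**6):06d}" for c in account.trusted_contacts
    }


def finish_recovery(account, submitted, second_factor_proof=None, threshold=3):
    """Return True if `threshold` codes match codes sent to distinct contacts
    and, where a second factor is enrolled, the proof for it also matches."""
    matched = sum(
        1 for c, code in submitted.items()
        if c in account.pending and hmac.compare_digest(account.pending[c], code)
    )
    if matched < threshold:
        return False
    if account.second_factor is not None and not hmac.compare_digest(
        str(account.second_factor), str(second_factor_proof)
    ):
        return False
    account.pending = {}   # codes are single-use
    return True


def attacker_view(account, controlled):
    """The codes an attacker learns are exactly those delivered to contacts
    whose accounts the attacker controls."""
    return {c: code for c, code in account.pending.items() if c in controlled}


def scenario(controlled, second_factor=None, proof=None):
    """Run one recovery attempt where `controlled` is the set of the victim's
    trusted contacts that the attacker owns. Returns True if recovery succeeds."""
    acct = Account("victim", ["alice", "bob", "carol"], second_factor)
    start_recovery(acct)
    return finish_recovery(acct, attacker_view(acct, controlled), proof)


if __name__ == "__main__":
    print("two puppets, no 2FA:  ", scenario({"alice", "bob"}))
    print("three puppets, no 2FA:", scenario({"alice", "bob", "carol"}))
    print("three puppets, 2FA:   ", scenario({"alice", "bob", "carol"}, "123456"))
    print("owner with 2FA proof: ", scenario({"alice", "bob", "carol"}, "123456", "123456"))
```

The point of the model is the third line of output: the three codes alone are sufficient, so the strength of the recovery path is exactly the strength of your friend list, and an independent second factor is what restores a check the attacker cannot satisfy by adding accounts.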

Will users really add someone they don’t know?

I’d like to think that the answer to this is a ‘yes’. However, I have been proven wrong on several accounts. A while ago, a few friends of mine created a Facebook user with the name “Ah Long” (a common nickname for a loan shark/illegal money lender, and clearly male) and a gender of female (really… could it be any more obvious?).

They went around adding people from a single institute on the social network. The results were shocking: within a few days, 500-1000 users from the school had accepted our friend requests. I was appalled to learn that some of the victims were my personal friends.

In addition, mutual friends mean that once several accounts in a network are compromised, the attacker has it easy.

Isn’t there already an additional layer of security in place?

A few months back, I completed this process for a friend whose account had been compromised. Yes, indeed, Facebook has added an additional check that requires users to upload a copy of their identity card. Facebook also mentions that confidential information should be blanked out (i.e. SSNs, NRICs, etc.), which gives me the impression they don’t check for photoshopped IDs.

In my opinion, it would be fairly easy to create a picture identification based on the user’s 500+ photos. If physical counterfeit IDs can be made, virtual ones should be a walk in the park.

How can we protect against this?

  1. Be wary of people adding you (or vice versa). Always double-check, and do regular housekeeping on your friend list (especially accounts that may have been compromised).
  2. Enable Facebook’s 2-factor authentication feature.
  3. Set and regularly review your privacy settings (privacy policies change quite frequently and may result in leakage of data).
