At the recent Silver Bullet security conference, Nelson Novaes Neto, chief security officer of UOLDiveo showed off a little method he’d come up with that let him take advantage of both the Facebook structure and the prevalent Facebook culture. Using this method, he managed to convince a web security expert called “SecGirl” to accept a friend request from him. In fact, he says he can get anyone to accept a friend request from him. In 24 hours. How can he do that when it has to be accepted by the target? Well, a little deception goes a long, long way.
First, Neto identified SecGirl’s manager and created a clone of that account: same name, similar picture, etc. Next, he sent friend requests to the friends of SecGirl’s manager’s friends (you might want to read that twice, carefully), four degrees out from SecGirl. He sent out a whopping 432 requests and got 24 confirmations within the hour, even though 96% of those 432 people already had SecGirl’s legitimate account as a friend.
Next, Neto sent requests to all 436 of the manager’s direct friends, three degrees out from SecGirl. In an hour, he managed 14 confirmations. After only seven hours, he got SecGirl herself to accept a friend request from his fraudulent account, having conned enough people into vouching for him.
Big deal, right? Who cares. Everybody is extremely friend-happy anyway, right? Clearly they must be. Well, the danger is that even if you keep your account locked down from the outside, friends you don’t actually know (even if you think you do) can pull useful information from your page. Useful for what purpose? Oh, I don’t know, stealing your account.
“How?” you ask. There’s this thing Facebook offers called the 3 Trusted Friends Password Recovery Feature. I won’t go into the specifics here, but it basically allows anyone to reset both the password and the email of someone else’s account if used right (read: wrong) in a certain manner. All you need to do to make it work is — wait for it — get the target to accept friend requests from 3 accounts under your control. It’s all coming together now, isn’t it?
Of course, this all comes back to one central problem with social networking: people who want to have ALL the friends. What makes the attack possible is slap-happy friending by people who don’t realize what’s going on. It only takes a few of them to lend a cloned account enough clout to slip past increasingly discerning users. After enough friending, the only way a target could pick up on the attack is by going down their friends list, having their friends list memorized, or by doing some sort of secret cyber handshake before accepting the request.
Normally, I’d close this out by telling you to be careful or something, which I guess I still will. Be careful. But more importantly, try to convince your friending-happy friends to be more careful as well, because everyone you associate with on Facebook can be used as a weapon against you. I guess the ultimate advice here is to try not to be friends with idiots, and to pay attention to who you’re actually friending if you’re going to be active at all. Now if you’ll excuse me, I have a friends list to purge.
(via Ars Technica)