
ONLINE REGISTRATION CLOSES OCT 13TH AT 23:59 MYT


Walk-in registrations at The InterContinental for the conference on the 16th and 17th are still accepted (walk-in rate MYR1499).

For up-to-the-minute updates on #HITB2013KUL including on-site happenings during the event, please follow @hitbsecconf on Twitter.

Ashar Javed (Research Assistant, Ruhr University Bochum)

PRESENTATION TITLE: Trusted Friend Attack: When Guardian Angels Strike

PRESENTATION ABSTRACT:

In this paper, we survey the “forgot your password” functionality of fifty popular social networks and investigate the security of their password recovery mechanisms. We were able to compromise accounts on six social networks and block an account on one big social network, due to weaknesses in the password recovery feature and help from their untrained and naive support teams during the account recovery process.

In addition, we present a novel, practical and high-severity attack on the password recovery feature of Facebook, which we call the Trusted Friend Attack (TFA). The term TFA was coined during our discussions with the Facebook Security Team. Trusted friends are also known as Guardian Angels. If a user wants to log in to a web service without remembering his password, usually an email containing a new password (or a password reset link) is sent to the user, enabling him to choose a new password for his account. A problem occurs when this user has lost, along with his password, access to the email account provided during registration. For that case, Facebook introduced a new feature called Trusted Friends, which allows account recovery based on the trust a user has in his friends.

The TFA exploits the victim’s trust in his friend or friends (3 in total) to compromise his/her account, so it is very beneficial for the attacker to be on the victim’s friend list as a starting point (though the attack is possible, with low probability, even if the attacker is not on the victim’s friend list). There are two variants of the Trusted Friend(s) Attack: one involves only one attacker, while the other requires three attackers. To show the applicability of our attack, we tested 250 Facebook accounts. We show how TFA can lead to a complete compromise of a user’s Facebook account. This paper also describes the Chain Trusted Friend Attack (CTFA). In CTFA, the attacker makes a chain of hacked accounts in order to compromise more accounts.

This paper further demonstrates a highly practical Denial of Service (i.e., DoS of the trusted friends feature) due to a weakness in Facebook’s password recovery procedure. Both attacks, i.e., TFA and DoS, can easily be launched against any Facebook user with knowledge of his username only, which is public information. We have responsibly reported all attacks to the respective security teams and they have acknowledged our work. In the end, we give some guidelines for social network users.

ABOUT ASHAR JAVED

Ashar Javed is a research assistant at Ruhr University Bochum, working towards his PhD. He has been listed nine times in the Google Security Hall of Fame, as well as on the Twitter/Microsoft/eBay/Adobe/Etsy/AT&T security pages and Facebook White Hat.

Copyright © 2013 Hack In The Box | http://www.hackinthebox.org