DeepSec 2013 Talk: Trusted Friend Attack – Guardian Angels Strike
Have you ever forgotten a password? It’s a safe bet to assume a yes. Sometimes we forget things. When it comes to logins there is usually a procedure to restore access and change the forgotten password to a known new one. This Forgot Your Password functionality is built into many applications. The mechanism is to rely on other ways to restore trust. There is a risk that unauthorised persons gain access to an account by exploiting the process. Ashar Javed has explored the password recovery function of 50 popular social networking sites. In his talk at DeepSec 2013 he will present the findings of his survey.
The attack vector is called Trusted Friend Attack, because once you forgot your credentials you have to rely on trusted friends to recover them. Apart from automatic systems such as using a (second) e-mail account for sending verification codes or two-factor authentication there is often a support team for this case. This means you can talk to real people, and this in turn brings social engineering into play. Getting support without knowing a customer identification or serial number of software/hardware is a very similar scenario. If it works there, then it will probably work for lost passwords.
Facebook is a prominent site featured in the presentation. Taking over someone’s Facebook presence is a crucial step for boosting credibility (in order to perform a multi-staged social engineering attack). Plus you can gain access to contacts and messages. Eleven (!) Facebook accounts were compromised during the course of the study. The threat is real. In addition the attack can be stacked by using a trust chain of accounts (hence Chain Trusted Friend Attack). Once you get a foothold inside a structure, just keep going and expand your control. Apparently it works well as you will see in Ashar’s talk.
How can you avoid being compromised by guardian angels? Well, technology by itself won’t safe you. First you have to be aware of what can go wrong and which flaws attackers can abuse, then you can address these vulnerabilities. Armed with the knowledge of this talk you will be able to derive guidelines and strategies to protect your outsourced accounts. You will get specific advices based on the results of the survey. Make sure you don’t miss it! Social networking sites are a part of our infrastructure, for good or for worse.