DeepSec 2013 Video: Trusted Friend Attack – (When) Guardian Angels Strike

René Pfeiffer/ February 6, 2014/ Conference, Internet, Security, Stories

We live in a culture where everybody can have thousands of friends. Social media can catapult your online presence into celebrity status. While your circle of true friends may be smaller than your browser might suggest, there is one thing that plays a crucial role when it comes to social interaction: trust. Did you ever forget the password to your second favourite social media site? If so, how did you recover or reset it? Did it work, and were you really the one who triggered the „lost password“ process?

In a world where few online contacts can meet each other it is difficult for a social media site to verify that the person requesting a new password is really the individual who holds the account. Facebook has introduced Trusted Friends to facilitate the identity check. You select three to five selected contacts and give them the virtual keys to your online kingdom. In case of emergency or forgetfulness these friends can supply codes to recover control over your account. So could this be exploited and used against the account holder? Yes, it can! At DeepSec 2013 Ashar Javed (Chair of Network & Data Security, Ruhr University Bochum, Germany) explained the concept of the Trusted Friend Attack.

Ashar’s team was able to compromise accounts on six social networks, block account on one big social network due to the weaknesses in the password recovery feature and help from their untrained and naive support teams during the account recovery process. Have a look!

Share this Post

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.