Two researchers from UC Berkeley found a potential security vulnerability in Facebook’s new account recovery feature, “trusted contacts.” An attack model they developed called “forest fire attacks” might pose a big threat to Facebook security.
Facebook introduced “trusted contacts” for account verification last May. This new backup authentication feature allows you to select three to five friends as your trustees. In cases when you forget your password or your account is hacked, each of these trustees will be able to get a security code for you. With three security codes, you can recover your account.
In a paper titled “On the Security of Trustee-based Social Authentications,” UC Berkeley Computer Science PhD candidates Neil Zhenqiang Gong and Di Wang proposed a new type of attack called “forest fire attacks” based on the fact that “users’ security are correlated” in this new feature.
In a forest fire attack, the attacker first uses traditional methods such as phishing and guessing to compromise some users (these are called seed users), and then the attacker propagates the attacks to other users by exploiting the “trusted contacts” feature.
Let’s use an example: Alice sets five of her Facebook friends as trustees. If three of them are already compromised, the attacker can send an account recovery request to Facebook in the name of Alice and get the security codes from the compromised trustees.
Even if fewer than three of Alice’s trustees are compromised, the attacker can still obtain security codes from her uncompromised trustees by impersonating Alice. For example, the attacker can create a Gmail account with Alice’s name in it and send phishing messages to her trustees.
Gong and Wang also developed a model to quantify the threat of forest fire attacks. After testing the attack model with multiple social network datasets, they found out that “with a small number of seed users (e.g., 1,000), an attacker can further compromise two to three orders of magnitude more users in some scenarios with low (or even no) costs of sending spoofing messages,” according to their paper.
Based on the research, they came up with two suggestions to make the “trusted contacts” feature more secure.
“Try not to choose those friends who are extremely social to be your trustees,” said PhD candidate Gong, in an interview with VentureBeat. “Those popular people are usually more likely to be chosen as trustees and therefore more likely to be targeted by attackers.”
On the company’s side, “Facebook can make sure that no user will be chosen to be a trustee by too many other users,” Gong said. “This defense strategy can effectively defend against forest fire attacks.”
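To make the propagation and the proposed cap concrete, here is an added simulation on a small constructed trustee graph; it is not code from the paper or from Facebook. It models only the threshold case (three compromised trustees are enough to recover an account) and ignores the spoofing of uncompromised trustees, so it is a lower bound on spread; the user names, graph and cap value are invented.

```python
from collections import Counter

CODES_NEEDED = 3  # Facebook: three trustee codes recover an account

# Constructed trustee graph (not real data): user -> the friends she picked as trustees.
# "hub" is a very social user chosen by many others, the pattern the paper warns against.
TRUSTEES = {
    "hub":  ["seed1", "seed2", "seed3"],
    "u1":   ["hub", "seed1", "seed2"],
    "u2":   ["hub", "seed1", "seed3"],
    "u3":   ["hub", "seed2", "seed3"],
    "u4":   ["hub", "seed1", "vic"],
    "u5":   ["hub", "seed2", "vic"],
    "vic":  ["u1", "u2", "u3"],
    "safe": ["vic", "u4", "seed1"],
}

def forest_fire(trustees, seeds, codes_needed=CODES_NEEDED):
    """Propagate compromise from the seed users: a user falls once at least
    `codes_needed` of her trustees are compromised, because a recovery request
    in her name then yields enough codes. Threshold case only, no spoofing."""
    compromised = set(seeds)
    changed = True
    while changed:  # iterate to a fixed point; each round is one hop of the fire
        changed = False
        for user, picks in trustees.items():
            if user not in compromised and sum(p in compromised for p in picks) >= codes_needed:
                compromised.add(user)
                changed = True
    return compromised

def cap_trustee_popularity(trustees, max_chosen):
    """Defense suggested in the paper: nobody serves as trustee for more than
    `max_chosen` others. Picks beyond the cap are rejected here (a real deployment
    would ask the user to choose a different friend); users are processed in sorted order."""
    chosen_by = Counter()
    capped = {}
    for user in sorted(trustees):
        kept = []
        for pick in trustees[user]:
            if chosen_by[pick] < max_chosen:
                chosen_by[pick] += 1
                kept.append(pick)
        capped[user] = kept
    return capped

def spread_beyond_seeds(trustees, seeds, codes_needed=CODES_NEEDED):
    """Number of users compromised purely through the trustee feature."""
    return len(forest_fire(trustees, seeds, codes_needed) - set(seeds))

if __name__ == "__main__":
    seeds = {"seed1", "seed2", "seed3"}
    print("without cap:", spread_beyond_seeds(TRUSTEES, seeds))                             # 8
    print("cap of 3:   ", spread_beyond_seeds(cap_trustee_popularity(TRUSTEES, 3), seeds))  # 3
```

With three seeds and no cap every user in the constructed graph is eventually reachable; capping each trustee at three choosers cuts the spread from 8 to 3 in this graph.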
However, such forest fire attacks might be more challenging than described.
“We don’t generate a code at all for accounts that our systems have flagged to be suspicious,” said Facebook spokesperson Jay Nancarrow in an email response to VentureBeat. “If we do generate a code, we can lock the account for 24 hours and allow the original account owner to disavow any suspicious login attempts. This dramatically reduces the speed at which the described method could be carried out, if at all.”
The paper is to appear in the academic journal IEEE Transactions on Information Forensics and Security (TIFS).