Tuesday, July 2, 2013

Untested Logic allow hackers to hijack Facebook accounts


Well written and tested software seems to be an idealist assumption, with sites like Skype and Facebook failing to eliminate flaws in the components which ensure security and privacy on their platforms.

There have been two reported cases where Skype and Facebook had their accounts hijacked by the exploitation of logical flaws in their account set-up mechanism.

The security researchers who uncovered these flaws, smartly attempted to combine features available to set-up and reset accounts, to gain full control over their victims account. None of these attacks required coding knowledge or special skills and the attacker did not require the knowledge of secret credentials to gain access to accounts; only email ids or profile names. In both these attacks the owners of the targeted account, had no indication that the hack was underway until they were no longer able to access their account.
Very recently Facebook fixed a flaw where a victims account could be hijacked using an SMS in under a minute. The account hijack was a two step process. In the first step an arbitrary mobile phone was associated with the targets  Facebook account,  and the second step was to initiate a password-reset process using the attackers phone to choose a new password for a targeted account, thus giving him complete access.

The blog post How to hack any Facebook account in under a minute, by sending just one SMS provides a step by step description of how this attack was carried out.
Last year, a Skype account was easily exploited with the knowledge of a victims email address. The blog post Your Skype account be hijacked with just your email address provides a step by step description of how this attack was carried out.

These sites have been in operation for many years, but yet were susceptible to the introduction of new flaws or perhaps the reintroduction of old ones, as new functionality was added. The root cause of the problem is the pressure of rapid release cycles coupled with limited feature testing.
As a cybercitizen, there are limited defenses to such types of flaws. Use of one time authentication, if provided by the site enhances log in security. Another good practice is the use of two email ids, one kept secret and used only as a login credential and another for regular email. 

photo credit: Rosaura Ochoa via photopin cc

No comments:

Post a Comment