(Translated from the original Italian)
A few days ago I wrote about the dangers related to carelessness on social networks, those powerful platforms and privileged communication tools, and the subject of increasing interest for cybercrime.
Many possibilities for attacks exist across these platforms, from social engineering to cyber espionage, as well as the spreading of all types of malware. The endless audiences of users, all too often unaware of the threat, represent the ideal target for criminals.
A very interesting news item appeared on the internet recently: A University of London research student named Shah Mahmood and the Chair of Information Communication Technology, Yvo Desmedt, during a conference at the IEEE's International Workshop on Security and Social Networking SESOC 2012 in Lugano, Switzerland, presented on a new critical vulnerability on the Facebook platform, a zero day privacy loophole that they have named the "Deactivated Friend Attack".
The two researchers described the attacks:
“Our deactivated friend attack occurs when an attacker adds their victim on Facebook and then deactivates her own account. As deactivation is temporary in Facebook, the attacker can reactivate her account as she pleases and repeat the process of activating and deactivating for unlimited number of times. While a friend is deactivated on Facebook, she becomes invisible. She could not be unfriended (removed from friend’s list) or added to any specific list.”
One of the aspects that makes this vulnerability so insidious is that the popular social network lacks a mechanism for notifying a user of the activation / deactivation of the account. The process of alternating activation and deactivation is defined by two experts as "cloaking".
Furthermore, the process of activation and deactivation may be repeated at will without being subject to any controls because deactivation is merely temporary in Facebook. This behavior then allows an attacker to reactivate an account for only the time necessary to carry out a survey of the information posted by a target for data mining.
In my opinion, the real problem is the distracted behavior of users on social networks, who too preoccupied to notice the increase on the counter of their relationships and do not carefully assess the real identity of those seeking friendship.
Once obtaining the friendship status, it is possible to spy on every targeted account as desired by simply activating the account at a time when the target is not present on the social platform in order to avoid being spotted and arousing suspicion.
As the attacker has to uncloak to spy, there is a probability of being detected and unfriended or put under restricted privacy policies. This probability is dependent on several factors and suspicious events are:
- the victim checks their own friendlist
- the user is online when the attacker is de-cloaked
- the victim checks their proﬁle page
- the victim checks their friends preview (Facebook shows thumbnails and names of 10 friends on the left side of user’s proﬁle page)
- the attacker being available on the friends preview
- the victim getting suspicious about the attacker after ﬁnding them on the friendlist and then attempting to restrict or unfriend them
- the victim will be able to apply the restriction before the attacker deactivates considering the time they both have
The expert alerted:
"Various groups of information aggregators including marketers, background checking agencies, governments, hackers, spammers, stalkers and criminals would find this attractive as a permanent back door to the private information of a Facebook user.”
The attack is very serious for several reasons:
- it is very hard to detect
- if the user desires to adjust their privacy settings, they will not be able to apply any updates unless they are applied to all friends, or to lists of which the attacker is a member. If the attacker is temporarily de-activated, it is not possible.
- the attacker simply monitors a few users on the social network to get a deeper insight into a larger network
During the presentation the two experts conducted a live demo to confirm the problem, showing that the one way to avoid the attack is to notify the user of the continuous change of status of their friends.
Of course, the situation must be addressed by the manager of the Facebook platform who could also monitor the "cloaking" behaviour of an account then blocking it or disabling the re-activation features.
Beware that social media platfortms are becoming a paradise for cybercriminals.
Cross-posted from Security Affairs