At this year's edition of the Hack In The Box conference in Kuala Lumpur, Ruhr University Bochum researcher Ashar Javed demonstrated the possibilities offered by Facebook's "Lost my password" / trusted friends feature. His rather extensive presentation also contained a section on several attack vectors related to social networks that should be impossible to use by now.
He created a fake account (the victim) on a number of different social networks and tried to get customer support representatives to give the attacker (in this case him) full access to the victim's account. He attempted this by sending them an e-mail from a totally different email address than the one with which he registered the account in the first place.
The attacker's initial mail contained the following text: "My email was hacked and my password changed. Is there a way to recover the account?"
Customer support reps for Academia.net (approximately 4.3 million users) replied with: "Which email would you like us to add to your account? Once you send the email you would like, I can edit this information for you. Then we can work on a new password."
After he sent his email address, the rep responded by saying that they have changed the email on the account, and urged him to request a password link.
A Delicious (social bookmarking web service) customer support rep responded to the same initial request with: "Not a problem! We have switched your account's e-mail address to *attacker's e-mail* and sent you a reset link there instead."
A customer support rep of GetGlue - a TV fans network, acquired by competitor Viggle in November 2012 for $25 million in cash and $48.3 million shares of Viggle stock - simply replied that they have temporarily set the account password to temp, and urged him to login with it.
Meetup.com (approximately 11 million users) customer support responded by saying that they had blocked the account associated with the email address the attacker referenced, and asked him to create a new Meetup account.
He also sent a couple of similar emails to German social networking sites. One of them (Lokalisten.de) responded by requesting his username, e-mail address, city and date of birth. He sent back just the first three pieces of information, skipping the date of birth, but even without that important piece of information, they moved on and changed the e-mail address as requested.
From all this it is obvious that both social networking sites and users can spend a lot of money and effort on security, but with customer support as "helpful" as in these cases, all of those protections are bypassed.
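As an added illustration, not taken from the presentation or from any of the sites named above, here is a minimal support-desk policy check in Python that refuses the shortcuts the reps above took: a request arriving from an address other than the registered one never results in an e-mail change or a temporary password, and a partial identity answer (the date of birth skipped, as in the Lokalisten case) is not accepted as proof. The Account and RecoveryRequest types and the four proof fields are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    SEND_RESET_LINK = "send a reset link to the registered address only"
    CONFIRM_AT_REGISTERED_EMAIL = "ask the registered mailbox to confirm before anything changes"
    ESCALATE_OUT_OF_BAND = "complete proof supplied; hand over to an out-of-band identity check"


@dataclass(frozen=True)
class Account:          # assumed shape of a stored account (constructed for the example)
    username: str
    email: str
    city: str
    date_of_birth: str


@dataclass
class RecoveryRequest:  # assumed shape of an inbound support ticket
    sender_email: str                              # address the ticket arrived from
    proof: dict = field(default_factory=dict)     # identity fields the requester supplied


# Every field must be supplied and match; a partial answer is not proof.
REQUIRED_PROOF = ("username", "email", "city", "date_of_birth")


def _norm(value):
    return value.strip().lower() if isinstance(value, str) else value


def evaluate(account: Account, req: RecoveryRequest) -> tuple[Decision, list[str]]:
    """Decide what support may do with a recovery ticket.

    No branch changes the contact e-mail or sets a password directly: unless the
    sender already controls the registered mailbox, the only reply goes to that
    mailbox, and only a complete, matching identity proof reaches a human escalation.
    Returns the decision and the list of proof fields that were missing or wrong.
    """
    if _norm(req.sender_email) == _norm(account.email):
        return Decision.SEND_RESET_LINK, []
    missing = [f for f in REQUIRED_PROOF
               if _norm(req.proof.get(f)) != _norm(getattr(account, f))]
    if missing:
        return Decision.CONFIRM_AT_REGISTERED_EMAIL, missing
    return Decision.ESCALATE_OUT_OF_BAND, []
```

The three tickets from the article (a bare "my email was hacked" mail, the three-of-four answer, and a genuine owner writing from the registered address) map to the three decisions, and none of them lets a rep swap the e-mail or hand out a password in the first reply.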
Author: Berislav Kucan, Help Net Security.