Researcher shows how to "friend" anyone on Facebook within 24 hours (arstechnica.com)
169 points by evo_9 on Nov 30, 2011 | 58 comments



There seems to be a lot of confusion, both in the article and in the comments, about the "3 trusted friends" password recovery. You have to manually select your trusted friends [1]. A fake account mimicking one of your friends will not be a "trusted friend" unless you make him or her one.

Furthermore, this is an opt-in feature.

[1] https://www.facebook.com/help/?faq=119897751441086
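To make the point above concrete, here is a toy model of a trusted-contact recovery flow, added as an illustration for this thread. It is not Facebook's code; the threshold of three codes, the three-to-five contact range, the single-use codes and all the names are assumptions. What it shows is that friending three fake accounts does nothing by itself: the flow is off until the owner opts in, only the owner can designate contacts, codes are issued only to designated contacts, and guessed or replayed codes are rejected.

```python
"""Toy trusted-contact recovery model (added example, not Facebook's code).
Rules below are assumptions made for illustration."""
from dataclasses import dataclass, field
import secrets

THRESHOLD = 3     # codes from distinct trusted contacts needed to recover (assumed)
MIN_TRUSTED = 3   # owner must pick between MIN_TRUSTED and MAX_TRUSTED contacts (assumed)
MAX_TRUSTED = 5


@dataclass
class Account:
    name: str
    friends: set = field(default_factory=set)
    trusted: set = field(default_factory=set)    # empty means the feature is not enabled
    pending: dict = field(default_factory=dict)  # outstanding code -> contact it was issued to


class Directory:
    def __init__(self):
        self.accounts = {}

    def create(self, name):
        self.accounts[name] = Account(name)
        return self.accounts[name]

    def befriend(self, a, b):
        # Friendship is symmetric, as in the thread; being a friend grants nothing else.
        self.accounts[a].friends.add(b)
        self.accounts[b].friends.add(a)

    def set_trusted(self, actor, owner, contacts):
        """Opt-in step. Only the owner may do it, and only existing friends qualify."""
        if actor != owner:
            raise PermissionError("only the account owner can choose trusted contacts")
        acct = self.accounts[owner]
        contacts = set(contacts)
        if not MIN_TRUSTED <= len(contacts) <= MAX_TRUSTED:
            raise ValueError("need %d to %d trusted contacts" % (MIN_TRUSTED, MAX_TRUSTED))
        if not contacts <= acct.friends:
            raise ValueError("trusted contacts must already be friends")
        acct.trusted = contacts

    def start_recovery(self, owner):
        """Issue one single-use code per trusted contact; returns {contact: code}."""
        acct = self.accounts[owner]
        if not acct.trusted:
            raise PermissionError("trusted-contact recovery is not enabled for this account")
        acct.pending = {}
        issued = {}
        for contact in acct.trusted:
            code = secrets.token_hex(4)
            acct.pending[code] = contact
            issued[contact] = code
        return issued

    def recover(self, owner, submitted_codes):
        """Succeed only if THRESHOLD valid codes from distinct trusted contacts are presented."""
        acct = self.accounts[owner]
        contributors = set()
        for code in submitted_codes:
            contact = acct.pending.pop(code, None)   # pop makes every code single-use
            if contact is not None and contact in acct.trusted:
                contributors.add(contact)
        ok = len(contributors) >= THRESHOLD
        if ok:
            acct.pending = {}                        # nothing left to replay after success
        return ok


def demo():
    """Constructed scenario: a victim with three real friends and three fake 'friends'."""
    d = Directory()
    d.create("victim")
    for n in ["alice", "bob", "carol", "fake1", "fake2", "fake3"]:
        d.create(n)
        d.befriend("victim", n)

    # 1. Feature not opted in: the flow cannot even be started.
    try:
        d.start_recovery("victim")
        not_enabled = False
    except PermissionError:
        not_enabled = True

    # 2. The attacker cannot designate the fake accounts as trusted contacts.
    try:
        d.set_trusted("fake1", "victim", ["fake1", "fake2", "fake3"])
        attacker_designated = True
    except PermissionError:
        attacker_designated = False

    # 3. The owner opts in with real friends; codes go only to them.
    d.set_trusted("victim", "victim", ["alice", "bob", "carol"])
    issued = d.start_recovery("victim")
    fakes_got_codes = any(f in issued for f in ["fake1", "fake2", "fake3"])

    # 4. Guessed codes fail; codes handed over by the real trusted contacts succeed;
    #    replaying those same codes afterwards fails.
    guessed_ok = d.recover("victim", ["deadbeef", "00000000", "12345678"])
    owner_ok = d.recover("victim", list(issued.values()))
    replay_ok = d.recover("victim", list(issued.values()))
    return not_enabled, attacker_designated, fakes_got_codes, guessed_ok, owner_ok, replay_ok
```

The `actor` check in `set_trusted` is the whole point of the thread's correction: the set of accounts that can vouch for a recovery is chosen by the owner ahead of time, so an attacker who merely gets friended has no path into it.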


You need to trick an account into accepting three fake friends, since those users will receive the code to change the password. Hardly seems like an obvious security flaw, more like a long, complicated piece of social engineering. Which is what all hackers do....

http://www.hackersonlineclub.com/hack-facebook-account


You need to trick an account into adding three fake friends as "trusted friends", a feature that most people do not know about or use. This is much harder than getting someone to friend three fake accounts.


I was surprised to learn that Facebook has a "3 trusted friends" method for recovering your account without the original email or security question response.

EDIT: tried to find a better source for that, came up with https://www.facebook.com/notes/facebook-security/national-cy...

Looks like the feature is still being rolled out, and the attacker doesn't get to choose which friends he trusts.


Right. Does this mean that me and two of my friends can just decide to stage a coup on any of our mutual friends' accounts?

EDIT: Yeah, apparently it does. Sweet. Time to scour /b/ for some truly horrible shit to plaster peoples' profiles with. Also highly recommended: changing their birthday to tomorrow.


Don't I have to set up these three trusted friends? All I can find in Facebook's documentation is that I would need to specify these three to five trusted friends, but I can't find anywhere to set this up.


Hm, this link has different screenshots: http://www.hackersonlineclub.com/hack-facebook-account Any 3 "friends" who put their codes in can get access to your account.



I just tried this on my brother's account. It lets me guess at his security question and then kicks me to a page that basically says that they currently don't support password recovery without knowing the answer to the security question.


Apparently it's a feature where you can't update your security question either:

We want to make sure that your account and the information in it stays safe, so once you set up a security question on your account there’s no way to update it. Sorry for the inconvenience.

https://www.facebook.com/help/?page=227159377299846


That surprised me too. When trying myself I wasn't able to reach that method. I could be "doing it wrong", it could be no longer active, or may not work with an account tied to gmail. Has anyone else been able to do it?


The first thing I did when I saw this story was check Google to see if any other news sources had picked it up. I chose the researcher's name as a highly distinctive Google search term. I didn't find any source but Ars Technica just now that reports this finding. I noticed that there are websites that appear to belong to the Brazilian researcher, but I guess the moral of this story is that those websites may all be fake [sigh].


Ars has not been a good website for some time now, at least a couple of years. They have squandered their future, but I dunno, I haven't checked but were they acquired by Gawker at some point? It would explain a lot.



Dare I say worse? ;)


I deleted my Facebook account about 3 months ago

Security was one of the big issues for me. My brother's account had been hacked, and the hackers managed to get some cash out of some of his friends.

But I digress, and this is off topic, but I don't miss FB at all. I still maintain genuine relationships outside of FB and find I have more time for proper conversations with people via Skype and email. FB to me was crack, I hated to love it. Now I love to hate it.

Does anybody out there maintain genuine relationships through FB? (Serious question) Why are we using it? Is it an addiction?


I've deleted my Facebook a number of times. I know this sounds petty, but the main reason I always signed back up was because my girlfriend at the time wanted to be in a relationship with a 'real person' not just a name on Facebook. This was two different, perfectly well adjusted women.

I think this speaks to Facebook as a status symbol not as a communication tool. Why do you upload pictures of your vacation? Because you want grandma to see them and enjoy seeing your lovely face or is it to impress all your friends with this awesome life you have. I think it is mostly the latter.


I'm a tad short of sleep, so forgive me for asking what is probably a really stupid question but I'm confused: Are you saying these two different women wanted you to flesh out some online profile via FB (as proof of a real relationship or something like that)?


On Facebook you have a section called relationship. In that section you can put a name. If that person doesn't have a Facebook profile, I assume, it doesn't hyperlink it to their profile. If that person does have a Facebook profile then it hyperlinks to their profile page.

Clearly, the relationship isn't going to depend on if I have a Facebook profile, but both women want their friends to be able to see that they have a 'real boyfriend' with real interests, pictures, etc. In effect they want to show off for their friends.


In effect they want to show off for their friends.

And perhaps also position themselves defensively with regards to other men. It seems to me that listing a name with no hyperlink is something you could do to "fake" having a boyfriend, and thus might not be a very effective deterrent to unwanted attentions from another man. An actual FB account linked in that section is much stronger proof that a woman is unavailable, so please don't bother me.

It seems to me that if you have some significant portion of your social life online, indicators of that sort can be rather important. I know that when I was still married and could publicly portray myself as a "woman who has been married with children for a very long time" I did not have to deal with certain kinds of things in online social settings. I joined one forum after it was clear to me and my spouse that we would divorce but at a time when our status was still publicly presented as "married, with children". When I was at a point where I was ready to publicly admit I was facing a divorce, I suddenly had online social situations to deal with that simply did not crop up when everyone figured I was about as off limits as a woman could get. So my personal situation had not really changed (as I was still "facing a divorce" and not really available) but there were very noticeable social consequences when how I presented my social status changed.

I'm not on Facebook. I deleted my account earlier this year and never used it that much and I think everyone I knew on Facebook was probably either female or only interested in me due to my medical diagnosis. So I never dealt with that aspect of Facebook. But I know that I do deal with the need to signal my "currently unavailable" status in other online social settings. It's simply far easier and more effective to just make it generally publicly known that I am not currently available than to try to deal individually with every potential inquiry.

So my guess would be they are not simply showing you off to their friends. It probably serves a broader purpose similar to an engagement ring or other offline relationship status signal, and that means it may also have implications for things like what types of social invitations that single women friends might extend to them (ie "I'm no longer available for girls night out, where we go out drinking/partying" or something). Whether there is a hyperlink vs just a name listed may have hard to quantify but real impact on how others interact with them.


You are correct. I actually typed something similar up, but after reading it it came across too much like, "I don't trust her."


Your last paragraph sums up my feeling toward FB nicely. There may have been the odd bit of genuine conversation. But it was mostly "Check out me/my stuff/my spouse/my party, aren't I awesome?"


Yeah, I talk to several family members, most of my high school friends (but I graduated in 1984), and a few friends exclusively through Facebook. There are a lot of people whose online existence consists entirely of FB, and I happen to know some of them.


Correction: you _deactivated_ your account. Facebook keeps your data.


No, deleted and deactivated are two different things on Facebook[1]. You may disagree with the definition, but as it is currently used on Facebook he is being accurate.

Facebook doesn't make it clear about what types of data they do and don't keep beyond saying they disassociate you from the information, but retain some for 'technical' reasons. I can't really imagine what those would be.

[1]http://www.facebook.com/help/?faq=125338004213029#What-is-th...?


> but retain some for 'technical' reasons

Probably the thing about databases getting fragmented, so they delete large swaths of data and optimize all at once, rather than piecemeal when the users delete it. It's well known that when you "delete" a photo from Facebook, if you save the direct link to it first, you can still access it (go ahead, try it). But the one time I tried it, the photo did finally disappear after about a week (although I have seen some people claim that they could access deleted content via direct links for up to 6 months).


Yeh I deleted it. Had to jump through hoops to do it. Even going so far as to block all FB related traffic, plugins etc to avoid re-activating the account. They may have kept some of my data, but there's no way for me to re-activate the account.


Kind of a stretch, an elaborate ploy all to merely "friend" someone.

Like, "Car thieves who want to steal your car can construct an exact replica of your street, house, and garage, so that you're actually parking right in the thief's carpark, security researchers reported today."


It sounds like you're equating basic social engineering to an elaborate, large-scale, nearly impossible architectural trick. Are you trying to discount the effectiveness or feasibility of social engineering? Social engineering requires far less effort than your proposed analogy. I doubt if it took this guy more than half an hour to do the "hard work," which is just duplicating a profile and cross-referencing friends from two social networks.

I agree that accidentally friending a fake account probably won't lead to many further online problems: the trusted friends example used in the article is far-fetched (and other HN comments indicate it's completely bogus), and they're not going to get your credit card info or account passwords. However, it's still a privacy concern. Anyone from an estranged ex-lover to a private investigator could get information like home address, vacation times, etc.


However, it's still a privacy concern. Anyone from an estranged ex-lover to a private investigator could get information like home address, vacation times, etc.

Only if you put information on Facebook that you're not comfortable sharing with the whole world.


I'm not sure what you mean by that statement. Are you saying that Facebook's internal security is weak, and therefore you shouldn't trust it with data that you explicitly make private? To my knowledge, Facebook's privacy concerns are more related to the tracking of users on other websites, having insensible privacy defaults, and having confusing privacy controls. I've never heard any concerns about Facebook ignoring your settings and leaking your content (that was just meant for your friends or a certain group) with the whole world.

Are you singling out Facebook, or just referring to web services in general? Would you also say that you shouldn't have data on Gmail that you're not comfortable sharing with the whole world? What about online banking? All of those things are probably vulnerable to social engineering.


I've never heard any concerns about Facebook ignoring your settings and leaking your content (that was just meant for your friends or a certain group) with the whole world.

That's the end result of "having insensible privacy defaults, and having confusing privacy controls." It happened when they changed their privacy model, and things that were private-only became public by default. But, normally, it's not that Facebook ignores your settings, but, rather, people assumed things were more private than they actually are. See people's recent reaction to the real-time updates of what your friends are doing on Facebook - many of the people I am friends with were aghast at this, because I don't think they realized all of that stuff was already public.

Basically, I think the privacy-model on Facebook is complicated, but I think it's an inherent complexity. It's not complex because Facebook is inept, it's complex because the problem of determining who in your large social network should know what is actually a complicated question. That privacy model is too complicated for people to grapple with every time they share something on Facebook, so they don't grapple with it. I don't want to grapple with it, either. Hence, I only share things on Facebook I'm comfortable sharing with the world. My Facebook page - wall, photos, info, comments - are all public. Then I have a very simple decision to make: am I okay saying this to everyone? If not, I don't say it. Hence, I don't say much on Facebook.

The internet is an inherently public place. Facebook puts a megaphone on the internet.

Would you also say that you shouldn't have data on Gmail that you're not comfortable sharing with the whole world?

In general, yes, although even I have difficulty with that one. But email is just plain text (unless you encrypt it, and very few people do) bouncing around the ether. It's out there, and you have little control over it. Banking is different, as the information is only shared between you and your bank. Not so with email, which always has at least one other party involved.


Considering Facebook has ignored the explicit privacy settings in the past exposing 'private' information, I think it's more a question of them being untrustworthy than having poor security.


> It sounds like you're equating basic social engineering to an elaborate, large-scale, nearly impossible architectural trick.

Seems about proportional to the difference between having a stolen car and having a fake friend account. I mean honestly what are you going to do with that? Find out some posts that hundreds of other people know about and would probably tell you if you called them up and asked? Stage an elaborate ruse with the fake account that will fall apart the second the target communicates with the real person on a non-Facebook channel? I mean I guess someone might have their reasons, but there's a million crazy things a stalker can do in real life too.


The risks from using social engineering to get a person to follow you are precisely equivalent to gaining unauthorized access to all the content that person has shared with his/her friends.

Depending on the victim, this may or may not pose any real concern. Some people probably share their entire profile and activity to their entire network, and probably don't post anything dangerous. However, some people are selective with their friends, and may very well share more private things (e.g. health/employment status, home address, phone number, etc.).

You're probably right that the average Facebook user wouldn't be at risk, since they probably already share with hundreds of quasi-friends and therefore don't post anything too personal or risky. The thing is, that probably applies to most Gmail accounts too, yet everyone recognizes a compromised Gmail account as a bad thing. I don't understand why you're minimizing the potential impact of having a bogus friend on your friends list.


Yet unlike building said exact replica, this could conceivably be automated and executed against an untold number of users at once.


I miss the good old days when I could only send friend requests, not receive them. I guess clicking ignore every time isn't so hard. It was better back when people simply could find the "Add Friend" button though, there wasn't any risk of them being offended.


Facebook friendships have always been symmetrical.


Votes seem to be fluctuating on this, so I'm just going to add qualifications of "possibly not when it was University-only (i.e. before my time)" or "until recently" as they've moved to subscription connections and wall propagation for unconfirmed friendships.


When could you not receive them? I remember getting friend requests when I first joined Facebook in 2005.


I would be wary of anyone calling him/herself a "web security expert" who tolerates a presence on multiple social networking sites. It speaks of a mindset not nearly paranoid enough.


A little melodramatic. My father logs into Facebook about once a month. How can you guarantee that he'll friend you within 24 hours?


You can't, really, but if he checks his email more often than once a month, he may act on the message that says "xxx has added you as a friend, please confirm."


"Privacy is a matter of social responsibility."

Privacy is a matter of not using Facebook.


No. Privacy is what you make it to be. If you don't want someone to know you like to rub lettuce over your face, don't tell anyone.

The same principle works for real life too.


What if someone wants to tell a few friends about something but doesn't want to tell all the people working at Facebook, all its clients and potentially any other Facebook user?


Then don't tell them through Facebook.

If you don't mind Facebook knowing what you said, you can send a private message.

That may not be a solution that people like, but it's what I do, and I think it's what we will all end up doing eventually.


"Then don't tell them through Facebook."

And that's the point.

If a current offering such as Facebook is "not a solution that people like", then that creates an opportunity for a solution that people _do_ like.

Will that opportunity be exploited? If not, why?


I don't think any large, online social network used by lay-people can allow the kind of privacy control that you (and many others) want. The system just becomes too complex, and information leaks. I think that we will eventually adapt to this constraint.


You said: "I don't think any large..."

If someone only wants to tell something to some of their friends, and assuming "some" is not a large number, does the network have to be "large"?

If so, why?


For lay-people to know about and be comfortable using it, yes, I think it has to be a part of a large service.

There are ways to share secrets with a small number of friends online, but even among technical people, very few people do it. I can see that it's possible to create a service around, say, PGP encrypted messages, and I can even see abstracting out the technical details of it. (That is, not forcing the users to think about keys, instead saying "Tell us who you want to be allowed to know the secret" and making and distributing public-private keys on the fly.) But I think even that level of conceptual overhead is more than lay-people are willing to deal with.


You said: "I think it has to be a part of a large _service_."

My question was about the size of the _network_.

In any event, following your line of thought, do you think it's possible to have many _small_, separate networks that were somehow part of a large service?

Regardless of your answer, does our solution have to be a "service"?

What if it is a "product" that creates small networks as overlays on a larger, existing network such as the one all your friends are connected to: the internet?

You said: "I can see that it's possible to create a service around, say, PGP..."

What if you could see that it's possible to create a service (or product, or both) around, say, a scheme that involved only a single shared password and a single shared encryption key? That is, each friend has to remember only two strings for each network to which she belongs, sort of like, say, a username and password.

What if you could see that such a scheme might not require logging on and logging out as frequently as a web-based service such as Facebook?

Would that change your thoughts at all?

You said, when referring to a PKI scheme like PGP: "But I think that [the] level of conceptual overhead is more than lay-people are willing to deal with."

I once thought the same thing about Amazon's S3 service. When I saw the Dropbox product, my thoughts changed.


Without reaching Facebook-caliber critical mass, what would such a service offer people to join? Just in case you wanted to tell them something? I mean, if you just want a small system for telling your friends things, use a mailing list.


Why is there a need for a new technological solution to this? If I want to tell a few people something secret, I'll send them an email, or, you know, talk to them. I don't see where the problem/opportunity is.

There may be one situation in which technology helps, which is when you want to discuss a secret while remaining anonymous. For that, we have 4chan, reddit, forums, IRC, etc.


ramchip, you are correct.

With respect to "telling something to some of your friends", and attempting to do so "privately", there are certainly ways to do this without using Facebook.

However, that was only a specific example I chose, in line with veb's example of telling people you rub lettuce on your face, to use to illustrate to scott a point about whether only large networks could be useful in order to stay in touch with a small number of people, i.e., your friends. In theory, I could use any online activity or any service/protocol as an example to illustrate what the "solution" (a small private network) aims to achieve.

Talking (VOIP e.g. SIP), smtp (email), IRC and http (web forums), to use your examples, are examples of services/protocols that can be run over a network. Of course it is not an exhaustive list.

You could run them over the open internet, i.e. a very large, public network (of networks).

You could also run them over a small private network to which only a selection of people belong, e.g., your friends.

In theory, anything you could do with your friends on Facebook you could also do with your friends on your own small private network.

Multiplayer games is something for which this idea of "being on the same network", all at the same time, is well-suited. This is not a new concept. It is a very old one. Consequently, it's time-tested.

But playing games is only one example of what you can do.

The internet supports many services.

Theoretically, so too can your smaller network.

An obvious difference between doing things on the open internet (Facebook) and doing them on your own network is: _privacy_.

You do not have to invite advertisers and countless others to your private network if you do not want to. Might this be important to some people? That is an open question.

_Privacy_, of the kind discussed in the Facebook context, is the goal which the "solution" we are discussing aims to address.

Not simply "private messaging" but privacy in everything you do with your friends online.

Rest assured, even if such a solution did exist and could be shown to work (NAT and whatever other issues you might predict have been solved), all the Facebook-type user interface doo-dahs are noticeably absent.

As such, it is a non-starter for any friend who cannot use a command line, unless some very good user interface developers got behind it.


If it's always the same small group of people, create a gmail/hotmail account and give them all the username and password. Leave messages for each other in the Drafts (no need to send emails). Yes, I do know the downsides. Or, find a FB messaging or forum app and get your friends to install it.


Email is store and forward, not real-time.

And all the mainstream messaging services to date have been centralised, at least in the sense that they involve interacting with a third party server.

When each friend can be both a client and/or a server, no third party servers are necessary. In theory (and practice), this is something you can achieve on a small network consisting only of your friends.

What if all your friends want to be online at the same time?

What if they want to share photos and video while online at the same time?

What if they want to play games with each other while online at the same time?

You can currently do these things with the mainstream web-based services like Facebook. But they are recording everything you say and do _and_ selling that information for profit. You don't receive any portion of that profit.

Is everyone OK with this?

It's an open question, I guess.


I need more enemies! I want to try this out!



