A few days ago I wrote about the dangers of careless use of social networks, powerful platforms and privileged communication tools that are attracting growing interest from cybercrime.
These platforms offer many possibilities for attack, from social engineering to cyber espionage, not forgetting the spread of all types of malware.
Endless audiences of users, all too often unaware of the threat, represent the ideal target for criminals.
Very interesting news appeared on the internet yesterday: University College London research student Shah Mahmood and Chair of Information Communication Technology Yvo Desmedt, during a conference at the IEEE International Workshop on Security and Social Networking (SESOC 2012) in Lugano, Switzerland, on March 19th, presented a new critical vulnerability in the Facebook platform, a zero-day privacy loophole that they have named the “Deactivated Friend Attack”.
The two experts have described the attack:
“Our deactivated friend attack occurs when an attacker adds their victim on Facebook and then deactivates her own account. As deactivation is temporary in Facebook, the attacker can reactivate her account as she pleases and repeat the process of activating and deactivating for unlimited number of times. While a friend is deactivated on Facebook, she becomes invisible. She could not be unfriended (removed from friend’s list) or added to any specific list.”
Probably one of the aspects that makes this vulnerability more insidious is that the popular social network lacks a mechanism for notifying a user of the activation or deactivation of the accounts in their friend list.
The process of alternating activation and deactivation is defined by the two experts as “cloaking”.
Furthermore, the process of activation and deactivation may be repeated at will without being subject to any control, because deactivation is temporary in Facebook. This behavior allows a malicious actor to reactivate an account for just the time needed to survey the information posted by the victim, a mine of information, as we have learned from the news.
In my opinion the real problem is the distracted behavior of social network users, too preoccupied with increasing the count of their relationships to carefully assess the real identity of those seeking friendship. Once friendship is obtained, it is possible to spy on the account as desired: it is simply necessary to activate the account at a time when the victim is not present on the social platform, to avoid being spotted and arousing suspicion.
As the attacker has to uncloak to spy, there is a probability of being detected and unfriended or placed under restricted privacy settings. This probability depends on several factors; the suspicious events are:
- the victim checks their own friend list
- the victim is online while the attacker is de-cloaked
- the victim checks their profile page
- the victim checks their friends preview (Facebook shows thumbnails and names of 10 friends on the left side of the user’s profile page)
- the attacker appears in the friends preview
- the victim becomes suspicious of the attacker after finding him in the friend list and then attempts to restrict or unfriend him
- the victim manages to apply the restriction before the attacker deactivates, given the time each of them has
The experts warned:
“Various groups of information aggregators including marketers, background checking agencies, governments, hackers, spammers, stalkers and criminals would find this attractive as a permanent back door to the private information of a Facebook user.”
The attack is very serious for several reasons:
- it is very hard to detect
- if the user wishes to adjust his privacy settings, he will not be able to apply any update to the attacker, unless it is applied to all friends or to lists of which the attacker is a member; while the attacker is temporarily deactivated, this is not possible
- an attacker simply monitoring a few users on the social network can gain a deeper insight into a large network
During the presentation the two experts gave a live demo to prove the problem, showing that the one way to avoid this kind of problem is to notify users of the changes in state of their friends.
Of course the situation must be managed by the operators of the Facebook platform, who could also monitor the “cloaking” behaviour of an account, blocking it or disabling the re-activation feature.
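The platform-side monitoring and the user notification described above, as an added example that is not part of the original post or of the researchers' work: a Python script that flags accounts whose reactivations are brief and frequent over a constructed account-event log, and generates per-user notices of friends' state changes. The event format, the thresholds and the account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of account state-change events, in the shape a platform
# audit log might record: (account, ISO-8601 timestamp, new state). "mallory"
# flips states repeatedly and stays active only minutes; "bob" does not.
EVENTS = [
    ("mallory", "2012-03-01T10:00:00", "deactivated"),
    ("mallory", "2012-03-02T03:10:00", "active"),
    ("mallory", "2012-03-02T03:40:00", "deactivated"),
    ("mallory", "2012-03-05T02:55:00", "active"),
    ("mallory", "2012-03-05T03:30:00", "deactivated"),
    ("mallory", "2012-03-09T04:00:00", "active"),
    ("mallory", "2012-03-09T04:20:00", "deactivated"),
    ("bob", "2012-02-20T12:00:00", "deactivated"),
    ("bob", "2012-03-15T09:00:00", "active"),
]

def cloaking_accounts(events, window=timedelta(days=14),
                      min_spells=3, max_active=timedelta(hours=2)):
    """Flag accounts with at least `min_spells` brief active spells (each no
    longer than `max_active`) starting within one `window`. Returns
    {account: spell count}; ordinary deactivate-once users are not flagged."""
    per_account = defaultdict(list)
    for acct, ts, state in events:
        per_account[acct].append((datetime.fromisoformat(ts), state))
    flagged = {}
    for acct, seq in per_account.items():
        seq.sort()
        # start times of spells where "active" is followed quickly by "deactivated"
        spells = [t1 for (t1, s1), (t2, s2) in zip(seq, seq[1:])
                  if s1 == "active" and s2 == "deactivated" and t2 - t1 <= max_active]
        for i, start in enumerate(spells):
            n = sum(1 for t in spells[i:] if t - start <= window)
            if n >= min_spells:
                flagged[acct] = n
                break
    return flagged

def friend_change_notices(events, friend_lists):
    """The fix the researchers demonstrated: tell each user whenever a friend
    changes state, so a reactivated friend is no longer invisible."""
    notices = defaultdict(list)
    for user, friends in friend_lists.items():
        wanted = set(friends)
        for acct, ts, state in sorted(events, key=lambda e: e[1]):
            if acct in wanted:
                notices[user].append(f"{ts} friend {acct} is now {state}")
    return dict(notices)
```

With the constructed log, `cloaking_accounts(EVENTS)` flags only "mallory", while "bob", who deactivated once and came back weeks later, is left alone; the thresholds are the tuning knobs an operator would adjust against real base rates.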
Beware, social media are becoming a paradise for cybercriminals.
Pierluigi Paganini
References
http://arxiv.org/pdf/1203.4043v1.pdf