
Researcher shows how to "friend" anyone on Facebook within 24 hours - evo_9
http://arstechnica.com/tech-policy/news/2011/11/researcher-shows-how-to-friend-anyone-on-facebook-within-24-hours.ars
======
anorwell
There seems to be a lot of confusion, both in the article and in the comments,
about the "3 trusted friends" password recovery. You have to manually select
your trusted friends [1]. A fake account mimicking one of your friends will
not be a "trusted friend" unless you make him or her one.

Furthermore, this is an opt-in feature.

[1] <https://www.facebook.com/help/?faq=119897751441086>

~~~
bproper
You need to trick an account into accepting three fake friends, since those
users will receive the code to change the password. Hardly seems like an obvious
security flaw, more like a long, complicated piece of social engineering.
Which is what all hackers do....

<http://www.hackersonlineclub.com/hack-facebook-account>

~~~
anorwell
You need to trick an account into adding three fake friends as "trusted
friends", a feature that most people do not know about or use. This is much
harder than getting someone to friend three fake accounts.

------
tryke
I was surprised to learn that Facebook has a "3 trusted friends" method for
recovering your account without the original email or security question
response.

EDIT: tried to find a better source for that, came up with
<https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766>

Looks like the feature is still being rolled out, and the attacker doesn't get
to choose which friends he trusts.

~~~
JonnieCache
Right. Does this mean that me and two of my friends can just decide to stage a
coup on any of our mutual friends' accounts?

EDIT: Yeah, apparently it does. _Sweet._ Time to scour /b/ for some truly
horrible shit to plaster peoples' profiles with. Also highly recommended:
changing their birthday to tomorrow.

~~~
X-Istence
Don't I have to set up these three trusted friends? All I can find in
Facebook's documentation is that I would need to specify these three to five
trusted friends, but I can't find anywhere to set this up.

~~~
sp332
Hm, this link has different screenshots:
<http://www.hackersonlineclub.com/hack-facebook-account> _Any_ 3 "friends" who
put their codes in can get access to your account.

------
tokenadult
The first thing I did when I saw this story was check Google to see if any
other news sources had picked it up. I chose the researcher's name as a highly
distinctive Google search term. I didn't find any source but Ars Technica just
now that reports this finding. I noticed that there are websites that appear
to belong to the Brazilian researcher, but I guess the moral of this story is
that those websites may all be fake [sigh].

~~~
rhizome
Ars has not been a good website for some time now, at least a couple of years.
They have squandered their future, but I dunno, I haven't checked but were
they acquired by Gawker at some point? It would explain a lot.

~~~
randall
Condé Nast... not Gawker.

<http://arstechnica.com/old/content/2008/05/ars-technica-acquired-by-conde-nast-the-low-down.ars>

~~~
rhizome
Dare I say worse? ;)

------
andrewfelix
I deleted my Facebook account about 3 months ago.

Security was one of the big issues for me. My brother's account had been
hacked, and the hackers managed to get some cash out of some of his friends.

But I digress, and this is off topic, but I don't miss FB at all. I still
maintain genuine relationships outside of FB and find I have more time for
proper conversations with people via Skype and email. FB to me was crack, I
hated to love it. Now I love to hate it.

Does anybody out there maintain genuine relationships through FB? (Serious
question) Why are we using it? Is it an addiction?

~~~
noahc
I've deleted my Facebook a number of times. I know this sounds petty, but the
main reason I always signed back up was because my girlfriend at the time
wanted to be in a relationship with a 'real person', not just a name on
Facebook. This was two different, perfectly well-adjusted women.

I think this speaks to Facebook as a status symbol, not as a communication
tool. Why do you upload pictures of your vacation? Is it because you want grandma to
see them and enjoy seeing your lovely face, or is it to impress all your
friends with this awesome life you have? I think it is mostly the latter.

~~~
Mz
I'm a tad short of sleep, so forgive me for asking what is probably a really
stupid question but I'm confused: Are you saying these two different women
wanted you to flesh out some online profile via FB (as proof of a real
relationship or something like that)?

~~~
noahc
On Facebook you have a section called relationship. In that section you can
put a name. If that person doesn't have a Facebook profile, I assume, it
doesn't hyperlink it to their profile. If that person does have a Facebook
profile, then it hyperlinks to their profile page.

Clearly, the relationship isn't going to depend on if I have a Facebook
profile, but both women want their friends to be able to see that they have a
'real boyfriend' with real interests, pictures, etc. In effect they want to
show off for their friends.

~~~
Mz
_In effect they want to show off for their friends._

And perhaps also position themselves defensively with regards to other men. It
seems to me that listing a name with no hyperlink is something you could do to
"fake" having a boyfriend, and thus might not be a very effective deterrent to
unwanted attentions from another man. An actual FB account linked in that
section is much stronger proof that a woman is unavailable, so please don't
bother me.

It seems to me that if you have some significant portion of your social life
online, indicators of that sort can be rather important. I know that when I
was still married and could publicly portray myself as a "woman who has been
married with children for a very long time" I did not have to deal with
certain kinds of things in online social settings. I joined one forum after it
was clear to me and my spouse that we would divorce but at a time when our
status was still publicly presented as "married, with children". When I was at
a point where I was ready to publicly admit I was facing a divorce, I suddenly
had online social situations to deal with that simply did not crop up when
everyone figured I was about as off limits as a woman could get. So my
personal situation had not really changed (as I was still "facing a divorce"
and not really available) but there were very noticeable social consequences
when how I presented my social status changed.

I'm not on Facebook. I deleted my account earlier this year and never used it
that much and I think everyone I knew on Facebook was probably either female
or only interested in me due to my medical diagnosis. So I never dealt with
that aspect of Facebook. But I know that I do deal with the need to signal my
"currently unavailable" status in other online social settings. It's simply
far easier and more effective to just make it generally publicly known that I
am not currently available than to try to deal individually with every
potential inquiry.

So my guess would be they are not simply showing you off to their friends. It
probably serves a broader purpose similar to an engagement ring or other
offline relationship status signal, and that means it may also have
implications for things like what types of social invitations single
women friends might extend to them (i.e. "I'm no longer available for girls'
night out, where we go out drinking/partying" or something). Whether there is
a hyperlink vs. just a name listed may have a hard-to-quantify but real impact on
how others interact with them.

~~~
noahc
You are correct. I actually typed something similar up, but after reading it
it came across too much like, "I don't trust her."

------
dgreensp
Kind of a stretch, an elaborate ploy all to merely "friend" someone.

Like, "Car thieves who want to steal your car can construct an exact replica
of your street, house, and garage, so that you're actually parking right in
the thief's carpark, security researchers reported today."

~~~
baddox
It sounds like you're equating basic social engineering to an elaborate,
large-scale, nearly impossible architectural trick. Are you trying to discount
the effectiveness or feasibility of social engineering? Social engineering
requires far less effort than your proposed analogy. I doubt it took this
guy more than half an hour to do the "hard work," which is just duplicating a
profile and cross-referencing friends from two social networks.

I agree that accidentally friending a fake account probably won't lead to many
further online problems: the trusted friends example used in the article is
far-fetched (and other HN comments indicate it's completely bogus), and they're
not going to get your credit card info or account passwords. However, it's
still a privacy concern. Anyone from an estranged ex-lover to a private
investigator could get information like home address, vacation times, etc.

~~~
scott_s
_However, it's still a privacy concern. Anyone from an estranged ex-lover to a
private investigator could get information like home address, vacation times,
etc._

Only if you put information on Facebook that you're not comfortable sharing
with the whole world.

~~~
baddox
I'm not sure what you mean by that statement. Are you saying that Facebook's
internal security is weak, and therefore you shouldn't trust it with data that
you _explicitly_ make private? To my knowledge, Facebook's privacy concerns
are more related to the tracking of users on other websites, having insensible
privacy defaults, and having confusing privacy controls. I've never heard any
concerns about Facebook ignoring your settings and leaking your content (that
was just meant for your friends or a certain group) with the whole world.

Are you singling out Facebook, or just referring to web services in general?
Would you also say that you shouldn't have data on Gmail that you're not
comfortable sharing with the whole world? What about online banking? All of
those things are probably vulnerable to social engineering.

~~~
scott_s
_I've never heard any concerns about Facebook ignoring your settings and
leaking your content (that was just meant for your friends or a certain group)
with the whole world._

That's the end result of "having insensible privacy defaults, and having
confusing privacy controls." It happened when they changed their privacy
model, and things that were private-only became public by default. But,
normally, it's not that Facebook _ignores_ your settings, but, rather, people
assumed things were more private than they actually are. See people's recent
reaction to the real-time updates of what your friends are doing on Facebook -
many of the people I am friends with were aghast at this, because I don't
think they realized all of that stuff was already public.

Basically, I think the privacy-model on Facebook is complicated, but I think
it's an _inherent_ complexity. It's not complex because Facebook is inept,
it's complex because the problem of determining who in your large social
network should know what is actually a complicated question. That privacy
model is too complicated for people to grapple with every time they share
something on Facebook, so they don't grapple with it. I don't want to grapple
with it, either. Hence, I only share things on Facebook I'm comfortable
sharing with the world. My Facebook page - wall, photos, info, comments - are
all public. Then I have a very simple decision to make: am I okay saying this
to everyone? If not, I don't say it. Hence, I don't say much on Facebook.

The internet is an inherently public place. Facebook puts a megaphone on the
internet.

_Would you also say that you shouldn't have data on Gmail that you're not
comfortable sharing with the whole world?_

In general, yes, although even I have difficulty with that one. But email is
just plain text (unless you encrypt it, and very few people do) bouncing
around the ether. It's out there, and you have little control over it. Banking
is different, as the information is only shared between you and your bank. Not
so with email, which always has at least one other party involved.

------
JonnieCache
I miss the good old days when I could only send friend requests, not receive
them. I guess clicking ignore every time isn't so hard. It was better back
when people simply could find the "Add Friend" button though, there wasn't any
risk of them being offended.

~~~
rhizome
Facebook friendships have always been symmetrical.

~~~
rhizome
Votes seem to be fluctuating on this, so I'm just going to add qualifications
of "possibly not when it was University-only (i.e. before my time)" or "until
recently" as they've moved to subscription connections and wall propagation
for unconfirmed friendships.

------
D_Drake
I would be wary of anyone calling him/herself a "web security expert" who
tolerates a presence on multiple social networking sites. It speaks of a
mindset not nearly paranoid enough.

------
huggah
A little melodramatic. My father logs into Facebook about once a month. How
can you guarantee that he'll friend you within 24 hours?

~~~
iy56
You can't, really, but if he checks his email more often than once a month, he
may act on the message that says "xxx has added you as a friend, please
confirm."

------
1010100101
"Privacy is a matter of social responsibility."

Privacy is a matter of not using Facebook.

~~~
veb
No. Privacy is what you make it to be. If you don't want someone to know you
like to rub lettuce over your face, don't tell anyone.

The same principle works for real life too.

~~~
1010100101
What if someone wants to tell a few friends about something but doesn't want
to tell all the people working at Facebook, all its clients and potentially
any other Facebook user?

~~~
scott_s
Then don't tell them through Facebook.

If you don't mind Facebook knowing what you said, you can send a private
message.

That may not be a solution that people _like_ , but it's what I do, and I
think it's what we will all end up doing eventually.

~~~
1010100101
"Then don't tell them through Facebook."

And that's the point.

If a current offering such as Facebook is "not a solution that people like",
then that creates an opportunity for a solution that people _do_ like.

Will that opportunity be exploited? If not, why?

~~~
scott_s
I don't think any large, online social network used by lay-people can allow
the kind of privacy control that you (and many others) want. The system just
becomes too complex, and information leaks. I think that we will eventually
adapt to this constraint.

~~~
1010100101
You said: "I don't think any large..."

If someone only wants to tell something to some of their friends, and assuming
"some" is not a large number, does the network have to be "large"?

If so, why?

~~~
scott_s
For lay-people to know about and be comfortable using it, yes, I think it has
to be a part of a large service.

There are ways to share secrets with a small number of friends online, but
even among technical people, very few people do it. I can see that it's
possible to create a service around, say, PGP encrypted messages, and I can
even see abstracting out the technical details of it. (That is, not forcing
the users to think about keys, instead saying "Tell us who you want to be
allowed to know the secret" and making and distributing public-private keys on
the fly.) But I think even that level of conceptual overhead is more than lay-
people are willing to deal with.

~~~
1010100101
You said: "I think it has to be a part of a large _service_."

My question was about the size of the _network_.

In any event, following your line of thought, do you think it's possible to
have many _small_, separate networks that were somehow part of a large
service?

Regardless of your answer, does our solution have to be a "service"?

What if it is a "product" that creates small networks as overlays on a larger,
existing network such as the one all your friends are connected to: the
internet?

You said: "I can see that it's possible to create a service around, say,
PGP..."

What if you could see that it's possible to create a service (or product, or
both) around, say, a scheme that involved only a single shared password and a
single shared encryption key? That is, each friend has to remember only two
strings for each network to which she belongs, sort of like, say, a username
and password.

What if you could see that such a scheme might not require logging on and
logging out as frequently as a web-based service such as Facebook?

Would that change your thoughts at all?

You said, when referring to a PKI scheme like PGP: "But I think that [the]
level of conceptual overhead is more than lay-people are willing to deal
with."

I once thought the same thing about Amazon's S3 service. When I saw the
Dropbox product, my thoughts changed.

------
cannibalbob
I need more enemies! I want to try this out!