Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Jan 27, 2011

Why Facebook's social authentication fails

Just a comment on the latest blog post on security by one of the Facebook engineers.

First, it's a good thing that Facebook finally offers its users the most fundamental of all security measures, a secure connection to their website. Still I would have expected them to move faster, especially after the Firesheep controversies back in October.

Then to the most controversial change — the social authentication — which raises a few questions about both the security it is supposed to add and the possible effects on Facebook users' privacy.

The security failure
Consider some malicious Trojan-writer on the other side of the earth, trying to log into your Facebook account with your newly stolen password. Matching the pictures and the names presented in the social authentication should constitute a real challenge. It doesn't! Launching a google search for the suggested names, narrowed down to the Facebook site will reveal..... You guessed it! A picture of the person!
Social authentication illustrated

If you look at the pictures and names used as an example in the Facebook blog, you'll see that you could probably narrow down the candidates to two names pretty quick. A google search will likely reveal which one is correct, just click on the link. I place my bets on Alok.
http://www.google.no/search?q=site%3Afacebook.com+%22alok+menghrajani%22
You'll find the public profile in Google for everyone who has enabled "Public search" in their Facebook privacy settings. For the record, there's also a privacy bug I recently blogged about that makes matters worse — anyone who has commented on or liked a public page can also be found in Google.

That was the scenario of the "hacker on the other side of the planet" attempting to log in to your account. The other scenario is that someone close to you — familiy or friends — attempts to steal your profile. They can also google. In addition they probably know who most of your friends and colleagues are, and what they look like. So, in my opinion there's not much security added by the social authentication scheme.

The privacy failure
Many Facebook users set the visibility of their profile, pictures, and so on to "Friends of Friends" or even tighter with "Friends only". The assumption here is that the people you have narrowed this down to have to log in to Facebook to see your pictures. This gives you some assurance that your content is not made available to strangers. At the first glance, the social authentication is aligned just fine with the privacy settings used by most Facebook users. But if you start thinking about it, you'll realize that there are subtle problems.

When Facebook finds it questionable whether one of your friends is actually signing in herself, they might show a picture of you to be coupled with your name, in order to achieve some extra assurance that everything's in order. In other words: If Facebook is unsure whether it's your friend logging in or a complete stranger who knows your friends password, the'll show a photo of you just to make sure. You didn't intend Facebook to show your photos to strangers, did you. Well, they do — because they're afraid it's a stranger.

To make matters worse, it seems that Facebook selects a random photo you've been tagged in, either by yourself or by other users. One of my colleagues brought this to my attention, as he was confronted with the new social authentication procedure. One of his friends was shown in a picture, taken from a night on the town when the hour was getting late. Nuff said. Maybe not the picture you'd want to show to people when they log in. I won't post the screenshot here for obvious reasons.

Finally, a brief speculation. There's probably a good chance that someone can tag you in a photo, and it'll be used for social authentication irrespective of whether you've seen the photo or not. Speculation ended.

So to summarize, I don't believe that the social authentication adds much (any) security to your Facebook account. On the contrary, it introduces yet another privacy issue for Facebook users.

If you want better security, you should have a look at the one time passwords instead, they were a much better addition. That's what Facebook should use instead of social authentication when they're unsure if it's the correct user they're signing in.

No comments:

Post a Comment

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts