Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Jan 27, 2011

Why Facebook's social authentication fails

Just a comment on the latest blog post on security by one of the Facebook engineers.

First, it's a good thing that Facebook finally offers its users the most fundamental of all security measures: a secure (HTTPS) connection to its website. Still, I would have expected them to move faster, especially after the Firesheep controversy back in October.

Then on to the most controversial change, social authentication, which raises a few questions about both the security it is supposed to add and its possible effects on Facebook users' privacy.

The security failure
Consider some malicious Trojan writer on the other side of the earth, trying to log into your Facebook account with your freshly stolen password. Matching the pictures to the names presented by social authentication should constitute a real challenge. It doesn't! A Google search for each of the suggested names, restricted to the Facebook site, will reveal... you guessed it, a picture of the person!
Social authentication illustrated

If you look at the pictures and names used as an example in the Facebook blog, you'll see that you could probably narrow the candidates down to two names pretty quickly. A Google search will likely reveal which one is correct; just click on the link. I place my bets on Alok.
http://www.google.no/search?q=site%3Afacebook.com+%22alok+menghrajani%22
You'll find the public profile in Google for everyone who has enabled "Public search" in their Facebook privacy settings. For the record, there's also a privacy bug I recently blogged about that makes matters worse: anyone who has commented on or liked a public page can also be found in Google.

That was the scenario of the "hacker on the other side of the planet" attempting to log in to your account. The other scenario is that someone close to you, family or friends, attempts to steal your profile. They can also google. In addition, they probably know who most of your friends and colleagues are, and what they look like. So, in my opinion, there's not much security added by the social authentication scheme.
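To make the "hacker on the other side of the planet" scenario concrete, here is an offline model of the attack. It is an added example, not code from the original post or from Facebook. All data is constructed: the "public search" index stands in for what a site:facebook.com query returns, and face identifiers stand in for the attacker recognising the same face in two pictures. The number of rounds, the number of names offered per round, and how many wrong answers the scheme tolerates are not stated in the post, so they are parameters here.

```python
"""Offline model of resolving a social-authentication challenge by lookup.

Added example, not code from the original post or from Facebook. All data is
constructed; face identifiers stand in for "the attacker recognises the same
face in the public profile picture and in the challenge photo".
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Set, Tuple

# Constructed stand-in for Google's index of public Facebook profiles:
# name -> faces visible in that profile's publicly indexed picture.
PUBLIC_INDEX: Dict[str, Set[str]] = {
    "Alok Menghrajani": {"face-a"},   # "Public search" enabled (name taken from the post's example)
    "Dana Example": {"face-d"},       # "Public search" enabled
    "Erik Sample": {"face-e"},        # indexed only because he liked a public page
}


@dataclass(frozen=True)
class Round:
    faces_in_photo: Tuple[str, ...]   # faces the attacker can see in the challenge photo
    candidates: Tuple[str, ...]       # names offered for this round
    answer: str                       # ground truth, used only for scoring


def answer_round(rnd: Round, index: Dict[str, Set[str]] = PUBLIC_INDEX) -> Optional[str]:
    """Resolve one round by lookup: return the single candidate whose public
    picture shows a face that also appears in the challenge photo, or None
    when zero or several candidates match (the attacker would have to guess)."""
    faces = set(rnd.faces_in_photo)
    matches = [name for name in rnd.candidates if index.get(name, set()) & faces]
    return matches[0] if len(matches) == 1 else None


def resolved_rounds(rounds: Sequence[Round], index: Dict[str, Set[str]] = PUBLIC_INDEX) -> int:
    """Number of rounds the lookup answers correctly without guessing."""
    return sum(1 for r in rounds if answer_round(r, index) == r.answer)


def pass_probability(rounds: Sequence[Round], allowed_wrong: int = 0,
                     index: Dict[str, Set[str]] = PUBLIC_INDEX) -> float:
    """Probability of passing the whole challenge. Resolved rounds are certain,
    unresolved rounds are uniform guesses among the candidates, and a wrong
    lookup is a certain failure for that round. allowed_wrong is the number of
    wrong answers the scheme tolerates (an assumption; the post does not say)."""
    per_round = []
    for r in rounds:
        got = answer_round(r, index)
        if got == r.answer:
            per_round.append(1.0)
        elif got is None:
            per_round.append(1.0 / len(r.candidates))
        else:
            per_round.append(0.0)
    # dist[k] = probability of exactly k wrong answers after the rounds seen so far
    dist = [1.0]
    for p in per_round:
        nxt = [0.0] * (len(dist) + 1)
        for k, q in enumerate(dist):
            nxt[k] += q * p
            nxt[k + 1] += q * (1.0 - p)
        dist = nxt
    return sum(dist[: allowed_wrong + 1])


# A constructed three-round challenge, each round offering three names.
ROUNDS = (
    Round(("face-a",), ("Alok Menghrajani", "Frank Nobody", "Gina Unlisted"), "Alok Menghrajani"),
    Round(("face-h",), ("Hans Private", "Ida Private", "Jon Private"), "Ida Private"),  # nobody indexed
    Round(("face-e", "face-z"), ("Erik Sample", "Kari Private", "Lars Private"), "Erik Sample"),
)

if __name__ == "__main__":
    print("rounds resolved by lookup:", resolved_rounds(ROUNDS), "of", len(ROUNDS))
    print("pass probability, no mistakes allowed:", round(pass_probability(ROUNDS), 3))
    print("pass probability, one mistake allowed:", round(pass_probability(ROUNDS, 1), 3))
    print("pass probability with an empty index:", round(pass_probability(ROUNDS, index={}), 3))
```

With the constructed data two of the three rounds fall to the lookup, so the "challenge" is a single one-in-three guess; if the scheme tolerates one wrong answer it is passed with certainty. Only with an empty index (nobody findable through public search or the liked-page leak) does the guessing probability drop to 1/27, which is the security the scheme was meant to provide.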

The privacy failure
Many Facebook users set the visibility of their profile, pictures and so on to "Friends of Friends" or, even tighter, "Friends only". The assumption is that the people you have narrowed this down to have to log in to Facebook to see your pictures, which gives you some assurance that your content is not made available to strangers. At first glance, social authentication aligns just fine with the privacy settings most Facebook users rely on. But if you think about it, you'll realize that there are subtle problems.

When Facebook finds it questionable whether one of your friends is actually signing in herself, they might show a picture of you, to be coupled with your name, in order to get some extra assurance that everything's in order. In other words: if Facebook is unsure whether it's your friend logging in or a complete stranger who knows your friend's password, they'll show a photo of you just to make sure. You didn't intend Facebook to show your photos to strangers, did you? Well, they do, precisely because they're afraid it's a stranger.

To make matters worse, it seems that Facebook selects a random photo you've been tagged in, whether by yourself or by other users. One of my colleagues brought this to my attention when he was confronted with the new social authentication procedure. One of his friends was shown in a picture taken on a night on the town, when the hour was getting late. 'Nuff said. Maybe not the picture you'd want shown to people when they log in. I won't post the screenshot here, for obvious reasons.

Finally, a brief speculation: there's probably a good chance that someone can tag you in a photo and it'll be used for social authentication irrespective of whether you've seen the photo or not. Speculation ended.
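The following model shows which of your photos the selection described above can put in front of an unauthenticated party, and what is left once the selection is forced to respect your audience settings. It is an added example, not Facebook's code: the "as described" rule is taken from the post (a random photo you are tagged in, tagged by anyone, seen or unseen), while the audience-respecting rule is a proposed constraint, not something the post says Facebook does. The people, photos and audience labels are constructed.

```python
"""Which of a user's photos a social-authentication challenge can expose.

Added example, not Facebook's code. The "as described" pool follows the
post's description; the audience-respecting pool is a proposed constraint.
All people and photos below are constructed.
"""
import random
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence

PUBLIC = "public"
FRIENDS_OF_FRIENDS = "friends_of_friends"
FRIENDS_ONLY = "friends_only"


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    audience: str                 # audience the owner set on the photo
    tagged: FrozenSet[str]        # people tagged in it, by anyone
    approved_by: FrozenSet[str]   # tagged people who have seen and approved the tag


def challenge_pool_as_described(subject: str, photos: Sequence[Photo]) -> List[Photo]:
    """Pool the post describes: every photo the subject is tagged in, regardless
    of who tagged them, whether they have seen it, or the audience it was set to."""
    return [p for p in photos if subject in p.tagged]


def challenge_pool_respecting_audience(subject: str, photos: Sequence[Photo]) -> List[Photo]:
    """Proposed constraint: the party being challenged is by definition not yet
    authenticated, so only photos already visible to anyone (public) and whose
    tag the subject approved may be shown."""
    return [p for p in photos
            if subject in p.tagged and p.audience == PUBLIC and subject in p.approved_by]


def exposed_non_public(subject: str, photos: Sequence[Photo]) -> List[str]:
    """Ids of restricted-audience photos that the described selection can still
    surface to whoever is trying to log into a friend's account."""
    return sorted(p.photo_id for p in challenge_pool_as_described(subject, photos)
                  if p.audience != PUBLIC)


def pick_challenge_photo(subject: str, photos: Sequence[Photo],
                         respect_audience: bool = False,
                         rng: Optional[random.Random] = None) -> Optional[Photo]:
    """Random pick from the chosen pool (the post says the photo is random), or
    None when nothing qualifies."""
    pool = (challenge_pool_respecting_audience if respect_audience
            else challenge_pool_as_described)(subject, photos)
    return (rng or random.Random()).choice(pool) if pool else None


# Constructed data: "you" are tagged in three photos, one of them by a
# colleague in a picture you have never reviewed.
PHOTOS = (
    Photo("p1-profile", "you", PUBLIC, frozenset({"you"}), frozenset({"you"})),
    Photo("p2-family", "you", FRIENDS_ONLY, frozenset({"you", "friend-1"}),
          frozenset({"you", "friend-1"})),
    Photo("p3-night-out", "colleague", FRIENDS_OF_FRIENDS, frozenset({"you", "colleague"}),
          frozenset({"colleague"})),
    Photo("p4-unrelated", "friend-2", PUBLIC, frozenset({"friend-2"}), frozenset({"friend-2"})),
)

if __name__ == "__main__":
    print("as described:", [p.photo_id for p in challenge_pool_as_described("you", PHOTOS)])
    print("exposed despite restricted audience:", exposed_non_public("you", PHOTOS))
    print("respecting audience:", [p.photo_id for p in challenge_pool_respecting_audience("you", PHOTOS)])
```

Note what survives the audience-respecting rule: only your public profile picture, which is exactly the kind of picture a site-restricted Google search turns up. Cut the pool one way and the scheme leaks restricted photos; cut it the other way and it asks a question the public index already answers. That is the tension behind the conclusion below.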

So to summarize, I don't believe that social authentication adds much (if any) security to your Facebook account. On the contrary, it introduces yet another privacy issue for Facebook users.

If you want better security, have a look at the one-time passwords instead; they were a much better addition. That's what Facebook should use instead of social authentication when they're unsure whether it's the correct user signing in.

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
