All Your Face Belong to Us: Breaking Facebook’s Social Authentication Jason Polakis and Sotiris Ioannidis, FORTH-ICS, Greece; Marco Lancini, Federico Maggi, and Stefano Zanero, Politecnico di Milano, Italia; Georgios Kontaxis and Angelos D. Keromytis, Columbia University, USA

Page 1: Jason Polakis and Sotiris Ioannidis, FORTH-ICS, Greece; Marco Lancini, Federico Maggi, and Stefano Zanero, Politecnico di Milano, Italia; Georgios Kontaxis.

All Your Face Belong to Us: Breaking Facebook’s Social Authentication

Jason Polakis and Sotiris Ioannidis, FORTH-ICS, Greece;

Marco Lancini, Federico Maggi, and Stefano Zanero, Politecnico di Milano, Italia;

Georgios Kontaxis and Angelos D. Keromytis, Columbia University, USA

Page 2: Outline

- Introduction
- How Social Authentication Works
- Advantages and Shortcomings
- Attack Surface Estimation
- Breaking Social Authentication
- Face Recognition as a Service
- Experimental Evaluation
- Remediation and Limitations
- Conclusions

Page 3: Introduction

- Facebook reports over 900 million active users as of March 2012.
- In 2011, Facebook released a two-factor authentication mechanism, referred to as Social Authentication (SA).

Page 4: How Social Authentication Works

- Friend list: a user must have at least 50 friends.
- Tagged photos: the user's friends must be tagged in an adequate number of photos.
- Face: SA tests must be solvable by humans within the 5-minute (circa) time window enforced by Facebook.
- Triggering: SA is triggered when the user logs in from a different geographical location, or uses a new device for the first time to access his account.

Page 5: Advantages and Shortcomings

Advantages
- Facebook's SA is less cumbersome, especially because users have grown accustomed to tagging friends in photos.

Shortcomings
- The number of friends can influence the applicability and the usability of SA.
- Their friends may have been erroneously tagged, for fun or as part of a contest which required them to do so.
- Users can bypass the SA test by providing their date of birth.

Page 6: Attack Surface Estimation

- Threat model: the attacker has compromised the user's credentials. Facebook designed SA as a protection mechanism against strangers.
- We provide an empirical calculation of the probabilities of each phase of our attack:
  - P(F) = 47% of the users have their friend list public.
  - P(P) = 71% of them (236,752) exposed at least one public photo album.
  - The attacker can try to befriend the friends of his victim to gain access to their private photos, with a chance of P(B) ≃ 70% to succeed.

Page 7: Attack Surface Estimation (Cont.)

Page 8: Breaking Social Authentication

Step 1: Crawling Friend List
- Python's urllib HTTP library and regular expressions
- MongoDB database, GridFS filesystem

Step 2: Issuing Friend Requests

Step 3: Photo Collection/Modeling
- Photo collection
- Face extraction and tag matching: OpenCV toolkit
- Facial modeling: sklearn library

Step 4: Name Lookup

Page 9: Breaking Social Authentication

Page 10: Face Recognition as a Service

- Face.com was recently acquired by Facebook.
- The service exposes an API through which developers can supply a set of photos to use as training data and then query the service with a new, unknown photo for the recognition of known individuals.
- API calls used:
  - faces.detect: identify any existing faces
  - tags.save: label the good photos with the respective UIDs of their owners
  - faces.train
  - faces.recognize

Page 11: Experimental Evaluation

Overall Dataset

Page 12: Experimental Evaluation (Cont.)

Breaking SA: Determined Attacker
- Figure: number of pages solved correctly out of 7.

Page 13: Experimental Evaluation (Cont.)

Breaking SA: Determined Attacker
- Figure: CPU time required to solve the full test.

Page 14: Breaking SA: Casual Attacker

Implementation
- 11 dummy accounts play the role of victims.
- Selenium: log in to these accounts in an automated fashion.
- Tor: take advantage of the geographic dispersion of its exit nodes.
- face.com: solve the SA test.

Results
- 22% (28/127) of tests: solved 5-7 of the 7 test pages.
- 56% (71/127) of tests: solved 3-4 of the 7 test pages.
- 44 seconds on average.

Page 15: Breaking SA: Casual Attacker (Cont.)

- In about 25% of the photos, face.com was unable to detect a human face.
- In 50% of the photos, face.com detected a human face but marked it as unrecognizable.
- In the last 25% of the photos, a face was detected but did not match any of the faces in our training set.

Page 16: Ethical Considerations

- We never took advantage of accepted requests to collect photos or other private information otherwise unavailable; we solely collected public photos.

Page 17: Compromise Prevention

- Users can add certain devices to a list of recognized, trusted devices.
- A user who fails to complete an SA challenge is redirected to an alert page upon the next successful login, which reports the attempted login.

Page 18: Slowing Down the Attacker

- CAPTCHAs may create a technical obstacle to automated attacks, but they should not be considered a definitive countermeasure.
- The presence of suggested names in SA tests is the major disadvantage of the current implementation, as it greatly limits the search space for adversaries.

Page 19: Conclusions

- On average, we were able to obtain 42% of the data used to generate the second factor, thus gaining the ability to identify randomly selected photos of the victim's friends.
- Given that information, we managed to solve 22% of the real Facebook SA tests presented to us during our experiments and gained a significant advantage in an additional 56% of the tests, with answers for more than half of the pages of each test.
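To see how the share of second-factor data an adversary holds turns into a probability of passing a 7-page SA test, and how the pass threshold and the suggested names change that probability, here is an added risk model (not code from the paper or its authors). It assumes pages are solved independently and that an unrecognized face is answered by a uniform guess among k suggested names; k = 6 is a hypothetical value not given on the slides.

```python
# Added illustration (not the paper's code): how the share of second-factor data
# an adversary holds turns into a probability of passing a 7-page SA test, and
# how the pass threshold and suggested names change that probability.
# Assumptions, not from the slides: pages are solved independently, and a page
# whose face is not recognized is answered by a uniform guess among k names.
from math import comb


def page_success(p_recognize: float, k_suggested: int) -> float:
    """Probability of answering one page: recognize the face, else guess."""
    guess = 1.0 / k_suggested if k_suggested > 0 else 0.0
    return p_recognize + (1.0 - p_recognize) * guess


def pages_in_range(pages: int, lo: int, hi: int, p_page: float) -> float:
    """Binomial probability that between lo and hi pages (inclusive) are correct."""
    return sum(comb(pages, k) * p_page ** k * (1.0 - p_page) ** (pages - k)
               for k in range(lo, hi + 1))


def pass_probability(pages: int, threshold: int, p_page: float) -> float:
    """Probability of solving at least `threshold` of `pages` pages."""
    return pages_in_range(pages, threshold, pages, p_page)


def threshold_sweep(pages: int, p_page: float) -> dict[int, float]:
    """Pass probability for every possible threshold: the defender's lever."""
    return {t: pass_probability(pages, t, p_page) for t in range(1, pages + 1)}


if __name__ == "__main__":
    p_data = 0.42            # share of second-factor data obtained (slides)
    pages, threshold = 7, 5  # 7 pages per test; 5-7 correct counted as solved
    p_plain = page_success(p_data, 0)
    print(f"recognition only, pass (>= {threshold}/7): "
          f"{pass_probability(pages, threshold, p_plain):.3f}")
    print(f"recognition only, partial (3-4/7): "
          f"{pages_in_range(pages, 3, 4, p_plain):.3f}")
    k = 6                    # hypothetical number of suggested names per page
    p_guess = page_success(p_data, k)
    print(f"with {k} suggested names, pass: "
          f"{pass_probability(pages, threshold, p_guess):.3f}")
    for t, pr in threshold_sweep(pages, p_guess).items():
        print(f"  threshold {t}/{pages}: {pr:.3f}")
```

The sweep shows that raising the number of pages an attacker must answer, or removing the name suggestions, cuts the pass probability far more than the CPU cost of a CAPTCHA would.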