Up to a million Facebook accounts could be vulnerable to an all-too-simple method of email hijacking that requires no programming skills or computer expertise. All you need, it turns out, is patience and someone's expired Hotmail address.
So say security researchers at Rutgers University in Newark, New Jersey. The threat arises, Panagiotis Karras and colleagues say, because Microsoft retires unused Hotmail accounts after 270 days of inactivity and reassigns the email addresses to new users who request them. Facebook, meanwhile, uses an email address as a login. So an attacker can gain access to any Facebook account that uses an expired Hotmail address as a login, if they know where to look.
To find out if a target's Hotmail address has expired, an attacker can simply send a test email. If a message saying "mailbox unavailable" bounces back, they probably have a viable target. Importing Facebook contacts into Windows Live Messenger makes things even easier, because it automatically tells a user which contacts' addresses have expired.
The attacker can then sign up to Hotmail, ask to be assigned the address and reactivate it. Entering the address into the Facebook login screen and opting for "forgotten password" will trigger Facebook to send an email to the reactivated email address, whereupon the attacker can reset the password and gain full control of an account.
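The weak link in the chain above is that the service trusts a login address long after the provider may have handed it to someone else. The following added example (not code from the researchers, Facebook or Microsoft) shows the check a service could run before honouring a "forgotten password" request: it records when the user last proved control of the address, and if that is older than the provider's recycling window (270 days for Hotmail, per the article; Gmail listed as non-recycling because Google said so; the 365-day default for unknown providers and all account data are assumptions) it refuses to rely on the mailbox alone.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Days of inactivity after which a provider reassigns an address to a new user.
# hotmail.com: 270 days, as the article states. gmail.com: None, because Google
# told New Scientist it does not recycle addresses. Any other domain falls back
# to DEFAULT_RECYCLE_DAYS, a conservative assumption rather than a known policy.
RECYCLE_AFTER_DAYS = {"hotmail.com": 270, "gmail.com": None}
DEFAULT_RECYCLE_DAYS = 365  # assumption for providers with no published policy

@dataclass
class Account:
    user_id: str
    login_email: str
    last_verified: datetime  # last time the user proved control of login_email

def recycle_window(email: str) -> Optional[int]:
    """Days after which the address may belong to someone else; None if never."""
    domain = email.rsplit("@", 1)[-1].lower()
    return RECYCLE_AFTER_DAYS.get(domain, DEFAULT_RECYCLE_DAYS)

def address_may_be_reassigned(account: Account, now: datetime) -> bool:
    """True when the address has gone unverified for at least the provider's
    recycling window, so a reset email could land in a stranger's mailbox."""
    days = recycle_window(account.login_email)
    if days is None:
        return False
    return now - account.last_verified >= timedelta(days=days)

def password_reset_channel(account: Account, now: datetime) -> str:
    """Decide how a 'forgotten password' request may be fulfilled."""
    if address_may_be_reassigned(account, now):
        # Do not trust the mailbox alone: require a second proof of identity
        # (recovery phone, trusted device or support review) before resetting.
        return "require_additional_verification"
    return "send_reset_email"

def audit(accounts: List[Account], now: datetime) -> List[str]:
    """Return user_ids whose login address should be re-verified proactively."""
    return [a.user_id for a in accounts if address_may_be_reassigned(a, now)]

# Constructed sample data; none of these accounts or dates come from the article.
NOW = datetime(2013, 5, 13, tzinfo=timezone.utc)
SAMPLE = [
    Account("u1", "alice@hotmail.com", NOW - timedelta(days=300)),  # past 270 days
    Account("u2", "bob@hotmail.com", NOW - timedelta(days=30)),     # recently verified
    Account("u3", "carol@gmail.com", NOW - timedelta(days=900)),    # provider never recycles
    Account("u4", "dave@example.net", NOW - timedelta(days=400)),   # unknown provider, default
]

if __name__ == "__main__":
    for acct in SAMPLE:
        print(acct.user_id, password_reset_channel(acct, NOW))
    print("re-verify:", audit(SAMPLE, NOW))
```

The same `audit` pass, run periodically, lets a service ask users to re-confirm a stale address before an attacker has any reason to request it.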
In a test, the researchers successfully gained access to 15 Facebook accounts, but then halted the experiment to avoid "ethical dilemmas" and "potential legal problems". They estimate that attackers could gain access to as many as a million Facebook accounts. This represents a small fraction of the service's one billion accounts.
The team will present the loophole this week at the World Wide Web conference in Rio de Janeiro, Brazil.
Other online services could be similarly vulnerable, but a spokesperson at Google confirmed that the company does not recycle its users' email addresses.
In an email to New Scientist, a member of Microsoft's Hotmail team wrote: "This isn't an issue with either Facebook or Hotmail. When someone stops using their Microsoft account, they should similarly stop having it associated with other internet services."
This article appeared in print under the headline "Expired emails provide easy way into Facebook profiles"