Security researcher shows how to game Facebook's Three Trusted Friends recovery feature

A Brazilian security researcher has shown at a conference how hackers can use social engineering and the new three Trusted Friends password recovery feature to take over a real Facebook profile on the social networking site. The researcher started using LinkedIn, Amazon, and Facebook to try and get another security expert he calls SecGirl to friend him.

The researcher made a cloned account of the manager of SecGirl and sent out 432 friend requests from that cloned account to friends of friends of that manager. Within only an hour 24 of those friends had accepted the request. After that, he took 436 friends and friended them directly using contacts on LinkedIn.

Out of that 14 accepted in an hour. Apparently, it took only 7 hours to trick the SecGirl security expert into accepting the friend request. At that point, the researcher says that you would be able to take over the legitimate account using the Three Trusted Friends password recovery feature. Facebook says this is a violation of the terms of service and notes its other identification requirements if one of those friends suspects the account to be bogus.

[via ArsTechnica]