Facebook recently unveiled a new feature, called “Trusted Friends”, that lets you recover your user name and password with the help of three other friends.
Facebook has been rolling out some important changes to its privacy settings, and recently introduced a new feature called ‘Trusted Friends’. It allows a user to regain access to their account by collecting the security codes that the system generates and sends to three of their trusted friends. The feature has been in testing for a while, and I have used it two or three times just to test it.
Although the feature is meant to give users a reliable way to recover their password, it can turn into a major risk if you make the slightest mistake of accepting two or more friends whom you do not know. You can probably already see where this is going.
Yes, as you would expect: when three of your friends decide to compromise your account, their task is very easy. All they have to do is trigger the Forgot Password request, select their own names as Trusted Friends during the process, and have your password sent to one of their accounts. That compromises your account, since the new system-generated password is exposed to those friends.
That is one case; the other is a user-made mistake. A user who accepts three or more accounts that turn out to be spam accounts, or who accepts friend requests from people they really don’t know just to increase their friend count, is in the risk zone. The attacker can then use these accounts to compromise the account, as described above.
The method seems to succeed almost 90% of the time, and it is not really hard to compromise an account by creating a fake account and getting your friend to accept it.
When I spoke to Facebook about this, they said that people can use Trusted Friends to regain their passwords only through friends who have been in their friend list for more than 6 months. That looks reasonable, but I have seen a lot of people who have accounts in their friend lists that they have never known. The team had already considered this issue, and they believe the feature will be useful for the many users who lose control of their accounts at some point.
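To make the collusion risk and the six-month rule concrete, here is an added Python model of a trusted-friends recovery flow. It is a constructed illustration written for this post, not Facebook’s code; the 183-day threshold, the three-code requirement and the friend names are assumptions.

```python
import secrets
from datetime import date, timedelta

# Constructed model of a "trusted friends" recovery flow; hypothetical, not Facebook's code.
REQUIRED_CODES = 3                        # codes the requester must collect from friends
MIN_FRIENDSHIP_AGE = timedelta(days=183)  # assumption for "more than 6 months" in the friend list

def eligible_trusted_friends(friends, chosen, today, enforce_age=True):
    """friends: {name: date the friend request was accepted}. Returns the chosen
    names the policy allows to receive a recovery code."""
    allowed = []
    for name in chosen:
        if name not in friends:
            continue                      # not a friend at all
        if enforce_age and today - friends[name] < MIN_FRIENDSHIP_AGE:
            continue                      # friendship too new to be trusted
        allowed.append(name)
    return allowed

def start_recovery(friends, chosen, today, enforce_age=True):
    """Issue one random code per eligible friend, or None if too few qualify."""
    allowed = eligible_trusted_friends(friends, chosen, today, enforce_age)
    if len(allowed) < REQUIRED_CODES:
        return None
    return {name: secrets.token_hex(4) for name in allowed[:REQUIRED_CODES]}

def complete_recovery(issued, presented):
    """The reset goes through only if every issued code is presented correctly."""
    return issued is not None and all(presented.get(n) == c for n, c in issued.items())

def collusion_succeeds(friends, colluders, today, enforce_age=True):
    """One party controls every account in `colluders`: they trigger recovery naming
    themselves and read each code sent to them. True means they take over the account."""
    issued = start_recovery(friends, colluders, today, enforce_age)
    return complete_recovery(issued, dict(issued or {}))

def demo(today=date(2011, 10, 20)):
    """Constructed friend list: three long-standing friends, three strangers accepted last week."""
    friends = {n: today - timedelta(days=400) for n in ("alice", "bob", "carol")}
    friends.update({n: today - timedelta(days=7) for n in ("fake1", "fake2", "fake3")})
    fakes = ["fake1", "fake2", "fake3"]
    return {
        "fakes_no_age_rule": collusion_succeeds(friends, fakes, today, enforce_age=False),
        "fakes_with_age_rule": collusion_succeeds(friends, fakes, today),
        "only_two_fakes": collusion_succeeds(friends, fakes[:2], today, enforce_age=False),
        "old_friends_colluding": collusion_succeeds(friends, ["alice", "bob", "carol"], today),
    }
```

The age rule blocks freshly accepted fake accounts, but three genuine long-standing friends acting together still pass every check, which is the residual risk the post describes.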
Moving on to another vulnerability on Facebook, there is also an exploit that would let you attach a .EXE file to a URL and expose the other user’s password when they access it. I’m still waiting for a response from the Facebook team regarding this.
I think Facebook should reconsider this feature’s life span; it might encourage many users to compromise their friends’ accounts with ease.