The 0-Day Interviews: 18 Year Old Hacker Plays Facebook, Lives to Tell the Tale
Two weeks ago, an 18 year-old security researcher named Suriya Prakash came across a feature in the Facebook search system that allows practically anyone to automate the harvesting of usernames, people names and – the missing link – phone numbers associated with the account.
The announcement sparked intense debate about whether this was a bug or a feature. The release of the proof-of-concept code also raised some concerns about the state of ethical security research, and its implications for users and companies. We contacted Suriya for the personal side of the story: who he is, what he usually does and what would have done differently if he were a Facebook engineer.
H4S: How does an 18 year-old tech enthusiast get to “crack” Facebook?
SP: Well, security research is nothing new to me. I have been in the field for about 2 years and have done some previous research. I consider myself a newbie and learn something new every day. I also did some research on botnets, but my discoveries wouldn’t have been possible without my friends Indishell and XR who have always been with me. And not least, kudos to Google – hackers’ best friend.
H4S: Tell us more about yourself.
SP: I am 18 years old and I live in Coimbatore, India. I am currently doing my A levels and hope to join a collage in 2013. Have all the “problems” of a “regular” teenager. I’m also a big Linkin’ Park fan and a Linux lover. I am currently working with http://cybersecurityprivacyfoundation.org/, a new, non-profit organization comprised of an enthusiastic and genuine bunch of people.
H4S: Speaking of crackers and hackers, everybody has a favorite drink. What’s your “code red”?
SP: My favorite drink is de-fizzed cola with insane amounts of instant coffee in it (still haven’t found a name for it).
H4S: What are your opinions about responsible disclosure of a zero-day bug? Do you believe that users should be educated at any costs, or do you believe that, without any pressure from the media, companies won’t take the discovered flaw seriously?
SP: I sort of have my own morals and guidelines on what makes “responsible disclosure”. But I believe I gave Facebook enough time and they didn’t even acknowledge the bug. I have had better responses from sites that get less than 1000 visits a day. Facebook REALLY needs to get the security section straight, and his is not only my opinion, it’s something the other people who worked with FB before agree with. But like I mentioned on my blog “I really wish it did not come to a public disclosure, but they left me no other choice”.
Without the media making this a big thing, it would have taken aeons for Facebook to fix it. Sometimes public disclosure does more good than bad (like in this situation in which many people who didn’t even know this privacy option existed, got to know about it and made the proper adjustments).
H4S: What’s your opinion about how Facebook handled the situation? When initially asked, by journalists, Facebook stated that they had limitations set in place to prevent abuse, yet you managed to grab no less than 10k numbers. Do you think they lied?
SP: Well, you saw and tried didn’t you? Many other people in the field tried it and it WORKED! And the method of exploitation was simple enough. In my opinion, Facebook is “a stranger to the truth”. And to sum things up, they handled the incident poorly.
H4S: What do you think Facebook should have done to keep the feature, but also preserve the privacy of its users? If you were to implement such a feature, how would you do it?
SP: First of all I would not default this setting to “Everybody” – one should always consider the user an ignorant person and not look at them from a coder’s point of view. I’d also implement two different settings for Email and Phone, as most people leave their emails around everywhere but a phone number is more private. A static auto-generated image result that does not show the data in the source code would have also helped mitigate the threat. And, on top of that a simple CAPTCHA would have rendered my exploit useless.
H4S: How do you think this potential privacy breach can be exploited in the wild? Do you have any scenarios in which an attacker could actually benefit from the collected numbers and accounts?
SP: I had a few reports in which people used this to crawl corporate phone numbers. But I don’t think it was exploited to its full extent and Facebook fixed it. This would be VERY helpful in a spear phishing attack in which a person’s Facebook account details would make the attack easier.
H4S: You’re in your junior days. Have you considered making a career in vulnerability research or other related field?
SP: I am not good at anything else, so computer security is the way to go.
H4S: Are you currently looking into other aspects of Facebook’s security systems? If yes, can you share with us?
SP: I am now working with them to fix all the holes in the filters and find other possible areas for this kind of attacks and invasions. That’s all I can say for now. ;)
But speaking of motivations, many people asked me what I did with the data I harvested during the exploitation POC session. I can assure them that I will NEVER release ANYONE’S data. It’s safely stored using the highest levels of encryption and will probably be destroyed sometime later.
This is Suriya, probably the world’s youngest hacker to have ever come across a vulnerability of this magnitude. You can check the entire story on Suriya’s blog, follow him on Twitter or befriend him on the very social network that fell victim to his sheer curiosity.
Over and out, the HotforSecurity team.