Two weeks ago, an 18-year-old security researcher named Suriya Prakash came across a feature in the Facebook search system that allows practically anyone to automate the harvesting of usernames, people's names and, the missing link, the phone numbers associated with those accounts.
The announcement sparked intense debate about whether this was a bug or a feature. The release of the proof-of-concept code also raised some concerns about the state of ethical security research and its implications for users and companies. We contacted Suriya for the personal side of the story: who he is, what he usually does and what he would have done differently if he were a Facebook engineer.
H4S: How does an 18-year-old tech enthusiast get to "crack" Facebook?
SP: Well, security research is nothing new to me. I have been in the field for about 2 years and have done some previous research. I consider myself a newbie and learn something new every day. I also did some research on botnets, but my discoveries wouldn't have been possible without my friends Indishell and XR, who have always been with me. And not least, kudos to Google, hackers' best friend.
H4S: Tell us more about yourself.
SP: I am 18 years old and I live in Coimbatore, India. I am currently doing my A levels and hope to join a college in 2013. I have all the "problems" of a "regular" teenager. I'm also a big Linkin Park fan and a Linux lover. I am currently working with http://cybersecurityprivacyfoundation.org/, a new, non-profit organization comprised of an enthusiastic and genuine bunch of people.
H4S: Speaking of crackers and hackers, everybody has a favorite drink. What's your "code red"?
SP: My favorite drink is de-fizzed cola with insane amounts of instant coffee in it (still haven't found a name for it).
H4S: What are your opinions about responsible disclosure of a zero-day bug? Do you believe that users should be educated at any cost, or do you believe that, without any pressure from the media, companies won't take the discovered flaw seriously?
SP: I sort of have my own morals and guidelines on what makes "responsible disclosure". But I believe I gave Facebook enough time and they didn't even acknowledge the bug. I have had better responses from sites that get less than 1000 visits a day. Facebook REALLY needs to get the security section straight, and this is not only my opinion, it's something the other people who worked with FB before agree with. But like I mentioned on my blog: "I really wish it did not come to a public disclosure, but they left me no other choice".
Without the media making this a big thing, it would have taken aeons for Facebook to fix it. Sometimes public disclosure does more good than bad (like in this situation, in which many people who didn't even know this privacy option existed got to know about it and made the proper adjustments).
H4S: What's your opinion about how Facebook handled the situation? When initially asked by journalists, Facebook stated that they had limitations set in place to prevent abuse, yet you managed to grab no less than 10k numbers. Do you think they lied?
SP: Well, you saw and tried it, didn't you? Many other people in the field tried it and it WORKED! And the method of exploitation was simple enough. In my opinion, Facebook is "a stranger to the truth". And to sum things up, they handled the incident poorly.
H4S: What do you think Facebook should have done to keep the feature, but also preserve the privacy of its users? If you were to implement such a feature, how would you do it?
SP: First of all, I would not default this setting to "Everybody". One should always consider the user an ignorant person and not look at them from a coder's point of view. I'd also implement two different settings for Email and Phone, as most people leave their emails around everywhere, but a phone number is more private. A static auto-generated image result that does not show the data in the source code would have also helped mitigate the threat. And, on top of that, a simple CAPTCHA would have rendered my exploit useless.
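The mitigations Suriya lists (a safe default, separate phone and email settings, and a lookup budget that falls back to a CAPTCHA) can be put side by side with the naive endpoint. The following is an added example written for this page; it is not Facebook's code and not Suriya's proof of concept. The class names, the five-lookups-per-window budget, the `phone()` helper and the three sample profiles are all assumptions made for the illustration.

```python
# Added example (not Facebook's code, not Suriya's PoC): a reverse phone lookup
# modelled on the feature in the interview, naive first, then hardened with a
# non-"Everybody" default, separate phone/email settings and a per-client budget
# that forces a CAPTCHA-style challenge. Names, thresholds and data are assumed.
from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    EVERYONE = "everyone"
    FRIENDS = "friends"
    ONLY_ME = "only_me"


@dataclass
class Profile:
    username: str
    name: str
    phone: str
    email: str
    # Two independent settings; the phone defaults to FRIENDS, not EVERYONE
    # (assumed defaults chosen for this example).
    phone_lookup: Visibility = Visibility.FRIENDS
    email_lookup: Visibility = Visibility.EVERYONE
    friends: frozenset = frozenset()


class ChallengeRequired(Exception):
    """The client has used up its lookup budget and must solve a CAPTCHA."""


class RateLimiter:
    """Fixed-window counter per client key (IP, session cookie, app token...)."""

    def __init__(self, limit, window_seconds, clock):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock      # injected so the window can be controlled in tests
        self.counts = {}        # client -> (window_start, lookups_in_window)

    def check(self, client):
        now = self.clock()
        start, count = self.counts.get(client, (now, 0))
        if now - start >= self.window:
            start, count = now, 0   # a new window begins
        count += 1
        self.counts[client] = (start, count)
        if count > self.limit:
            raise ChallengeRequired(client)


def phone(i):
    """Constructed test numbers: '+1' followed by ten digits."""
    return "+1%010d" % i


SAMPLE_PROFILES = [  # constructed sample data
    Profile("alice", "Alice A", phone(1), "alice@example.com",
            phone_lookup=Visibility.EVERYONE),
    Profile("bob", "Bob B", phone(2), "bob@example.com",
            friends=frozenset({"alice"})),
    Profile("carol", "Carol C", phone(3), "carol@example.com",
            phone_lookup=Visibility.ONLY_ME),
]
NUMBER_BLOCK = [phone(i) for i in range(1, 11)]   # the range a scraper walks


def lookup_by_phone_naive(profiles, phone_number):
    """Pre-fix behaviour: any caller, any number, no budget, no settings check."""
    for p in profiles:
        if p.phone == phone_number:
            return {"username": p.username, "name": p.name, "phone": p.phone}
    return None


class Directory:
    """Hardened lookup: rate-limited per client and gated by the owner's setting."""

    def __init__(self, profiles, limiter):
        self.by_phone = {p.phone: p for p in profiles}
        self.limiter = limiter

    def lookup_by_phone(self, phone_number, viewer, client):
        self.limiter.check(client)   # raises ChallengeRequired past the budget
        p = self.by_phone.get(phone_number)
        if p is None or p.phone_lookup is Visibility.ONLY_ME:
            return None
        if p.phone_lookup is Visibility.FRIENDS and viewer not in p.friends:
            return None
        return {"username": p.username, "name": p.name}   # number never echoed back


def harvest(lookup, numbers):
    """Walk a number block the way a scraper would; stop at the first challenge."""
    found = {}
    for n in numbers:
        try:
            hit = lookup(n)
        except ChallengeRequired:
            break
        if hit:
            found[n] = hit
    return found
```

Running `harvest` against `lookup_by_phone_naive` confirms all three sample numbers, which is the enumeration the interview describes. Against `Directory` with a `RateLimiter(limit=5, window_seconds=3600, ...)`, a stranger only gets Alice (the one profile set to EVERYONE), Bob is visible only to a viewer in his friends set, Carol is never returned, and the scraper is cut off at the sixth lookup in the window. The static image result Suriya mentions is a presentation-layer change and is not modelled here.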
H4S: How do you think this potential privacy breach can be exploited in the wild? Do you have any scenarios in which an attacker could actually benefit from the collected numbers and accounts?
SP: I had a few reports in which people used this to crawl corporate phone numbers. But I don't think it was exploited to its full extent, and Facebook fixed it. This would be VERY helpful in a spear phishing attack, in which a person's Facebook account details would make the attack easier.
H4S: You're in your junior days. Have you considered making a career in vulnerability research or another related field?
SP: I am not good at anything else, so computer security is the way to go.
H4S: Are you currently looking into other aspects of Facebook's security systems? If yes, can you share with us?
SP: I am now working with them to fix all the holes in the filters and find other possible areas for these kinds of attacks and invasions. That's all I can say for now. ;)
But speaking of motivations, many people asked me what I did with the data I harvested during the exploitation POC session. I can assure them that I will NEVER release ANYONE'S data. It's safely stored using the highest levels of encryption and will probably be destroyed sometime later.
This is Suriya, probably the world's youngest hacker to have ever come across a vulnerability of this magnitude. You can check the entire story on Suriya's blog, follow him on Twitter or befriend him on the very social network that fell victim to his sheer curiosity.
Over and out, the HotforSecurity team.