Insecuriy of Facebook Security questions....

[Nortcele]

Okay so this is something I presume most of you know about but this does make me rather worried/entertained about how easy it can be to access someones Facebook account my simply changing the password...

So when you forget your facebook password you are usually give the option to receive an Email or a Cal/Text to confirm your identity.

But if you dont have access to these (if you have set up a security question) you can clikc 'No longer have access to these' and you can input your answer and voila you have confirmed your identity.

Now this is where its gets fairly insecure, If the question is simply 'What street did you live on when you were 8 years old?' Its not difficult to do a search to find a home address and this is similar to many of the questions, with basic Social Engineering you can have access fairly easily.

There is a 24 hour wait but this usually is no problem.

Any thoughts on how insecure social media is?

[Will add pictures as proof of concept if requested]

[Killeramor]

As all the Jocks say, "Pics or it didn't happen."

[Nortcele]

I can't find the pics I had, if you have a look online I'm sure you will find what I'm on about

[lady__godiva]

What you are talking about is true. It's up to the user choosing an answer which isn't easy to guess. You are talking specifically about Facebook, but this is something that actually happens on most websites. More over i find interesting the most admins won't allow you (correctly) to bruteforce the login username/password, but will overlook how security question can be bruteforced instead.

So yea, security question relies too much on the user itself, which is a negative thing.

[FinalFrontier]

Fuck the system, my favorite teacher isn't PieCat

[HTH]

Honestly guys this is nothing new, major, groundbreaking, etc. This was considered a skiddy fast n dirty way to access an email/facebook/etc like... 6-7 years ago? It still works of course because people need a way to reset account info, can you imagine if every idiot who forgot their password had to call facebook/google/apple directly? But it only gets you access to old info, you dont learn the password, and worst of all, it leaves tracks EVERYWHERE.

[hypothetical]
I mean yes, when I needed to reset an iphone my sister had bought in her infinte wisdom from some random pawnshop... and it was still password protected and had its old phone number.

I did simply reset the password to the email, so i could reset the password for apple ID, then clean up my tracks as best I could, and trusted that it was some dumb hick who would just assume he forgot his password.
[/hypothetical]
BUT, I wouldn't consider it for anyone who had even half a brain.

[silenthunder]

LOL "I'll add pics if you ask"......"nevermind can't find them"

[proxx]

Junk thread, closed.