On Facebook’s social authentication

Recently Facebook added security controls to protect its users against unauthorised access:


It was about time to employ SSL in order to protect the passwords, but the use of “social authentication” creates a false sense of security:

1. CAPTCHAs are supposed to distinguish between a machine and a human, not between a hacker and a human. Perhaps we should emphasize that hackers are human! Watch out, Facebook, you will get Greenpeace on your tail; hackers are not animals :-p

2. The complexity of breaking the social CAPTCHA is linear, or at least it is definitely not exponential. Following point 1 above, a human hacker retains enough cognitive skill to gather enough information to “break” the challenge. Besides, the person’s characteristics, ethnic background, traits etc. form a side channel that helps eliminate some answers (for example, from the pictures below the person is less likely to be Nick Wilkerson, Tim Kuper or David Starling), so the probability distribution over the candidate names is not uniform.
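As an added illustration of point 2 (this is not code from the original post), the following Python models each round of the social challenge as a pick from a list of candidate names and measures, in bits, how much a non-uniform prior (a side channel ruling some names out or favouring one) reduces the work needed to pass. The counts used (6 names per photo, 7 photos) and the weights are constructed assumptions for the demonstration, not Facebook's actual parameters; the point is the measurement, which a defender can apply to any multiple-choice challenge.

```python
"""Min-entropy of a multiple-choice "social authentication" challenge.

Added example, not part of the original post. Each round is a photo with
``k`` candidate names; the guesser's prior over the names is uniform when
nothing else is known and non-uniform once a side channel (apparent age,
gender, ethnicity, the name itself) rules some candidates out.
"""
from math import log2
from typing import Sequence


def normalise(weights: Sequence[float]) -> list[float]:
    """Turn non-negative relative weights into a probability vector."""
    total = sum(weights)
    if total <= 0 or any(w < 0 for w in weights):
        raise ValueError("weights must be non-negative with a positive sum")
    return [w / total for w in weights]


def min_entropy_bits(probs: Sequence[float]) -> float:
    """-log2 of the most likely outcome: the right measure for guessing,
    since an attacker simply picks the candidate with the largest prior."""
    return -log2(max(probs))


def shannon_entropy_bits(probs: Sequence[float]) -> float:
    """Average information per round; equals min-entropy only when uniform.
    Shown for contrast because it overstates strength of a skewed prior."""
    return -sum(p * log2(p) for p in probs if p > 0)


def challenge_bits(rounds: Sequence[Sequence[float]]) -> float:
    """Total min-entropy of independent rounds is the sum per round."""
    return sum(min_entropy_bits(normalise(r)) for r in rounds)


def pass_probability(rounds: Sequence[Sequence[float]]) -> float:
    """Probability that the best-single-guess strategy clears every round."""
    return 2 ** -challenge_bits(rounds)


# Constructed scenarios (assumed parameters: 6 names per photo, 7 photos).
K, ROUNDS = 6, 7
UNIFORM = [[1.0] * K] * ROUNDS                  # nothing known about the photo
HALF_RULED_OUT = [[1, 1, 1, 0, 0, 0]] * ROUNDS  # side channel excludes 3 names
STRONG_FAVOURITE = [[0.7, 0.3, 0, 0, 0, 0]] * ROUNDS  # one name clearly likeliest


def summary() -> dict[str, tuple[float, float]]:
    """(bits of work, pass probability) for each scenario."""
    return {
        name: (challenge_bits(rounds), pass_probability(rounds))
        for name, rounds in [
            ("uniform", UNIFORM),
            ("half ruled out", HALF_RULED_OUT),
            ("strong favourite", STRONG_FAVOURITE),
        ]
    }


if __name__ == "__main__":
    for name, (bits, p) in summary().items():
        print(f"{name:18s} {bits:6.2f} bits  pass probability {p:.2e}")
```

With the assumed parameters a uniform prior gives about 18 bits over seven rounds, excluding half the names per photo drops that to about 11 bits, and a prior that favours one name at 0.7 leaves roughly 3.6 bits, which is why the exponential-looking 6^7 space says little about how hard the challenge is for a human who knows the victim's circle.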

Copyright © 2018 Information Security and Incident Response Research Unit. All Rights Reserved.