If you have ever tried to log in to Facebook from a new device, Facebook might prompt you to prove that you are the account holder by identifying photos of your friends.
Recently I needed to gain control of an account that was not mine (for which I had full authorization to do so) and had to go through this task.
Now, rather than waiting a day for my associate to help me “guess” who the people are in these photos, I decided to do some amateur social engineering and figure it out myself.
Bypassing this verification is ridiculously easy. It goes something like this:
1. Keep the photos that require verification open in one browser window.
2. Open a second browser, preferably on another monitor.
3. Use the second browser to navigate to Facebook.com.
4. Use Facebook’s own search to look up each name given in the multiple choice, and compare the results against the challenge photo until you find the match.
Let’s take a look at some “live” examples that took place less than 15 minutes ago:
This was probably the hardest one. I had no idea who this girl was, but I was able to guess her name without even being friends with her.
This one was even easier: Facebook simply used this guy’s profile photo.
Let’s just say I was able to guess 6/6 in about 5 minutes.
For starters, I would retire this method completely until Facebook is able to come up with some sort of fix for this.
In the meantime, the most effective way to deter someone from guessing the photos would be to remove the multiple choice option. If the names were not present in the multiple choice, there would be no names to search for, and attackers would most likely fail this test.
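Both weaknesses described above (candidate names handed to the user as multiple choice, and publicly visible profile photos used as challenge images) are server-side design choices. As an added example that is not from the original post, here is a Python sketch of a challenge grader that takes free-text answers, draws challenge images only from non-public, non-profile photos, and locks out after a few attempts; the photo schema, names and `SocialAuthChallenge` class are constructed for illustration.

```python
"""Defender-side grader for a 'name your friend' login challenge.
Added example, not Facebook code; all data and APIs here are constructed."""
import random
import unicodedata


def normalize(name: str) -> str:
    """Fold case, strip accents and collapse whitespace so 'José  PÉREZ'
    and 'jose perez' compare equal, without ever showing the user a list."""
    folded = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in folded if not unicodedata.combining(c))
    return " ".join(ascii_only.casefold().split())


def eligible_photos(photos: list) -> list:
    """Drop photos an outsider could match by searching: profile pictures
    and anything whose audience is 'public'. Constructed record schema:
    {"owner": str, "is_profile": bool, "audience": "public" | "friends"}"""
    return [p for p in photos
            if not p["is_profile"] and p["audience"] != "public"]


class SocialAuthChallenge:
    MAX_ATTEMPTS = 3  # a few wrong submissions and the challenge is dead

    def __init__(self, photos: list, rounds: int = 6, seed=None):
        pool = eligible_photos(photos)
        if len(pool) < rounds:
            # Not enough private material: fall back to another factor
            raise ValueError("too few non-public photos for this challenge")
        self.rounds = random.Random(seed).sample(pool, rounds)
        self.attempts = 0

    def grade(self, answers: list) -> bool:
        """Free-text answers only: no candidate names are presented, so there
        is nothing to look up. Every round must match, and a locked-out
        challenge never passes even with correct answers."""
        if self.attempts >= self.MAX_ATTEMPTS:
            return False
        self.attempts += 1
        matched = sum(normalize(a) == normalize(p["owner"])
                      for a, p in zip(answers, self.rounds))
        return matched == len(self.rounds)


SAMPLE_PHOTOS = [  # constructed sample data for the test run
    {"owner": "José Pérez", "is_profile": True, "audience": "public"},
    {"owner": "José Pérez", "is_profile": False, "audience": "friends"},
    {"owner": "Ann Lee", "is_profile": False, "audience": "public"},
    {"owner": "Ann Lee", "is_profile": False, "audience": "friends"},
]
```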
Do I get a $50,000 bug bounty from Facebook now or something?