It has been a long time since my last post. I was compelled to write this one because of the very easy yet serious nature of this exploit, which goes unnoticed most of the time. I compromised almost 17 accounts (6 LinkedIn, 11 Facebook). Some belonged to close friends, others to people whose names I barely knew. In every instance, I afterwards told the individual that they should take cognizance of this risk. All they were doing was having a conversation with me with their phones locked and left unattended. Yes, you heard me right: "phones locked", and I do not know their passwords.
So you might be wondering how I compromised their accounts. Let me break this down. On both iOS and Android you get notifications when someone views your profile, sends you a message, or tags you in a picture. Apps like Facebook, LinkedIn and many more rely on push notifications to deliver these, so that you engage with the app again. When a notification is pushed to your phone it appears in the Notification Center (the notification shade on Android), and by default the Notification Center, including the full text of each notification, can be viewed while the device is locked.
In our case, I go to Facebook or LinkedIn and tell it that I have lost my password and would like to reset it, on the victim's behalf. The site looks up the reset options for that account, and resetting via the phone comes up at the top. When you select it, a notification is pushed to the victim's phone carrying a security code to reset his or her password. If the victim is in a conversation with you and has left the phone unattended, you can read that notification off the lock screen even though the phone is locked; I'd put the probability of this happening to you at 5 in 10. That is all it takes if someone wants to take over your account. A 6-digit code is pushed to the victim's phone; you type that code into the reset page and you now own the account. It's that simple. Note that the same applies when the code arrives by SMS, since messages are previewed on the lock screen by default too.
Here is the step-by-step process. Let's start with Facebook first :-).
As I was writing this post right from my phone, I'm using an image that I captured earlier on the phone, which is exactly the same as on desktop. All the other images are screenshots of my computer taken with my phone. So bear with me for the mix and match 🙂
Let's look at LinkedIn now. It took me just 4 steps 🙂
Someone would argue that nobody leaves their phone like that, that it's not possible. I'm sure you would agree that we do it all the time; all we are concerned about is whether our phone is locked. The 8 accounts that I compromised belonged to people so glued to their computers that the phone was just sitting next to them.
This exploit is serious, especially because it works for every other app that pushes sensitive content to the lock screen. Banking apps are the last thing I'd like to see with this backdoor; unfortunately, they have it too.
Alright, how do we address this? Here are some recommendations:
- Always place your phone face down (i.e. make sure your phone's screen cannot be seen), especially at your workplace, in coffee shops and at parties.
- The other option is to turn off notifications for the apps you consider sensitive. Then, while the phone is locked, their notifications won't show up in the notification tray at all; you only see them once you unlock the phone and open the app itself.
- I know most of you hate doing both. So there is another option, which we hardly ever use: make the content of a notification visible only when the phone is unlocked. This is already there in iOS 11 ("Show Previews: When Unlocked"), which wasn't there in earlier versions. This is how you do it: https://www.howtogeek.com/252483/how-to-hide-sensitive-notifications-from-your-iphones-lock-screen/. The same goes for Android: https://www.howtogeek.com/253076/how-to-hide-sensitive-notifications-on-your-android-lock-screen/
- Apart from the obvious fixes mentioned above: if you are a developer reading this, I'd recommend implementing the protection at the application level rather than leaving it to the user's cognitive ability. I believe secure usage of a product is as important as its offerings. Android lets you mark a notification as private and supply a redacted public version (refer to the Android notification docs on `setVisibility` and `setPublicVersion`), so that a locked device never renders the sensitive text. iOS does not let an app force previews off, but it does let you choose the placeholder text shown when the user hides previews. On both platforms the decisive fix is the same: do not put the reset code in the notification body at all; push a "tap to continue" message and reveal the code only after the phone is unlocked and the app is open. It is about applying it in practice 🙂
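As an added example, not code from the original post nor from any of the apps discussed, here is how the Android side of that looks with AndroidX `NotificationCompat`: the leaky notification that puts the code in the body, beside a hardened version that marks the notification private and gives the lock screen a redacted public version instead. The channel id, notification id, `resetCode` parameter and the strings are hypothetical.

```kotlin
// Added example (not from the original post): keeping a password-reset
// code off the Android lock screen. Assumes AndroidX (androidx.core) and
// API 26+ for notification channels. CHANNEL_ID, RESET_NOTIFICATION_ID
// and resetCode are hypothetical names.
import android.app.Notification
import android.app.NotificationChannel
import android.app.NotificationManager
import android.content.Context
import android.os.Build
import androidx.core.app.NotificationCompat
import androidx.core.app.NotificationManagerCompat

const val CHANNEL_ID = "account_security"   // hypothetical channel id
const val RESET_NOTIFICATION_ID = 4242       // hypothetical notification id

// Register the channel once (API 26+). Marking the channel PRIVATE means a
// secure lock screen shows only the public version of its notifications.
fun ensureChannel(context: Context) {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) return
    val channel = NotificationChannel(
        CHANNEL_ID, "Account security", NotificationManager.IMPORTANCE_HIGH
    ).apply {
        lockscreenVisibility = Notification.VISIBILITY_PRIVATE
    }
    context.getSystemService(NotificationManager::class.java)
        .createNotificationChannel(channel)
}

// Leaky version: the one-time code sits in the body, so anyone who can see
// the locked phone can read it. This is the behaviour described in the post.
fun leakyResetNotification(context: Context, resetCode: String): Notification =
    NotificationCompat.Builder(context, CHANNEL_ID)
        .setSmallIcon(android.R.drawable.ic_lock_lock)
        .setContentTitle("Password reset")
        .setContentText("Your reset code is $resetCode")
        .build()

// Hardened version: the notification carrying the code is VISIBILITY_PRIVATE,
// and the system renders the redacted public version while the device is
// locked. The code is only visible after unlocking.
fun privateResetNotification(context: Context, resetCode: String): Notification {
    val publicVersion = NotificationCompat.Builder(context, CHANNEL_ID)
        .setSmallIcon(android.R.drawable.ic_lock_lock)
        .setContentTitle("Password reset")
        .setContentText("Unlock your phone to view the reset code")
        .setVisibility(NotificationCompat.VISIBILITY_PUBLIC)
        .build()

    return NotificationCompat.Builder(context, CHANNEL_ID)
        .setSmallIcon(android.R.drawable.ic_lock_lock)
        .setContentTitle("Password reset")
        .setContentText("Your reset code is $resetCode")
        .setVisibility(NotificationCompat.VISIBILITY_PRIVATE)
        .setPublicVersion(publicVersion)
        .build()
}

// Posts the hardened notification. On API 33+ the app also needs the
// POST_NOTIFICATIONS runtime permission before this call succeeds.
fun postResetNotification(context: Context, resetCode: String) {
    ensureChannel(context)
    NotificationManagerCompat.from(context)
        .notify(RESET_NOTIFICATION_ID, privateResetNotification(context, resetCode))
}
```

Two caveats when relying on this. The private/public split only takes effect when the device has a secure lock screen and the user has not switched the system setting to show sensitive content anyway, so it reduces the exposure rather than eliminating it; and if no public version is supplied, Android redacts a private notification down to the app name, which is still better than showing the code. The more robust design, on Android and iOS alike, is to never send the code in the push payload and instead have the notification open the app, which fetches and displays the code only after the phone is unlocked.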
I hope this helps you understand the risk and how it can be mitigated. Stay tuned! I’ll come back with some more interesting stuff.