Facebook Uses Potentially Insecure Encryption for Email

It seems like everyone in every nook and corner of the world is after Facebook. From the privacy controversy to the recent death warrant against Zuckerberg, Facebook is having a tough time. And to add to these woes, we have John Graham-Cumming at http://blog.jgc.org, who has written a post showing how vulnerable the Facebook mail system is.


Facebook emails are signed using DKIM.

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message while it is in transit. The organization is a handler of the message, either as its originator or as an intermediary, and its reputation is the basis for evaluating whether to trust the message for delivery. Technically, DKIM provides a method for validating a domain-name identity associated with a message through cryptographic authentication: the sending domain signs the message, and the receiver checks that signature against a public key the domain publishes.

John Graham-Cumming took the DKIM header from a mail sent by Facebook and found that it pointed to an RSA public key. On passing that key to openssl, he obtained its length, which stands at only 512 bits. A key that short makes emails sent from Facebook easy to tamper with, re-sign and send back to the user. Not only that, an attacker could send an email signed with that key, making it appear to come from Facebook.
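The check described above, pulling the signer's public key and asking how long it is, is the kind of thing a mail administrator should run against their own selectors. The following is an added example, not code from John Graham-Cumming's post or from Facebook. DKIM publishes the public key as a DNS TXT record at `selector._domainkey.domain` with a `p=` tag holding a base64 SubjectPublicKeyInfo; the example parses such a record, walks the DER structure to the RSA modulus, and flags anything under 1024 bits. The two records it tests are constructed here from made-up moduli (they are not real RSA keys and not Facebook's key), built by the small DER encoder at the top so the whole thing runs offline.

```python
import base64
import re

# --- Minimal DER encoder: used only to build the constructed sample records below ---
def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value

def der_int(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:          # keep the INTEGER positive
        body = b"\x00" + body
    return der_tlv(0x02, body)

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def build_spki(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING { RSAPublicKey { n, e } } }."""
    rsa_pub = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    alg_id = der_tlv(0x30, RSA_OID + b"\x05\x00")          # rsaEncryption, NULL params
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_pub))

def build_dkim_txt(modulus: int) -> str:
    """Shape of a DKIM selector TXT record (RFC 6376 tag=value list)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(build_spki(modulus)).decode()

# Constructed moduli: top bit set so the bit length is exact. NOT real RSA keys.
WEAK_MODULUS = (1 << 511) | 0x10001       # 512-bit, the size discussed in the post
STRONG_MODULUS = (1 << 2047) | 0x10001    # 2048-bit
WEAK_RECORD = build_dkim_txt(WEAK_MODULUS)
STRONG_RECORD = build_dkim_txt(STRONG_MODULUS)
REVOKED_RECORD = "v=DKIM1; k=rsa; p="     # empty p= means the key is revoked

# --- Checking side: what a defender runs against a published selector record ---
def read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_dkim_txt(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # whitespace inside p= is allowed
    return tags

def rsa_modulus_bits(spki_der: bytes) -> int:
    """Walk SubjectPublicKeyInfo down to the RSA modulus and return its bit length."""
    tag, spki, _ = read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg, pos = read_tlv(spki, 0)         # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = read_tlv(spki, pos)    # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = read_tlv(bitstr[1:], 0) # skip the unused-bits byte
    tag, n_bytes, _ = read_tlv(rsa_pub, 0)  # first INTEGER is the modulus n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

def assess_dkim_key(record: str, minimum_bits: int = 1024):
    """Return (bits, verdict): 'weak' below minimum_bits, 'ok' otherwise, None if unusable."""
    tags = parse_dkim_txt(record)
    if tags.get("k", "rsa") != "rsa":
        return None, "not-rsa"
    if not tags.get("p"):
        return None, "revoked"
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return bits, ("weak" if bits < minimum_bits else "ok")

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD), ("revoked", REVOKED_RECORD)):
        print(name, assess_dkim_key(rec))
```

In practice the record text comes from a DNS lookup of `selector._domainkey.domain` (the selector is the `s=` tag of the message's `DKIM-Signature` header); the 1024-bit floor is the assumption here, and a modulus shorter than that is the finding the post describes.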

Facebook has been informed of this, and it is expected that they will make changes to close this hole.

We have kept Facebook really busy over the last few months! The good old saying “With great power comes great responsibility” is so true.

Published by

Chinmoy Kanjilal

Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. He rants occasionally at TomsVPN.com. You can connect with him on Twitter @ckandroid.

  • DKIM is not an encryption system at all; it is a digital signature. While it would be better for Facebook to use a longer key or to rotate their signing keys more frequently, there are a great many domains that are not yet signing with DKIM at all. It would be more productive to focus on those domains first.


    The front page on Facebook has started including the user's email address in the source code. This page is sent using the insecure HTTP protocol inviting a hacker to obtain millions of valid email addresses of Facebook users!!