Facebook Uses a Potentially Insecure Signing Key for Email

It seems like everyone in every nook and corner of the world is after Facebook. From the privacy controversy to the recent death warrant against Zuckerberg, Facebook is having a tough time. And to add to these woes, John Graham-Cumming at http://blog.jgc.org has written a post showing a weakness in the way Facebook signs its email.


Facebook emails are signed using DKIM.

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message while it is in transit. The organization is a handler of the message, either as its originator or as an intermediary, and its reputation is the basis for deciding whether to trust the message for delivery. Technically, DKIM validates a domain name identity associated with a message through cryptographic authentication: the sender signs selected headers and the body with a private key, and the receiver fetches the matching public key from the sender's DNS (published under the selector named in the DKIM-Signature header) to verify the signature.

John Graham-Cumming took the DKIM-Signature header from a mail sent by Facebook, looked up the public key it points to, and found that it is an RSA key. Passing that key to openssl reports the modulus size, and it is only 512 bits. An RSA modulus of that size can be factored with modest computing resources, and whoever factors it recovers Facebook's private signing key. That makes it possible to take an email sent from Facebook, tamper with it, re-sign it and send it on to the user. Not only that, an attacker can send any email signed with that key and it will appear to come from Facebook.
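The check described above, written out as an added example (this is not code from John Graham-Cumming's post or from Facebook): read the selector and domain out of a DKIM-Signature header to form the DNS name that holds the public key, pull the base64 p= value out of the TXT record, parse the DER SubjectPublicKeyInfo and report the RSA modulus size. A small hand-rolled DER encoder and decoder stand in for openssl so that the script runs offline; the header, the TXT records and the keys themselves are all constructed here (the moduli are just integers of the right size, not real products of two primes), and the domain, selector and placeholder signature values are assumptions. The 1024-bit threshold is the signer minimum from RFC 6376, which RFC 8301 later made the floor for verifiers as well.

```python
"""Check how big the RSA key behind a DKIM signature is.

Added example; not code from the original post or from Facebook. The header,
the DNS TXT records and the keys are constructed below so it runs offline.
"""
import base64
import hashlib

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)
MINIMUM_BITS = 1024  # RFC 6376 signer minimum; RFC 8301 has verifiers reject shorter keys


def _der(tag, body):
    """Wrap body in a DER tag-length-value (short or long form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _der_int(value):
    # (bit_length + 8) // 8 bytes yields a leading 0x00 when the top bit is set, keeping the INTEGER positive
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def rsa_spki_der(n, e):
    """Encode (n, e) as the DER SubjectPublicKeyInfo that a DKIM p= tag carries."""
    alg = _der(0x30, RSA_OID + b"\x05\x00")                 # AlgorithmIdentifier {rsaEncryption, NULL}
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))  # RSAPublicKey {modulus, publicExponent}
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_public_key))  # BIT STRING with 0 unused bits


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low seven bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Parse a DER SubjectPublicKeyInfo and return the RSA modulus size in bits."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    _, alg, pos = _read_tlv(spki, 0)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string, 1)  # skip the unused-bits byte
    tag, modulus, _ = _read_tlv(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def _dkim_tags(text):
    """Parse DKIM tag=value lists (RFC 6376 section 3.2), used by both the header and the DNS record."""
    tags = {}
    for field in text.split(";"):
        name, sep, value = field.strip().partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def dkim_dns_name(dkim_signature_header):
    """DNS name holding the signer's public key: <selector>._domainkey.<domain>."""
    tags = _dkim_tags(dkim_signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def dkim_key_from_txt(txt_record):
    """Return the DER public key carried in a DKIM TXT record's base64 p= tag."""
    tags = _dkim_tags(txt_record)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key record")
    if not tags.get("p"):
        raise ValueError("key has been revoked (empty p=)")
    return base64.b64decode(tags["p"])


def assess_dkim_key(txt_record, minimum_bits=MINIMUM_BITS):
    """Return (modulus_bits, acceptable) for the key published in a DKIM TXT record."""
    bits = rsa_modulus_bits(dkim_key_from_txt(txt_record))
    return bits, bits >= minimum_bits


# Constructed header in the shape of a DKIM-Signature; domain and selector are assumed,
# bh= and b= are placeholders rather than real values.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.com; s=s1;\r\n"
    "\th=From:To:Subject:Date; bh=PLACEHOLDERHASH=; b=PLACEHOLDERSIG="
)


def _constructed_modulus(bits):
    """Deterministic odd integer of exactly `bits` bits; NOT a real RSA modulus, only its size matters here."""
    raw = int.from_bytes(hashlib.sha512(b"dkim key size example").digest() * (bits // 512 + 1), "big")
    return (raw & ((1 << bits) - 1)) | (1 << (bits - 1)) | 1


def build_txt_record(modulus_bits):
    """Constructed DKIM TXT record carrying an RSA key of the given size (exponent 65537)."""
    spki = rsa_spki_der(_constructed_modulus(modulus_bits), 65537)
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    print("would query TXT record:", dkim_dns_name(SAMPLE_DKIM_SIGNATURE))
    for size in (512, 1024, 2048):
        bits, ok = assess_dkim_key(build_txt_record(size))  # stands in for the DNS answer
        print(f"{bits}-bit RSA key:", "acceptable" if ok else "too short; private key recoverable by factoring")
```

Against a live domain the same steps are `dig +short TXT <selector>._domainkey.<domain>`, then wrapping the p= value in `-----BEGIN PUBLIC KEY-----` / `-----END PUBLIC KEY-----` lines and running `openssl rsa -pubin -noout -text` on it, which prints the modulus size as the first line; that is the openssl step the post describes.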

Facebook has been informed of this, and it is expected that they will make changes to close this weakness.

We have kept Facebook really busy over the last few months! The good old saying “With great power comes great responsibility” has never rung truer.

Published by

Chinmoy Kanjilal

Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. You can connect with him on Twitter @ckandroid.