Facebook Uses Potentially Insecure Encryption for Email
By Chinmoy Kanjilal on June 19th, 2010

It seems like everyone in every nook and corner of the world is after Facebook. From the privacy controversy to the recent death warrant against Zuckerberg, Facebook is having a tough time. Adding to these woes, John Graham-Cumming at http://blog.jgc.org has written a post showing how vulnerable the Facebook mail system is.


Facebook emails are signed using DKIM.

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message while it is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

John Graham-Cumming took the DKIM header from a Facebook email and found the RSA public key used to verify it. Passing that key to openssl showed that the key is only 512 bits long. A key that short makes emails sent from Facebook easy to tamper with, re-sign and send on to the user. Not only that, an attacker can send an email signed with that key, making it appear to come from Facebook.
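The key-length check described above can be reproduced on a DKIM DNS TXT record. This is an added example, not code from the original post or from John Graham-Cumming: the helper names and the 1024-bit threshold are assumptions, and the sample records are built from constructed moduli, not real keys.

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
MIN_BITS = 1024  # assumed threshold for this example (RFC 8301 minimum for DKIM RSA keys)

def _tlv(tag, body):
    """DER-encode one tag/length/value element."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def _read(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#x} at offset {pos}")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + n], pos + n

def make_record(n, e=65537):
    """Build a constructed DKIM TXT record around modulus n (sample data, not a real key)."""
    integer = lambda x: _tlv(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    key = _tlv(0x03, b"\x00" + _tlv(0x30, integer(n) + integer(e)))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(_tlv(0x30, alg + key)).decode()

def dkim_rsa_bits(record):
    """Return the RSA modulus size in bits for a DKIM key record."""
    tags = {k.strip(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("not an RSA DKIM key record (or key revoked)")
    spki, _ = _read(base64.b64decode("".join(tags["p"].split())), 0, 0x30)
    _alg, pos = _read(spki, 0, 0x30)
    bitstring, _ = _read(spki, pos, 0x03)
    rsa_key, _ = _read(bitstring[1:], 0, 0x30)  # skip the unused-bits byte
    modulus, _ = _read(rsa_key, 0, 0x02)
    return int.from_bytes(modulus, "big").bit_length()

def is_weak(record, min_bits=MIN_BITS):
    """True when the published key is shorter than the chosen minimum."""
    return dkim_rsa_bits(record) < min_bits

if __name__ == "__main__":
    for rec in (make_record((1 << 511) | 1), make_record((1 << 2047) | 1)):
        print(dkim_rsa_bits(rec), "bits:", "WEAK" if is_weak(rec) else "ok")
```

Run against the `p=` value a domain actually publishes under its DKIM selector, the same function reports the size of the key that receivers will trust.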

Facebook has been informed of this and it is expected that they will make some changes to prevent this exploit.

We have kept Facebook really busy over the last few months! The good old saying “With great power comes great responsibility” holds very true.

Author: Chinmoy Kanjilal
Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. He rants occasionally at Techarraz.com. You can connect with him on Twitter @ckandroid.

Chinmoy Kanjilal has written and can be contacted at chinmoy@techie-buzz.com.

Copyright 2006-2012 Techie Buzz. All Rights Reserved. Our content may not be reproduced on other websites. Content Delivery by MaxCDN