Hack A Facebook Account By Exploiting Facebook's Trusted Friend Feature

Facebook is constantly trying to improve the security of its website by introducing new features that help Facebook users stay safe and secure. We recently published a report that around "83 Million Facebook Accounts Are Fake", so Facebook is having a tough time improving its services and making them spam-free and more secure. One of the important security features Facebook introduced in late 2011 is the "Trusted Friends" feature.

This feature lets a Facebook user recover his or her account by choosing three trusted friends. When the user is locked out, Facebook provides each trusted friend with a key (code), and the user has to call those friends and ask for the codes. Once the user has entered all three keys, he or she regains access to the account.

Exploiting Facebook's Trusted Friends Feature To Hack A Facebook Account:

However, this feature can be exploited to hack a Facebook account: an attacker who creates three fake Facebook profiles and gets the victim to accept them as friends could potentially be chosen as the victim's trusted friends, and with that, the recovery codes would go to the attacker.

In practice the process is not as simple as it looks, because Facebook has added security measures that make it considerably more difficult. Below is the comment of a Facebook employee who works on the site's integrity team.

Hi my name is Jake and I work on the Site Integrity team at Facebook. The attack described in this article is misleading in that it is relying on the notion that Facebook users will not only get tricked into adding fake accounts as friends, but then they’ll trust strangers with being their Trusted Friends over friends or family or someone the user actually knows. In addition to the fact that we are constantly working to identify and remove fake accounts, the assertion that any that are on the site could systematically trick users into giving them a backdoor into their account is a big stretch.

It should also be noted that Facebook has safeguards in place to prevent attacks such as these. We have detection systems that flag and block not only fake accounts, but friend requests that seem fraudulent (i.e. the sender and recipient do not know each other). We also have systems that detect suspicious logins and block access to your account if a hacker is trying to log in as you.

If you have not set Trusted Friends and are trying to go through account recovery, we require you to pick friends from different clusters (e.g. coworkers, classmates, family) specifically to prevent gaming of this recovery process. Furthermore, if the attack vector described in this article, which seems extremely unlikely, were to succeed, a 24 hour lockout period occurs at the beginning of any account recovery done through Trusted Friends. Notifications are sent to any contact information confirmed on the account, giving the user the ability to lock down their account, disavow the recovery and reclaim access to their account.

How To Secure Your Facebook Account

The easiest way of securing your Facebook account against this attack is to set up trusted friends yourself, choosing people you actually know, so that an attacker's fake profiles can never end up in that list:

What are trusted friends?

Trusted friends are friends you can reach out to if you ever get locked out of your Facebook account (ex: you turn on login approvals and then lose your phone, you forget your Facebook password and can’t get into your login email account to receive a password reset). If you get locked out, we’ll send each of your trusted friends a security code. All you need to do is call your friends and collect the codes.

You’ll only need 3 codes to get back into your account, but we recommend picking 5 trusted friends so you have back-up. Your trusted friends should be people you can easily call and who are likely to respond to you quickly.

You can pick your trusted friends from your Security Settings page.

How do I set up trusted friends?

To set up trusted friends:

1. Go to your Security Settings page (Account > Account Settings > Security)
2. Click on the Trusted Friends section
3. Click Choose Trusted Friends
4. Scroll through your friends or search for specific friends
5. Select 5 friends and confirm your choices

Note that you can edit your list of trusted friends from this page anytime.
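The recovery flow described above (three codes out of five trusted friends) and the safeguards the Facebook employee lists (friends from different clusters, a 24-hour lockout before recovery completes, notifications to the account's confirmed contacts so the real owner can disavow) can be put together in a short simulation. The following is an added example written for this page, not Facebook's code; the two-cluster minimum, the 8-hex-digit code format and the names and contact address are assumptions made for the demo.

```python
import hmac
import secrets

CODES_REQUIRED = 3           # page: "You'll only need 3 codes"
RECOMMENDED_FRIENDS = 5      # page: "we recommend picking 5 trusted friends"
LOCKOUT_SECONDS = 24 * 3600  # page: "a 24 hour lockout period"


def clusters_are_diverse(friend_clusters, min_clusters=2):
    """Trusted friends should span different social clusters (coworkers,
    classmates, family) so one batch of fake profiles cannot cover them all.
    The minimum of 2 clusters is an assumption; the page only says 'different'."""
    return len(set(friend_clusters.values())) >= min_clusters


class TrustedFriendsRecovery:
    """Simulated 3-of-N trusted-contacts recovery with lockout and disavow."""

    def __init__(self, owner_contacts, trusted_friends):
        if len(trusted_friends) < CODES_REQUIRED:
            raise ValueError("not enough trusted friends to reach the threshold")
        self.owner_contacts = list(owner_contacts)  # confirmed email / phone
        self.trusted_friends = list(trusted_friends)
        self.notifications = []  # (contact, message) sent to the real owner
        self.codes = {}          # friend -> one-time code delivered to that friend
        self.accepted = set()    # friends whose code has been accepted
        self.started_at = None
        self.disavowed = False

    def start(self, now):
        """Issue one code per trusted friend, start the lockout clock and
        notify every confirmed contact so the owner can disavow the attempt."""
        self.started_at = now
        self.accepted.clear()
        self.disavowed = False
        self.codes = {f: secrets.token_hex(4) for f in self.trusted_friends}
        for contact in self.owner_contacts:
            self.notifications.append(
                (contact, "Account recovery via trusted friends was started; "
                          "disavow it if this was not you"))
        return dict(self.codes)  # in reality these go to the friends, not the caller

    def submit_code(self, friend, code):
        """Accept a code only for a listed friend, compared in constant time.
        A friend is counted once no matter how often the code is resubmitted."""
        expected = self.codes.get(friend)
        if expected is None or self.disavowed:
            return False
        if not hmac.compare_digest(expected, code):
            return False
        self.accepted.add(friend)
        return True

    def disavow(self):
        """The real owner, alerted by a notification, cancels the recovery."""
        self.disavowed = True
        self.accepted.clear()

    def status(self, now):
        if self.started_at is None:
            return "not_started"
        if self.disavowed:
            return "disavowed"
        if len(self.accepted) < CODES_REQUIRED:
            return "insufficient_codes"
        if now - self.started_at < LOCKOUT_SECONDS:
            return "lockout"
        return "recovered"


def demo():
    """Walk through a constructed recovery and return the observed states."""
    friends = ["alice", "bob", "carol", "dave", "erin"]  # constructed names
    clusters = {"alice": "family", "bob": "coworkers", "carol": "classmates",
                "dave": "family", "erin": "coworkers"}
    out = {"diverse": clusters_are_diverse(clusters)}
    r = TrustedFriendsRecovery(["owner@example.invalid"], friends)
    codes = r.start(now=0)
    out["wrong_code"] = r.submit_code("alice", "00000000")
    out["unknown_friend"] = r.submit_code("mallory", codes["alice"])
    for f in ("alice", "bob", "alice"):  # alice twice still counts once
        r.submit_code(f, codes[f])
    out["two_distinct"] = r.status(now=0)
    r.submit_code("carol", codes["carol"])
    out["before_lockout"] = r.status(now=3600)
    out["after_lockout"] = r.status(now=LOCKOUT_SECONDS)
    out["notified"] = len(r.notifications)
    r.disavow()
    out["disavowed"] = r.status(now=LOCKOUT_SECONDS)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two controls that matter against the fake-profile scenario are visible in `demo()`: even with three accepted codes the account is not released until the lockout has elapsed, and during that window a single notification to a confirmed contact lets the owner call `disavow()`, after which the collected codes are worthless.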

If you would like to learn the exact techniques which hackers use to hack a facebook account, I would recommend you to take my "Facebook Hacking Course".