In November of 2010, Facebook introduced their “@facebook.com” messaging option that gave users the opportunity to create their own facebook.com email address. Currently, all Facebook users have the ability to claim their own facebook.com email address. It’s easily accessible from the “messages” page, if your account has not already been set up for it. While the service is a nice way of communicating with non-Facebook friends via email and the Facebook message dashboard, there are some security issues that open up along with the service.
Facebook accepts incoming email messages for delivery from their MX Record – smtpin.mx.facebook.com (126.96.36.199). These messages are currently being accepted for delivery based on their source IP address and whether or not the address is associated with a PTR record. This is supposed to prevent spoofing, but the mail server only checks the IP for a valid PTR record for that IP, and not if the domain of the sender’s email address matches the IP of the mail server. To fix this, Facebook needs to ensure that a message coming from a gmail.com address is originating from a Gmail mail server. Messages from non-PTR record IP addresses are stopped by the Facebook mail server.
SMTP connection attempt from an IP without a PTR record:
$ telnet 188.8.131.52 25 Trying 184.108.40.206...
Connected to smtpin.mx.facebook.com (220.127.116.11).
Escape character is '^]'.
554 5.1.8 DNS-P3 http://postmaster.facebook.com/response_codes? #dns-p No PTR Record
Connection closed by foreign host.
The Facebook mail server does however allow incoming messages from IPs with a PTR record, which allows us to spoof messages from other users. If you are behind an IP address with a PTR record, you can spoof a message from an external domain to a facebook.com email address.
Currently, Facebook is properly blocking incoming messages spoofing a facebook.com domain. If Facebook gets breached, and their semi-private @facebook.com email addresses are leaked publicly, someone could easily start spoofing messages between users to propagate spam, phishing attacks, and/or malware. Right now, it’s not very hard to guess someone’s Facebook email address based off of their Facebook username, so Facebook needs to implement a filter that ensures the IP address from which a message originates matches the IP address of the MX record for the domain the message claims to come from. This will prove the sender of the message is on the same domain as the address they are claiming to represent. This does not outright remove the risk of spoofing between users, but it’s a good start. Currently Facebook does some notification on suspicious messages. This equates to a small yellow triangle in the right hand corner of the message. It’s not very obvious and could easily be interpreted as “important” or “urgent.”
The above message was sent from my spoofed Gmail address to my @facebook.com address.
It should be noted that Facebook is not the only site that falls victim to SMTP spoofing issues. Many of the social networking sites that allow users to accept emails as messages may be vulnerable to the same issues.
PTaaS is NetSPI’s delivery model for penetration testing. It enables customers to simplify the scoping of new engagements, view their testing results in real time, orchestrate faster remediation, perform always-on continuous testing, and more - all through the Resolve™ vulnerability management and orchestration platform.
We help organizations defend against adversaries by being the best at simulating real-world, sophisticated adversaries with the products, services, and training we provide. We know how attackers think and operate, allowing us to help our customers better defend against the threats they face daily.
At NetSPI, we believe that there is simply no replacement for human-led manual deep dive testing. Our Resolve platform delivers automation to ensure our people spend time looking for the critical vulnerabilities that tools miss. We provide automated and manual testing of all aspects of an organization’s entire attack surface, including external and internal network, application, cloud, and physical security.
Our proven methodology ensures that the client experience and our findings aren’t only as good as the latest tester assigned to your project. That consistency gives our customers assurance that if vulnerabilities exist, we will find them.