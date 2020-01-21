What have APT20 hackers done? Bypass 2FA

A new paper entitled “The Chameleon Attack: Manipulating Content Display in Online Social Media” has been published by academics from Ben-Gurion University of the Negev (BGU), Israel, suggesting that inherent flaws in social networks can enable a form of “Chameleon” attack.

The team, consisting of Aviad Elyashar, Sagi Uziel, Abigail Paradise and Rami Puzis of the Telekom Innovation Laboratories and the Department of Software and Information Systems Engineering, says that shortcomings in how posts and messages are handled on Facebook, Twitter and LinkedIn, as well as other social media platforms, can be exploited to tamper with users’ activity so that it appears “completely different, harmful and potentially criminal.”

According to the research published on arXiv.org, the issue is an interesting design flaw rather than a security vulnerability: content, including messages, can be edited and changed without notifying the users who have liked or responded to it of any change.

Content that includes redirect links, shortened for branding purposes and to stay within character limits, may also be susceptible, since the link target can change without notice.

During the experiments, the researchers used the Chameleon method to change publicly posted videos on Facebook. The number of reactions and comments remained the same, but nothing indicated the change to anyone who had previously interacted with the content.

“Imagine watching a fun kitty video in your Facebook feed and ‘liking it’ and a day later a friend calls to find out why you ‘liked’ an ISIS video,” said Dr. Rami Puzis, a researcher at the BGU Department of Software and Information Systems Engineering. “You log in again and notice that there is indeed a ‘like’ there. The consequences of indicating support by liking something that you would never do (Biden vs. Trump, Yankees vs. Red Sox, ISIS vs. US) from employers, friends, family or government enforcement that is unaware of this scam on social media, can cause damage within a few minutes.”

Scams come to mind first, but in a world where propaganda, fake news and troll farms rage across social networks (Russia’s alleged interference in the previous US elections is a good example), and where our physical and digital identities are closely tied, these design weaknesses can have serious consequences for users.

In a hypothetical attack scenario, the researchers say that a target can be selected and reconnaissance conducted via a social network. Innocuous messages and links can then be created to “build trust” with an unsuspecting victim, or group, before the switch is made through a Chameleon attack, quickly changing what the target’s visible likes and comments appear to relate to.

“First and foremost, social network chameleons can be used for shaming or accusation, as well as to facilitate the creation and management of fake profiles in social networks,” says Puzis. “They can also be used to evade censorship and monitoring, in which a disguised post reveals its true self after being approved by a moderator.”

When contacted by the team, Facebook dismissed the concerns, labeling the problem a phishing attack and stating that “such issues are not eligible for our bug bounty program.”

The LinkedIn team has started an investigation.

However, both Facebook and LinkedIn have a partial mitigation in place: an icon is displayed when content is edited after publication.
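The flaw and the two levels of mitigation can be modelled in a few lines. The following is an added illustration, not code from the paper or from any platform: it assumes a toy `Post` class in which a reaction is bound to a hash of the content the user actually saw, so a later edit can be surfaced to that user specifically, rather than only showing a generic “edited” icon.

```python
from dataclasses import dataclass, field
from hashlib import sha256


@dataclass
class Post:
    post_id: str
    body: str          # for a shortened link, hash the resolved target, not the short URL
    edited: bool = False
    # user -> hash of the content that user reacted to (hypothetical data model)
    reactions: dict = field(default_factory=dict)

    def content_hash(self) -> str:
        return sha256(self.body.encode()).hexdigest()

    def react(self, user: str) -> None:
        # Bind the reaction to the exact content seen, not merely to the post id.
        self.reactions[user] = self.content_hash()

    def edit(self, new_body: str) -> None:
        self.body = new_body
        self.edited = True


def naive_feed_view(post: Post, viewer: str) -> dict:
    """The design flaw: a like is keyed only on the post id, so after an edit the
    viewer still sees their like and gets no hint that the content changed."""
    return {"body": post.body, "liked": viewer in post.reactions, "warning": None}


def hardened_feed_view(post: Post, viewer: str) -> dict:
    """Compare the hash stored with the reaction against the current content.
    A bare 'edited' icon (the partial mitigation) is shown to everyone; a
    per-user warning tells the viewer the edit happened after they reacted."""
    reacted_hash = post.reactions.get(viewer)
    warning = None
    if reacted_hash is not None and reacted_hash != post.content_hash():
        warning = "content changed after you reacted"
    elif post.edited:
        warning = "edited"
    return {"body": post.body, "liked": reacted_hash is not None, "warning": warning}


def demo() -> tuple:
    # Constructed sample: a user likes a harmless post, which is then swapped.
    post = Post("p1", "cute kitten video")
    post.react("alice")
    post.edit("something alice would never endorse")
    return naive_feed_view(post, "alice"), hardened_feed_view(post, "alice")
```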

Twitter said the behavior had been reported to the microblogging platform in the past and added, “Although it may not be ideal, we do not currently believe that this involves a greater risk than the ability to tweet a URL because the content of a webpage can also be changed without warning.”

WhatsApp and Instagram are generally not susceptible to these attacks, while Reddit and Flickr are.

“People on social media today make a judgment in seconds, so this is a problem that needs to be resolved, especially before the upcoming US elections,” says Puzis.

The research will be presented in April at The Web Conference in Taipei, Taiwan.

