Monday, July 2, 2012

Facebook Email and the Built-In Spoofing

When I wrote that social networking could be used to make email more secure, I wasn’t thinking of the man-in-the-middle attack over the weekend that has Facebook users cringing this morning. For those who missed the story, the latest change at Facebook makes it hard to find users’ email addresses (going so far as to delete address books on some users’ phones) and impossible to determine the true origin of an email message sent to a Facebook account. This is the opposite of what I was talking about.

I am not on Facebook myself, but based on what I am hearing, it is now ludicrously easy to send an email message to a Facebook user’s account and have it appear to be from one of the user’s friends. You do this by spoofing a return email address the friend has registered with Facebook. The new Facebook email system, installed in stages since Friday, strips out both the actual origin of the message and its spoofed return address and presents the message to the recipient as if it had been sent by the friend from inside Facebook. I have not heard any stories of criminal organizations actually exploiting this feature of the Facebook email system yet, but surely it is just a matter of a day or two before that starts happening. Facebook has literally built spoofing into its new email system, and by doing so, Facebook is making spoofing an unavoidable part of the user experience. From now on, whenever you get any message on Facebook, you will have to stop to ask whether it really comes from your friend, or whether it might be from a criminal organization instead.

Meanwhile, users say real email messages have gone missing. The objective of social network email done correctly is not to make email more open than Internet email, but to make it more of a closed system, so that recipients can have greater confidence in the origin of messages. Facebook is doing it all wrong.