July 16th, 2009

Neko (lofulah)

Bebo oddness

For several days, my Bebo account was hijacked - out of the blue, I got an email informing me that my primary email was changed, and then it was verified about 4 hours later. At that point, I couldn't log on anymore; my password was changed. All my personal information was erased, and my birthdate set to April... 15? 16?

After some back-and-forth with Bebo support, I've managed to regain control of my account.

I'm wondering if this is a bot or a targeted attack. I'm the developer of Warbook, so I imagine there might be one or two script kiddies that might think it cool to get into my account.

Current evidence leans towards a bot:
On June 14, 2009, I got an email from Bebo. My registered email address had been changed to benjuang@hotmail.co.uk. This one came at 5:41 PM PST.

I caught this pretty early (within 2 hours of it happening), logged in and changed my email address back and changed the password.

Then on July 12, 2009, I got another email from Bebo. My registered email address had been changed to benjuang@live.co.uk. This one came at 5:33 AM PST.

At 9:39 AM PST, I got another email from Bebo, thanking me for verifying my email address. Oddly enough, this thanks-for-verifying came to my original account email.

When I tried to log on, I found my password had been changed. Contacted Bebo support, and after I replied to their copy-pasted-"how to change your password" message, they replied with:

Thank you for your email and for using Bebo. In order to confirm you are the owner of the profile in question, please send the following details:

* CURRENT USERNAME for the account
* Your NEW EMAIL ADDRESS (it cannot be an email address already registered on Bebo).

Anyways, I have control of the account again, but I don't think I'm going to fill in any of my information. Other than a profile pic, a school, and fixing my date of birth, it can remain blank.

I also asked Bebo if they could add a note to my account, requiring all future email changes to be accompanied by a challenge-response (i.e., they ask me a question that only I would know, and I respond with the correct answer). Ideally, this would be built into the system (hint, hint, Bebo engineer. I know you have an office in San Fran. Don't make me write a letter.), so email changing isn't as easy as providing bits of information that are known everywhere. Although I'm also suspecting there might be some sort of XSS attack - I've never bothered deleting my cookies, so there might be a way to trigger an email change if I browse across an evil page, although then the email change shouldn't have happened at 5 AM...
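As an added illustration of the safeguards argued for above (this is constructed example code, not Bebo's code and not part of the original post), here is an in-memory model of an email-change flow: the request must carry a per-session CSRF token that a third-party page cannot read, the change only takes effect after the new address confirms, and the old address receives a notice with a revocation link. The `Account`, `Session` and handler names are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed in-memory stand-ins for an account record, a logged-in browser
# session and an outgoing-mail queue; all names here are hypothetical.
@dataclass
class Account:
    email: str
    pending_email: Optional[str] = None
    confirm_token: Optional[str] = None
    revoke_token: Optional[str] = None
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, body)

class Session:
    def __init__(self) -> None:
        # Per-session secret embedded in the site's own forms; a third-party page
        # can make the browser send the session cookie, but cannot read this value.
        self.csrf_token = secrets.token_urlsafe(32)

def request_email_change(acct: Account, sess: Session, form_csrf: str, new_email: str) -> str:
    """Step 1: a cookie-bearing request from an evil page lacks the form token, so it is refused."""
    if not hmac.compare_digest(sess.csrf_token, form_csrf):
        return "rejected: csrf token missing or wrong"
    acct.pending_email = new_email
    acct.confirm_token = secrets.token_urlsafe(32)
    acct.revoke_token = secrets.token_urlsafe(32)
    # The NEW address must prove it is reachable; the OLD address is told and can cancel.
    acct.outbox.append((new_email, "confirm:" + acct.confirm_token))
    acct.outbox.append((acct.email, "revoke:" + acct.revoke_token))
    return "pending"

def confirm_email_change(acct: Account, token: str) -> str:
    """Step 2: only the holder of the link mailed to the new address can finish the change."""
    if acct.confirm_token is None or not hmac.compare_digest(acct.confirm_token, token):
        return "rejected: confirmation token invalid"
    acct.email, acct.pending_email = acct.pending_email, None
    acct.confirm_token = acct.revoke_token = None
    return "changed"

def revoke_email_change(acct: Account, token: str) -> str:
    """The original owner, reading the notice at the old address, can cancel before step 2."""
    if acct.revoke_token is None or not hmac.compare_digest(acct.revoke_token, token):
        return "rejected: revocation token invalid"
    acct.pending_email = acct.confirm_token = acct.revoke_token = None
    return "revoked"
```

The CSRF token only blocks requests forged from another site; someone who already holds the password still passes step 1, which is why the revocation notice to the old address is the part that lets the real owner stop the change.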

Either way, here's to hoping it doesn't happen again. If it does, I may be deleting my Bebo account for good.

Also, the very odd thing is, I have yet to see any malicious activity, other than the deletion of all of my information and the removal of my friends. I haven't received reports of my friends receiving odd communications from my Bebo account while it was hijacked either, leading me to wonder if it's actually a bot exploiting some loophole instead of a targeted attack.