I don't understand how the attack works. Does the workflow for enabling, or changing, Facebook email PGP keys not include an email verification step? Or is that being circumvented in some way?
It's just a DoS attack. If a valid PGP pubkey is added to the account, the account recovery email becomes useless because it's encrypted gibberish that cannot be deciphered unless you have the PGP private key.
Not sure, I don't use Facebook. I suppose that if you have access to the account and are able to associate PGP, you might as well change the recovery email address too if the hacker doesn't already have a way to read it.
A new key can (should) be activated only if a user can confirm that they can read messages encrypted with this key sent to a configured account recovery email.
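The confirm-before-activate flow described above, as an added example that is not part of this thread or of Facebook's implementation. The "PGP keypair" is a constructed stand-in (a keyed XOR stream, so encrypt and decrypt coincide); the point is the account state machine: an unconfirmed key never changes how recovery mail is sent, and only a correct decrypted challenge activates it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class ToyKey:
    """Stand-in for a PGP keypair (constructed for this example): one secret
    drives a keyed stream, so encrypt and decrypt are the same operation."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def encrypt(self, data: bytes) -> bytes:
        stream = b""
        for i in range((len(data) + 31) // 32):
            stream += hashlib.sha256(self.secret + i.to_bytes(4, "big")).digest()
        return bytes(a ^ b for a, b in zip(data, stream))

    decrypt = encrypt  # XOR with the same stream undoes itself


@dataclass
class Account:
    recovery_email: str
    active_key: Optional[ToyKey] = None
    pending: Optional[Tuple[ToyKey, bytes]] = None  # (candidate key, token)


def request_key_change(acct: Account, key: ToyKey, outbox: list) -> None:
    """The weak flow would set acct.active_key = key right here. Instead the
    key only becomes pending, and a random token encrypted to it is mailed
    to the recovery address; whoever can decrypt it may confirm."""
    token = secrets.token_bytes(16)
    acct.pending = (key, token)
    outbox.append((acct.recovery_email, key.encrypt(token)))


def confirm_key_change(acct: Account, response: bytes) -> bool:
    """Activate the pending key only on the correct token, else no change."""
    if acct.pending is None:
        return False
    key, token = acct.pending
    if not hmac.compare_digest(response, token):
        return False
    acct.active_key, acct.pending = key, None
    return True


def send_recovery_mail(acct: Account, body: bytes) -> bytes:
    """Recovery mail is encrypted only once a key has been confirmed."""
    return acct.active_key.encrypt(body) if acct.active_key else body
```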
1. Attacker somehow gets control of email.
2. Attacker uses email to "recover" Facebook.
3. Attacker uses email to add PGP.
(time passes)
4. User realizes Facebook and email are taken over.
5. User somehow recovers email.
6. User tries to recover Facebook using email but is unable to.