A Brazilian researcher has shown it is possible — even easy — to “friend” virtually anyone on Facebook in 24 hours or less.
It’s really simple: Create a new profile by cloning the profile of someone near the intended target, then use that profile to friend the friends of the target and eventually even the target him or herself. Even if the target never agrees to be friended, you’ll still be able to see information only available to “friends of friends,” likely a great deal more than is available publicly.
This social engineering exploit shows how easily personal information can be accessed by those targeting specific individuals and willing to invest a bit of time. Sure, it violates Facebook’s terms-of-service, but that won’t stop those who feel a strong “need to know.” (I am not presenting this as a suggestion, just a warning about whose friend requests you accept.)
Security and online behavior researcher Novaes Nelson designed an experiment to see if he could be friended by a woman who works in web security, whom the experiment calls “SecGirl.” His goal was to be added as her friend within 24 hours. He achieved it in only 7 hours.
Here’s how he did it, as reported in UOL Noticias, a Brazilian newspaper. The translation from Portuguese is by Google and cleaned up a bit by me:
To get closer to SecGirl, Novaes literally cloned the profile of a person very close to the woman — her manager. Using this cloned profile, he requested the friendship of friends of friends of the boss. In just one hour, 24 out of 432 requests were accepted. The remarkable thing is that 96% of people who accepted the friend request already had the true owner of the profile in their list of friends. (The same person was added to their list two times because they were unaware of the false profile).
In the next hour, the researcher requested the friendship of the manager’s own friends. From 436 applications, the fake profile was accepted by over 14 people — again, they all had the original profile in their contact list and added the clone. In just over two hours, the manager accepted the friend request of the profile that was cloned by Novaes.
SecGirl added the cloned manager profile as a friend 7-and-a-half hours into the experiment. By that time, the profile had accumulated enough friends and friends of friends that it appeared legitimate. SecGirl probably OK’d the friend request without thinking anything about it. In that way, the cloned profile gained access to information only shared with SecGirl’s friends.
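The report above points at the one signal that exposed the clone at every step: the people who accepted the fake request already had the real manager on their friend list, so the same name appeared twice. The following is an added example, not code from the article or from Nelson's experiment, showing the check a cautious user (or a tool acting on their behalf) could run on an incoming request: flag a request whose name collides with an existing friend, and report the mutual-friend count separately so that it cannot make a colliding request look legitimate. All profile data is constructed for the example; the `Profile` structure and the `assess_request` function are assumptions, not any Facebook API.

```python
# Added example (not from the article): screen incoming friend requests for
# the profile-cloning pattern described above. All data below is constructed.
import unicodedata
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Profile:
    """Hypothetical minimal view of a profile: id, display name, friend ids."""
    profile_id: str
    name: str
    friends: FrozenSet[str] = frozenset()


def normalize_name(name: str) -> str:
    """Fold case, strip accents and collapse whitespace so that a clone
    typed as 'Ána  SOUZA' still matches the real friend 'Ana Souza'."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(no_accents.casefold().split())


def assess_request(my_friends: Dict[str, Profile], request: Profile) -> dict:
    """Return a verdict for one incoming request.

    my_friends maps profile_id -> Profile for accounts already on my list.
    A name collision with an existing friend under a different id is the
    clone signature; mutual friends are reported but never override it,
    because the clone in the article accumulated mutual friends on purpose.
    """
    wanted = normalize_name(request.name)
    collisions: List[str] = [
        f.profile_id for f in my_friends.values()
        if normalize_name(f.name) == wanted and f.profile_id != request.profile_id
    ]
    mutual = len(request.friends & set(my_friends))
    if collisions:
        verdict = "likely-clone"   # same name, different account: ask the real one
    elif mutual == 0:
        verdict = "unknown"        # nobody vouches for this account at all
    else:
        verdict = "review"         # some overlap; still verify out of band
    return {"verdict": verdict, "mutual_friends": mutual, "collides_with": collisions}


# Constructed sample data: my list, then three incoming requests.
MY_FRIENDS = {
    "m-001": Profile("m-001", "Ana Souza", frozenset({"f-002"})),   # the manager
    "f-002": Profile("f-002", "Bruno Lima", frozenset({"m-001"})),
}
CLONE_REQUEST = Profile("c-999", "Ána  SOUZA", frozenset({"f-002"}))   # cloned manager
STRANGER_REQUEST = Profile("x-010", "Carla Dias", frozenset())
OVERLAP_REQUEST = Profile("x-011", "Diego Rocha", frozenset({"m-001", "f-002"}))


if __name__ == "__main__":
    for req in (CLONE_REQUEST, STRANGER_REQUEST, OVERLAP_REQUEST):
        print(req.profile_id, req.name, "->", assess_request(MY_FRIENDS, req))
```

The clone request is flagged even though it shares a mutual friend, which is exactly the state the fake manager profile was in after its first hour: accepted by people who already had the real manager as a friend. The right response to a "likely-clone" verdict is to confirm with the existing friend through a channel other than the new profile.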
“People just ignored the threat that any profile can be added without checking if it is true. New technologies will always be breaches of privacy, but users have to pay attention to this type of failure. Social networks provide amazing things, but the failure, first of all, is human. Privacy is a matter of social responsibility. There is no solution. Right solution is to use the network properly and we are alone in this task,” Nelson told the newspaper (translated).
Nelson said his experiment provides enough information for the attacker to actually take over the target’s Facebook account. It demonstrates the power that social engineering — showing the target what looks like a legitimate friend request, but isn’t — can give criminals.
It used to be that I was pretty much willing to accept any friend request on Facebook. Lately, I have grown suspicious and refuse many requests and am pruning my list considerably. Too many friend requests come from profiles that offer little information about my supposed new “friend,” and those are going away quickly.
After reading Nelson’s story, I am thinking seriously of creating a whole new Facebook identity for myself — essentially starting over and being a lot more cautious about who ends up on my friend list and what information I make available. You might want to do the same — or simply accept that everything on Facebook is public information, probably a fair expectation in any case.