
New Privacy Threats for Facebook and Twitter Users

Shah Mahmood

Department of Computer Science, University College London, United Kingdom

Email: [email protected]

Abstract—With around 1 billion active users, Facebook and Twitter are two of the most famous social networking websites. One particular aspect of these social networks widely discussed in the news and heavily researched in academic circles is the privacy of their users. In this paper we introduce six new privacy leaks in Facebook and Twitter. First, we reveal how an attacker can map users' email addresses to their real names using Facebook's account recovery service. This mapping helps an attacker accumulate more information about the holder of an email address, which could then be used to launch targeted spam attacks. Second, we introduce how an attacker can reconstruct the friendlist of a victim on Facebook, even though that user's privacy setting does not allow the attacker to explicitly view the victim's friendlist. Third, we show the additional privacy leaks due to the introduction of Facebook's Timeline. Fourth, we show how the unprecedented connectivity offered by social plugins breaches a user's privacy. Fifth, we introduce the social network relay attacks. Sixth, we show how an attacker can permanently withhold a victim's Facebook account after the first take over. Moreover, we propose solutions for each of these privacy leaks.

Keywords-Online Social Network, Privacy, Facebook, Twitter

I. INTRODUCTION

The use of cloud computing, and in particular online social networks, has increased explosively over the past few years. Over 900 million users are sharing various aspects of their personal and professional lives on Facebook every month [1]. Almost 230 million users are exposing some of their spontaneous thoughts as tweets on Twitter [2], 280,000 meetings of like-minded people are arranged by 9 million users of Meetup [3], 4 billion videos are watched on YouTube on a daily average [4], 80 million users are flicking through pictures uploaded by 51 million registered users of Flickr [5], around 15 million users have shared their 1.5 billion locations using Foursquare [6], over 90 million users can hang out on Google+ [7], and almost 150 million users are sharing their résumés and being connected to their professional contacts on LinkedIn [8]. This enormous level of connectivity, in addition to its positive impact, has also resulted in incidents of privacy breaches leading to loss of employment [9], suspension from school [10], imprisonment, and embarrassment [11]. A woman in Indiana (US) was robbed by a Facebook friend after she posted on her Facebook profile that she was going out for the night [13]. Moreover, according to a survey by Social Media Examiner, 92% of marketers use Facebook as a tool [12].

The widespread media coverage and in-depth academic analysis of these incidents have sparked a new interest in devising technological and sociological mechanisms for users' privacy, including user awareness campaigns. Even President Obama has advised caution when sharing data on social networks [14].

“Be careful about what you post on Facebook, because in the YouTube age, whatever you do will be pulled up again later somewhere in your life ...”

Numerous technical solutions have been proposed to (partially) solve the users' privacy problem in the cloud environment, e.g. [15], [16]. Unfortunately, the usefulness of these proposals is limited when flaws lie in the service providers' design and users do not have any better options to choose from. In this paper, we expose several such privacy flaws, which are examples of bad system design for services used by nearly 50% of the total Internet users. First, we show how an attacker can map a list of email addresses to their users' real names (see Section II-A). Mapping email addresses to real names can be useful for a wide range of attacks, including launching targeted phishing attacks against the victim or his acquaintances [17]. Second, we show how a Facebook user's friendlist can be reconstructed from the activity on his profile, even if his privacy settings are set to hide the list (see Section II-B). Third, we identify the additional privacy leaks caused after the introduction of Facebook's Timeline (see Section II-C). Fourth, we discuss how the seamless connectivity offered by social plugins can breach the privacy of a user (see Section II-D). Fifth, we discuss relay attacks in social networks (see Section II-E). These relay attacks are not limited to Facebook; e.g., they can also be launched using Twitter. Finally, we show how an attacker can withhold a user from recovering his compromised account (see Section II-F). With current Facebook and Twitter settings, these attacks cannot be prevented. Thus, in each section, after the introduction of the attack, we propose solutions for it. In Section III we discuss the related work and finally, in Section IV, we conclude the work.

2012 Seventh International Conference on P2P, Parallel, Grid, Cloud and Internet Computing

978-0-7695-4841-8/12 $26.00 © 2012 IEEE

DOI 10.1109/3PGCIC.2012.46


Figure 1. Mapping email and phone number to real name and profile picture in Facebook

II. NEW PRIVACY LEAKS AND POSSIBLE SOLUTIONS

In this section we introduce several new privacy leaks in Facebook. The social network relay attack can also work in other social networks. Moreover, we also propose solutions to prevent these leaks.

A. Mapping email addresses to real names

Email addresses are widely sold, in bulk, for marketing and phishing attack purposes. These marketing and phishing attempts are less effective when not personalized [17], e.g., using “Dear Sir” is less effective than “Dear John Smith”. A design flaw in Facebook can help these marketers and phishers map email addresses to real names (Facebook's “terms of use” legally require users to use only their real names on the social network). This mapping can be done in two ways.

First, an attacker can look up the real names corresponding to the email addresses by direct mapping, using the search by email feature available on Facebook. This mapping will only work if the attacker is within the allowed category of people who can search for the user on Facebook, as users can limit being searched to only “Friends”, “Friends of friends”, etc. Moreover, to automate the attack a user will have to use Facebook's APIs, which could at times be very restrictive.

The second method will work against any privacy settings by a user and does not require any Facebook APIs. Here, an attacker can go to Facebook's recovery page¹ and input an email address from the list. If the email belongs to a registered profile on Facebook, it will return a page as shown in Figure 1. This shows the real name and a thumbnail profile picture of the user.

On the other hand, if the email address does not correspond to a Facebook account then the attacker is directed to the page displayed in Figure 2, which clearly states that there is no Facebook account corresponding to that email address.

¹ http://www.facebook.com/recover.php

Figure 2. Facebook response when an email address does not correspond to a registered account

Attackers can use this mapping to launch other attacks against users. A user's email address is their username when logging into Facebook. Its revelation enables the attacker to attempt to hack into the user's account by either attempting to answer the user's secret question (which once set on Facebook cannot be changed) or by guessing the password.

Solution: Facebook's provision of a real name, as shown in Figure 1, to confirm the email address of a user for account recovery is not necessary. Since users can only use their real names on Facebook and it is rare that a user will forget his real name, Facebook should, instead of providing a user with the real name and asking for confirmation, ask a user to provide his real name in addition to his email address. This way marketers and phishers will not be able to map emails to real names using Facebook.
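The following added example (not code from the paper or from Facebook) contrasts a recovery handler that behaves as Section II-A describes with one that applies the proposed fix. The account store, function names, the generic response text and the `outbox` list standing in for a mail queue are all assumptions made for illustration.

```python
import hmac
import unicodedata

# Constructed sample account store (illustrative data only).
ACCOUNTS = {
    "john.smith@example.com": {"name": "John Smith", "thumb": "/img/u/1001.jpg"},
    "a.example@example.org": {"name": "Alice Example", "thumb": "/img/u/1002.jpg"},
}

# One response body for every outcome of the hardened flow.
GENERIC = {
    "status": "ok",
    "message": "If the details match an account, recovery "
               "instructions have been sent to that address.",
}


def _norm(value):
    """Fold case, accents and repeated spaces: 'JOHN  smith' == 'John Smith'."""
    value = unicodedata.normalize("NFKD", value)
    value = "".join(c for c in value if not unicodedata.combining(c))
    return " ".join(value.casefold().split())


def recover_leaky(email):
    """Behaviour described in Section II-A: the reply confirms whether the
    address is registered and discloses the real name and thumbnail."""
    acct = ACCOUNTS.get(email.strip().lower())
    if acct is None:
        return {"status": "not_found", "message": "No account for that email."}
    return {"status": "confirm", "name": acct["name"], "thumb": acct["thumb"]}


def recover_hardened(email, claimed_name, outbox):
    """Proposed fix: the requester supplies the real name; the reply is the
    same whether the address is unknown, the name is wrong, or both match."""
    key = email.strip().lower()
    acct = ACCOUNTS.get(key)
    # Compare against a dummy value when no account exists so that both
    # paths perform the same normalisation and comparison work.
    stored = acct["name"] if acct else "\x00no-such-account"
    match = hmac.compare_digest(_norm(stored).encode(),
                                _norm(claimed_name).encode())
    if acct is not None and match:
        outbox.append(key)  # recovery mail goes only to the account's address
    return dict(GENERIC)


if __name__ == "__main__":
    sent = []
    print(recover_leaky("john.smith@example.com"))
    print(recover_hardened("john.smith@example.com", "Jane Doe", sent))
    print(recover_hardened("nobody@example.com", "John Smith", sent), sent)
```

The hardened handler never echoes a name or thumbnail, so a list of addresses submitted to it yields the same reply for every entry.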

B. Reconstruction of a friend’s friendlist

For added privacy, Facebook users have the option to restrict who can view their friendlist, but this does not mean a friend attacker² cannot reconstruct that user's friendlist. For at least a partial reconstruction, a friend attacker can enumerate the names/user IDs of all the users who comment on posts visible to friends only. In Figure 3, even though the user's friendlist is not visible to the author, we are able to find the names of at least four friends of the victim³. One friend has commented on the post and the other three have liked it. By analyzing more posts, over a longer duration of time, an attacker can find the names and user IDs of more friends of the victim.

Similarly, when a user is tagged in a photo, we can see the name of the person who tagged the user by rolling the mouse over their name. It displays “Tagged by” and the tagger's name. As only a user's friends are allowed to tag them on Facebook, this also helps in reconstructing the friendlist.

² A friend attacker is an attacker who is a friend on Facebook.

³ The author's friend was asked for permission and has kindly agreed to use their post in this paper.

Figure 3. Reconstructing friendlist on Facebook from wall posts

Moreover, Facebook does not allow users to hide their mutual friends. The names of mutual friends can also be added to the list being reconstructed of the victim's friends. This way the attacker can reconstruct a very significant part of a user's friendlist.

Solution: If a user does not want his friendlist to be visible to his friends, then Facebook should not display that user's mutual friends. Also, when a user views the wall of a friendlist-hiding friend, the comments and likes by other friends in the friend's view should be anonymized. For example, when the profile owner sees the comments it could be “John Smith” commented hi, but when his friend views it, it should be “A friend” commented hi. Similarly, the photo taggers should not be visible for such users. This way, it will be much harder for anyone to reconstruct the friendlist of that user. Of course, the anonymization of other contributing users' names on a friendlist-hiding user's profile will complicate the flow of conversation between his multiple friends, but that is the tradeoff between better privacy and ease of communication. Alternatively, a specific list of highly trusted friends could be allowed to have the non-anonymous view of the friend comments, again at the cost of leak of information to them.
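As an added illustration of the proposed view anonymization (example code, not from the paper or from Facebook), the sketch below renders a wall post per viewer and includes a leak check that counts the third-party names a viewer can still read. The `Post` structure, function names and the sample posts are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

ANON = "A friend"  # placeholder label taken from the Solution paragraph


@dataclass
class Post:
    owner: str
    text: str
    comments: list = field(default_factory=list)  # (author, text) pairs
    likes: list = field(default_factory=list)     # author names
    tagged_by: Optional[str] = None


def render_for(viewer, post, hide_friendlist, trusted=frozenset()):
    """Return the view of `post` served to `viewer`.

    The owner, and any viewer on the owner's trusted list, get real names.
    Other viewers of a friendlist-hiding owner see only their own name and
    the owner's name; every other contributor becomes "A friend"."""
    full = viewer == post.owner or not hide_friendlist or viewer in trusted

    def label(author):
        if full or author in (viewer, post.owner):
            return author
        return ANON

    return {
        "text": post.text,
        "comments": [(label(a), t) for a, t in post.comments],
        "likes": [label(a) for a in post.likes],
        "tagged_by": label(post.tagged_by) if post.tagged_by else None,
    }


def mutual_friends_for(viewer_friends, owner_friends, hide_friendlist):
    """Mutual friends are withheld when the owner hides the friendlist."""
    return set() if hide_friendlist else set(viewer_friends) & set(owner_friends)


def exposed_identities(views, viewer, owner):
    """Leak check: distinct third-party names readable from rendered views."""
    seen = set()
    for v in views:
        names = [a for a, _ in v["comments"]] + list(v["likes"])
        if v["tagged_by"]:
            names.append(v["tagged_by"])
        seen.update(n for n in names if n not in (viewer, owner, ANON))
    return seen


# Constructed sample wall: one commenter and three likers, as in Figure 3,
# plus a tagged photo.
POSTS = [
    Post("alice", "hello", comments=[("carol", "hi")],
         likes=["dave", "erin", "frank"]),
    Post("alice", "photo", comments=[("bob", "nice")],
         likes=["carol"], tagged_by="grace"),
]

if __name__ == "__main__":
    for hide in (False, True):
        views = [render_for("bob", p, hide) for p in POSTS]
        print(hide, sorted(exposed_identities(views, "bob", "alice")))
```

Running the leak check over a user's rendered wall before and after enabling the setting gives a direct regression test for this class of leak.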

C. Curse of the Timeline

Timeline, a new virtual space in which all the content of Facebook users is organized and shown, was introduced on December 15, 2011 [18]. In addition to re-organization of users' content, Timeline comes with some default and unchangeable privacy settings. Firstly, it is no longer possible for a Facebook user to hide their mutual friends, which was possible before Timeline. The impact of revelation of mutual friends has been discussed in the previous section. Secondly, it is not possible to limit the public view of “cover photos”. These cover photos could be a user's personal pictures or political slogans, and their widespread sharing may have various short term and long term consequences for that user. Thirdly, with the Timeline, depending on the users' privacy settings, if the likes and friendlist of a user are shared with a list of users, then that list of users can also see the month and the year when those friends were added or when the user liked those pages. This will allow an attacker to analyze the sentiments and opinions of a user, e.g. when did a user start liking more violent political figures and unlike the non-violent ones. Finally, with the Timeline, if a user makes a comment on a page or a group, he does not have the option to disable being traced back to the profile. Before the Timeline, a user could make themselves searchable by a specific group (e.g. “Friends” or “Friends of friends”, etc.) and even if they commented on pages and groups, people outside those allowed groups would not be able to link back to the commenter's profile. Facebook can solve these problems by allowing users to change the settings to share their content with their desired audience.

D. Curse of social plugins

In April 2010, Facebook launched its social plugins to integrate other websites into Facebook. Since its launch, over 2.5 million websites have used social plugins. Using social plugins, websites can allow users to comment on their content using their Facebook accounts. Moreover, it enables seamless sharing of content from other websites to Facebook. Although there are a large number of marketing benefits of social plugins, they have also created new privacy problems for users. One of the biggest adverse effects for a user is the fact that their activity can be traced back to their Facebook profile. Figure 4 shows an example of such a privacy problem. The users have commented on a news article published by a Japanese newspaper. Here Wataru Iwamoto has commented on this article when Reiko Mihara shared it on his Facebook profile. Wataru did not agree for his comment to be displayed on a publicly visible website. Due to their comments' public visibility, their opinions regarding the topic are now visible to anyone who can view the article on the website, and they are traceable back to their profiles for the inquirer to find more details about them. This tracing has the potential of various short and long term consequences for users.

Again, this problem can be prevented by Facebook through limiting the view of the comments from public websites and making the comments of users visible only on the user walls or fan pages where they have originally commented. Moreover, those users who comment on public forums using their Facebook accounts should be given the possibility to disconnect the linkability to their accounts.

E. Social network relay attacks

Prior research has shown the ease of cloning profiles on Facebook [19]. Similar methods can be used to clone profiles on Twitter and other social networks. Another variant of the cloning attacks can be a relay attack. In a relay attack, (1) the attacker gets access to the social network content shared by the victim, (2) he creates a new profile with the same name as the victim, (3) he relays the victim's messages. To avoid detection by the victim, the attacker blocks the victim from the fake profile; thus, the victim will no longer be able to search for the attacker on the social network. To further reduce the chance of detection, the attacker can block all current friends/followers of the victim; thus no one in the current online social circle of the victim will know about the existence of the attacker. This attack seems innocent if the attacker only relays the exact messages by the victim to a subset of his approved audience, but it becomes malicious when the attacker starts sharing the content beyond his approved audience. Moreover, the attacker may selectively add, delete or modify messages and share them with any audience. In the case of Twitter, it is easier to launch this attack, as a user's tweets are mostly public, but for Facebook the attacker needs to be a friend of the victim to get access to most messages. Thus, he may use social bots or a targeted friend attack to become friends in the first place [20], [21] and then launch the attack. This attack can be used to achieve many goals; for example, in a political scenario, it can be used to damage the reputation of a rival or misinform his audience.

Figure 4. Social Plugins on a Japanese news website

Solution: When a user loses access to their account as a result of forgetting the password or their account being hacked, Facebook verifies a user with some acceptable documents as shown in Figure 5, in order to re-grant him access to his account. These documents include a user's passport and driving license. Such documents are hard for an attacker to fake because of the technical difficulties and legal penalties. Moreover, when a user provides these documents to prove their identity to Facebook or any other social network, it is not a breach of privacy as the act is willfully done by the user.

Figure 5. Documents that Facebook requests for account verification

Similar verification can be offered by social networks to prevent relay attacks. Any user who has been verified could be provided with a “Verified by the service provider” label for the real name and other attributes on the profile. If the original profile has a certificate of authenticity, it will be harder for relay attackers to launch the attack without raising suspicion. In essence, the social network will have to act as a certification authority.

F. Permanent take over of a Facebook account

Facebook allows a user to recover their compromised account using several verification mechanisms, but they all fail if the attacker changes the name of the victim's account and attaches a new account to the victim's email address used to log in to Facebook. Thus, the attacker can lose the decoy account created with the victim's email attached while having a permanent take over of the victim's real account.

Solution: Facebook should not allow associating used email addresses with new accounts. This will prevent the permanent takeover attack.

III. RELATED WORK

Risks and threats to users' personal data on social networks have been widely researched over the past few years. Gross et al. [22] performed one of the earliest studies to identify potential threats to the users of social networks, including identity theft, embarrassment and stalking. Bonneau et al. [23] showed that the public listing of eight friends in Facebook public search leads to revealing much more than just limited information. Dhingra and Bonneau independently provided limited hacks into Facebook photos [24], [25]. Felt [26] presented a cross-site scripting vulnerability in the Facebook Markup Language which allowed arbitrary JavaScript to be added to the profiles of the users of an application, which led to session hijacking. Polakis et al. [17] showed how names extracted from social networking sites can be used to launch personalized phishing attacks, which are much more successful than traditional phishing. Mahmood and Desmedt presented the deactivated friend attack, using which an attacker can have indefinite access to their victim's personal information [21]. Using targeted friend requests, they were added as friends by 62% of their victims. They also provided the first preliminary study of Google+'s privacy and its comparison to Facebook [27]. Boshmaf et al. [20] used socialbots to demonstrate the breaching of users' privacy on Facebook using the botnet model. Socialbots have been previously used by criminals and are sold online for as little as USD 29. They created 102 socialbots to make friends with 3055 Facebook users in eight weeks with a success rate of 35.6%. Bilge et al. [19] showed the ease of launching an automated identity theft attack against some popular social networks by sending friend requests to friends of a cloned victim.

Chaabane et al. showed the implicit leak of information through the likes and interests of users on Facebook [28].

IV. CONCLUSION

In this paper we exposed several new flaws in Facebook and Twitter. These include the possibility of an attacker mapping email addresses to real user names, the possibility of reconstructing a user's friendlist even if his privacy settings are set to hide it, and the new privacy flaws introduced with the introduction of Facebook's Timeline and social plugins. Moreover, we introduced relay attacks in social networks and how their use could result in privacy breaches. For an attacker with a compromised account of a user, we presented a mechanism to permanently take it over. We also provided solutions to each of the privacy leaks/attacks we exposed.

REFERENCES

[1] “Facebook statistics,” http://newsroom.fb.com/content/default.aspx?NewsAreaId=22, accessed: May 16, 2012.

[2] C. Taylor, “Social networking ‘Utopia’ isn’t coming,” CNN, June 27, 2011.

[3] “About Meetup,” http://www.meetup.com/about/, accessed: Feb. 20, 2012.

[4] YouTube, “YouTube statistics,” http://www.youtube.com/t/press statistics, accessed: May 16, 2012.

[5] “Flickr,” http://advertising.yahoo.com/article/flickr.html, accessed: Feb. 20, 2012.

[6] “Foursquare,” https://foursquare.com/about/, accessed: Feb. 20, 2012.

[7] E. Barnett, “Google+ hits 90 million users,” The Telegraph, Jan. 20, 2012.

[8] “Linkedin,” http://press.linkedin.com/about, accessed: Feb. 20, 2012.

[9] T. Monkovic, “Eagles employee fired for Facebook post,” New York Times, March 10, 2009.

[10] J. Bonneau, J. Anderson, and G. Danezis, “Prying data out of a social network,” in ASONAM, 2009, pp. 249–254.

[11] D. Barret and M. H. Saul, “Weiner now says he sent photos,” The Wall Street Journal, Jun. 7, 2011.

[12] M. Stelzner, “Social media marketing industry report,” http://www.socialmediaexaminer.com/SocialMediaMarketingReport2011.pdf, 2011.

[13] D. L. Michael Henderson, Melissa de Zwart and M. Phillips, Will u friend me? Legal Risks of Social Networking Sites. Monash University, 2011.

[14] “Obama advises caution in use of Facebook,” Associated Press, Sep. 8, 2009.

[15] S. Mahmood and Y. Desmedt, “Usable privacy by visual and interactive control of information flow,” in Twentieth International Security Protocols Workshop, 2012.

[16] ——, “Two new economic models for privacy,” in SIGMETRICS Performance Evaluation Review, 2012.

[17] I. Polakis, G. Kontaxis, S. Antonatos, E. Gessiou, T. Petsas, and E. P. Markatos, “Using social networks to harvest email addresses,” in WPES, 2010, pp. 11–20.

[18] “Facebook Timeline,” http://www.facebook.com/about/timeline, accessed: May 16, 2012.

[19] L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda, “All your contacts are belong to us: automated identity theft attacks on social networks,” in WWW, 2009, pp. 551–560.

[20] Y. Boshmaf, I. Muslukhov, K. Beznosov, and M. Ripeanu, “The socialbot network: when bots socialize for fame and money,” in ACSAC, 2011, pp. 93–102.

[21] S. Mahmood and Y. Desmedt, “Your Facebook deactivated friend or a cloaked spy,” in PerCom Workshops, 2012, pp. 367–373.

[22] R. Gross, A. Acquisti, and H. J. H. III, “Information revelation and privacy in online social networks,” in WPES, 2005, pp. 71–80.

[23] J. Bonneau, J. Anderson, F. Stajano, and R. Anderson, “Eight friends are enough: Social graph approximation via public listings,” in SNS, 2009.

[24] A. Dhingra, “Where you did sleep last night? ...thank you, i already know!” iSChannel, vol. 3, no. 1, 2008.

[25] J. Bonneau, “New Facebook photo hacks,” http://www.lightbluetouchpaper.org/2009/02/11/new-facebook-photo-hacks/, 2009.

[26] A. Felt, “Defacing Facebook: A security case study,” 2007. [Online]. Available: http://www.cs.virginia.edu/felt/fbook/facebook-xss.pdf

[27] S. Mahmood and Y. Desmedt, “Poster: preliminary analysis of Google+’s privacy,” in ACM Conference on Computer and Communications Security, 2011, pp. 809–812.

[28] A. Chaabane, G. Acs, and M. A. Kaafar, “You are what you like! Information leakage through users’ Interests,” in NDSS, 2011.