Facebook privacy
Click here to load reader
-
Upload
aibad-ahmed -
Category
Education
-
view
218 -
download
0
description
Transcript of Facebook privacy
New Privacy Threats for Facebook and Twitter Users
Shah Mahmood
Department of Computer Science,University College London,
United KingdomEmail: [email protected]
Abstract—With around 1 billion active users, Facebook andTwitter are two of the most famous social networking websites.One particular aspect of these social networks widely discussedin the news and heavily researched in academic circles is theprivacy of their users. In this paper we introduce six newprivacy leaks in Facebook and Twitter. First, we reveal howan attacker can map users email addresses to their real namesusing Facebook’s account recovery service. This mapping helpsan attacker accumulate more information about the holderof an email address which could then be used to launchtargeted spam attacks. Second, we introduce how an attackercan reconstruct the friendlist of a victim on Facebook, eventhough that user’s privacy setting does not allow the attackerto explicitly view the victim’s friendlist. Third, we show theadditional privacy leaks due to the introduction of Facebook’sTimeline. Fourth, we show how the unprecedented connectivityoffered by social plugins breaches a user’s privacy. Fifth, weintroduce the social network relay attacks. Sixth, we show howan attacker can permanently withhold a victim’s Facebookaccount after the first take over. Moreover, we propose solutionsfor each of these privacy leaks.
Keywords-Online Social Network, Privacy, Facebook, Twitter
I. INTRODUCTION
The use of cloud computing, and in particular online
social networks, has increased explosively over the past few
years. Over 900 million users are sharing various aspects
of their personal and professional lives on Facebook every
month [1]. Almost 230 million users are exposing some
of their spontaneous thoughts as tweets on Twitter [2],
280,000 meetings of like minded people are arranged by
9 million users of Meetup [3], 4 billion videos are watched
on YouTube on a daily average [4], 80 million users are
flicking through pictures uploaded by 51 million registered
users of Flickr [5], around 15 million users have shared their
1.5 billion locations using Foursquare [6], over 90 million
users can hangout on Google+ [7], and almost 150 million
users are sharing their resume’s and being connected to
their professional contacts on LinkedIn [8]. This enormous
level of connectivity, in addition to its positive impact,
has also resulted in incidents of privacy breaches leading
to loss of employment [9], suspension from school [10],
imprisonment, and embarrassment [11]. A woman in Indiana
(US) was robbed by a Facebook friend after she posted
on her Facebook profile that she was going out for the
night [13]. Moreover, according to a survey by Social Media
Examiner, 92% marketers use Facebook as a tool [12].
These incidents’ widespread media coverage and in-depth
academic analysis has resulted in sparking a new interest
in devising technological and sociological mechanisms for
user’s privacy, including the campaign of user awareness.
Even President Obama has advised caution when sharing
data on social networks [14].
“Be careful about what you post on Facebook,
because in the YouTube age, whatever you do will
be pulled up again later somewhere in your life ...”
Numerous technical solutions have been proposed to
(partially) solve the users’ privacy problem in the cloud
environment, e.g. [15], [16]. Unfortunately, the usefulness
of these proposals is limited when flaws lie in the service
providers’ design and users do not have any better options to
choose from. In this paper, we expose several such privacy
flaws which are examples of bad system design for services
used by nearly 50% of the total Internet users. First we
show how an attacker can map a list of email addresses to
their users’ real names (see Section II-A). Mapping email
addresses to real names can be useful for a wide range of
attacks including launching targeted phishing attacks against
the victim or his acquaintances [17]. Second, we show how
a Facebook user’s friendlist can be reconstructed from the
activity on his profile, even if his privacy settings are set
to hide the list (see Section II-B). Third, we identify the
additional privacy leaks caused after the introduction of
Facebook’s Timeline (see Section II-C). Fourth, we discuss
how the seamless connectivity offered by social plugins can
breach the privacy of a user (see Section II-D). Fifth, we
discuss relay attacks in social networks (see Section II-E).
These relay attacks are not limited to Facebook, e.g. can
also be launched using Twitter. Finally, we show how an
attacker can withhold a user from recovering his compro-
mised account (see Section II-F). With current Facebook and
Twitter settings, these attacks can not be prevented. Thus, in
each section after the introduction of the attack, we propose
solutions for them. In Section III we discuss the related work
and finally, in Section IV we conclude the work.
2012 Seventh International Conference on P2P, Parallel, Grid, Cloud and Internet Computing
978-0-7695-4841-8/12 $26.00 © 2012 IEEE
DOI 10.1109/3PGCIC.2012.46
164
Figure 1. Mapping email and phone number to real name and profilepicture in Facebook
II. NEW PRIVACY LEAKS AND POSSIBLE SOLUTIONS
In this section we introduce several new privacy leaks in
Facebook. The social network relay attack can also work in
other social networks. Moreover, we also propose solutions
to prevent these leaks.
A. Mapping email addresses to real names
Email addresses are widely sold, in bulk, for marketing
and phishing attack purposes. These marketing and phishing
attempts are less effective when not personalized [17], e.g.,
using “Dear Sir” is less effective than “Dear John Smith”.
A design flaw in Facebook can help these marketers and
phishers map email addresses to real names (Facebook’s
“terms of use” legally enforce users to only use their real
names on the social network). This mapping can be done in
two ways.
First, an attacker can search the corresponding real names
to the email addresses on Facebook using direct mapping
through the use of search by email feature available on
Facebook. This mapping will only work if the attacker is
within the allowed category of people who can search the
user on Facebook, as users can limit being searched only by
“Friends”, “Friends of friends”, etc. Moreover, to automate
the attack a user will have to use Facebook’s APIs, which
could at times be very restrictive.
The second method will work against any privacy settings
by a user and does not require any Facebook APIs. Here,
an attacker can go to the Facebook’s recovery page1 and
input an email address from the list. If the email belongs
to a registered profile on Facebook, it will return a page as
shown in Figure 1. This shows the real name and a thumbnail
profile picture of the user.
On the other hand, if the email address does not corre-
spond to a Facebook account then the attacker is directed
1http://www.facebook.com/recover.php
Figure 2. Facebook response when an email address does not correspondto a registered account
to the page displayed in Figure 2, which clearly states that
there is no Facebook account corresponding to that email
address.
Attackers can use this mapping to launch other attacks
against users. A user’s email address is their username when
logging into Facebook. It’s revelation enables the attacker to
attempt to hack into the user’s account by either attempting
to answer the user’s secret question (which once set on
Facebook can not be changed) or by guessing the password.Solution: Facebook’s provision of a real name, as
shown in Figure 1, to confirm the email address of a user
for account recovery is not necessary. As, users can only use
their real names on Facebook and it is rare that a user will
forget his real name, thus, instead of providing a user with
the real name and asking for confirmation, Facebook should
ask a user to provide his real name in addition to his email
address. This way marketers and phishers will not be able
to map emails to real names using Facebook.
B. Reconstruction of a friend’s friendlist
For added privacy, Facebook users have the option to
restrict who can view their friendlist, but, this does not mean
a friend attacker2 can not reconstruct that user’s friendlist.
For at least a partial reconstruction, a friend attacker can
enumerate the names/ user IDs of all the users who comment
on posts visible to friends only. In Figure 3, even though the
user’s friendlist is not visible to the author, we are able to
find the names of at least four friends of the victim3. One
friend has commented on the post and the other three have
liked it. By analyzing more posts, over a longer duration of
time, an attacker can find the names and user IDs of more
friends of the victim.
Similarly, when a user is tagged in a photo, we can see the
name of the person who tagged the user by rolling the mouse
over their name. It displays “Tagged by” and the tagger’s
name. As, only a user’s friends are allowed to tag them on
Facebook, this also helps in reconstructing the friendlist.
2A friend attacker is an attacker who is a friend on Facebook.3The author’s friend was asked for permission and has kindly agreed to
use their post in this paper.
165
Figure 3. Reconstructing friendlist on Facebook from wall posts
Moreover, Facebook does not allow users to hide their mu-
tual friends. The names of mutual friends can also be added
to the being-reconstructed list of the victim’s friendlist. This
way the attacker can reconstruct a very significant part of a
user’s friendlist.
Solution: If a user does not want his friendlist to be
visible to his friends, then Facebook should not display that
user’s mutual friends. Also, when a user views the wall
of a friendlist-hiding friend, the comments and likes by
other friends in the friend’s view should be anonymized.
For example, when the profile owner sees the comments it
could be “John Smith” commented hi, but when his friend
views it, it should be “A friend” commented hi. Similarly
the photo taggers should not be visible for such users. This
way, it will be much harder for anyone to reconstruct the
friendlist of that user. Of course, the anonymization of other
contributing users’ names on a friend list hiding a user’s
profile will complicate the flow of conversation between
his multiple friends, but that is the tradeoff between better
privacy and ease of communication. Alternatively, a specific
list of highly trusted friends could be allowed to have the
non-anonymous view of the friend comments again at the
cost of leak of information to them.
C. Curse of the Timeline
Timeline, a new virtual space in which all the content of
Facebook users are organized and shown, was introduced
on December 15, 2011 [18]. In addition to re-organization
of users’ content, Timeline comes with some default and
unchangeable privacy settings. Firstly, it is no longer possi-
ble for a Facebook user to hide their mutual friends, which
was possible before Timeline. The impact of revelation of
mutual friends has been discussed in the previous section.
Secondly, it is not possible to limit the public view of “cover
photos”. These cover photos could be a user’s personal
pictures or political slogans and their widespread sharing
may have various short term and long term consequences
for that user. Thirdly, with the Timeline, depending on the
users’ privacy settings, if the likes and friendlist of a user
are shared with a list of users, then that list of users can
also see the month and the year when those friends were
added or when the user liked those pages. This will allow
an attacker to analyze the sentiments and opinions of a user,
e.g. when did a user start liking more violent political figures
and unlike the non-violent ones. Finally, with the Timeline,
if a user makes a comment on a page or a group, he does
not have the option to disable being traced back to the
profile. Before the Timeline, a user could make themselves
searchable by a specific group (e.g. “Friends” or “Friends
of friends”, etc. ) and even if they commented on pages
and groups, people outside those allowed groups would not
be able to link back to the commenters profile. Facebook
can solve these problems by allowing users to change the
settings to share their content with their desired audience.
D. Curse of social plugins
In April, 2010, Facebook launched its social plugins to
integrate other websites into Facebook. Since, its launch
over 2.5 million websites have used social plugins. Using
social plugins, websites can allow users to comment on
their content using their Facebook accounts. Moreover, it
enables seamless sharing of content from other websites to
Facebook. Although there are a large number of marketing
benefits of social plugins, they have also created new privacy
problems for users. One of the biggest adverse effect for
a user is the fact that their activity can be traced back to
their Facebook profile. Figure 4 shows an example of such
a privacy problem. The users have commented on a news
article published by a Japanese news paper. Here Wataru
Iwamoto has commented on this article when Reiko Mihara
shared it on his Facebook profile. Wataru did not agree for
his comment to be displayed on a publicly visible website.
Due to their comments’ public visibility now their opinions
regarding the topic are visible to anyone who can view the
article on the website and they are traceable back to their
profiles for the inquirer to find more details about them.
This tracing has the potential of various short and long term
consequences for users.
Again, this problem can be prevented by Facebook
through limiting the view of the comments from public
websites and making the comments of users visible only
on the user walls or fan pages where they have originally
commented. Moreover, those users who comment on public
forums using their Facebook accounts should be given with
the possibility to disconnect the link ability to their accounts.
E. Social network relay attacks
Prior research has shown the ease of cloning profiles on
Facebook [19]. Similar methods can be used to clone profiles
166
Figure 4. Social Plugins on a Japanese news website
on Twitter and other social networks. Another variant of the
cloning attacks can be a relay attack. In a relay attack, (1)
the attacker gets access to the social network content shared
by the victim, (2) he creates a new profile with the same
name as the victim, (3) he relays the victim’s messages. To
avoid detection by the victim, the attacker from the fake
profile blocks the victim, thus, the victim will no longer be
able to search the attacker on the social network. To further
reduce the chance of detection, the attacker can block all
current friends/followers of the victim, thus no one in the
current online social circle of the victim will know about the
existence of the attacker. This attack seems innocent if the
attacker only relays the exact messages by the victim to a
subset of his approved audience, but, it becomes malicious
when the attacker starts sharing the content beyond his
approved audience. Moreover, the attacker may selectively
add, delete or modify messages and share them with any
audience. In the case of Twitter, it is easier to launch this
attack, as a user’s tweets are mostly public, but for Facebook
the attacker needs to be a friend of the victim to get access
to most messages. Thus, he may use social bots or a targeted
friend attack to become friends in the first place [20], [21]
and then launch the attack. This attack can be used to achieve
many goals, for example, in a political scenario, it can be
used to damage the reputation of a rival or misinform his
audience.
Solution: When a user loses access to their account
as a result of forgetting the password or their account
being hacked, Facebook verifies a user with some acceptable
Figure 5. Documents that Facebook requests for account verification
documents as shown in Figure 5, in order to re-grant him
access to his account. These documents include a user’s
passport and driving license. Such documents are hard for an
attacker to fake because of the technical difficulties and legal
penalties. Moreover, when a user provides these documents
to prove their identity to Facebook or any other social
network, it is not a breach of privacy as the act is willfully
done by the user.
Similar verification can be offered by social networks to
prevent relay attacks. Any user who has been verified could
be provided with a “Verified by the service provider” for
the real name and other attributes on the profile. If the
original profile has a certificate of authenticity, it will be
harder for relay attackers to launch the attack without raising
suspicion. In essence, the social network will have to act as
a certification authority.
F. Permanent take over of a Facebook account
Facebook allows a user to recover their compromised
account using several verification mechanisms, but, they all
fail if the attacker changes the name of the victims account
and attach a new account to the victim’s email address used
to login to Facebook. Thus, the attacker can lose the decoy
account created with the victims email attached while having
a permanent take over of the victim’s real account.
Solution: Facebook should not allow associating used
email addresses with new accounts. This will prevent the
permanent over take attack.
III. RELATED WORK
Risks and threats to users’ personal data on social net-
works is widely researched over the past few years. Gross
et al. [22] performed one of the earliest studies to identify
potential threats including: identity theft, embarrassment and
stalking, to the user of social networks. Bonneau et al. [23]
showed that the public listing of eight friends in Facebook
public search leads to revealing much more than just limited
information. Dhingra and Bonneau independently provided
167
limited hacks into Facebook photos [24], [25]. Felt [26]
presented a cross-site scripting vulnerability in the Facebook
Markup Language which allowed arbitrary JavaScript to be
added to the profiles of the users of an application, which
lead to session hijacking. Polakis et al. [17] showed how
names extracted from social networking sites can be used to
launch personalized phishing attacks, which are much more
successful than traditional phishing. Mahmood and Desmedt
presented the deactivated friend attack, utilizing which, an
attacker can have indefinite access to their victim’s personal
information [21]. Using targeted friend requests, they were
added as friend’s by 62% of their victims. They also pro-
vided the first preliminary study of Google+’s privacy and
its comparison to Facebook [27]. Boshmaf et al. [20] used
socialbots to demonstrate the breaching of user’s privacy
on Facebook using the botnet model. Socialbots have been
previously used by criminals and are sold online for as little
as USD 29. They created 102 socialbots to make friends with
3055 Facebook users in eight weeks with a success rate of
35.6%. Bilge et al. [19] showed the ease of launching an
automated identity theft attack against some popular social
networks by sending friend requests to friends of a cloned
victim.
Chabaane et al. showed the implicit leak of information
through the likes and interests of users on Facebook [28].
IV. CONCLUSION
In this paper we exposed several new flaws in Facebook
and Twitter. These include the possibility of an attacker map-
ping email addresses to real user names, the possibility of
reconstructing a user’s friendlist even if his privacy settings
are set to hide it, and the new privacy flaws introduced with
the introduction of Facebook’s Timeline and social plugins.
Moreover, introduced relay attacks in social networks and
how their use could result in privacy breaches. For an
attacker with a compromised account of a user, we presented
a mechanism to permanently take it over. We also provided
solutions to each of the privacy leaks/ attacks we exposed.
REFERENCES
[1] “Facebook statistics,” http://newsroom.fb.com/content/default.aspx?NewsAreaId=22, accessed: May 16, 2012.
[2] C. Taylor, “Social networking ‘Utopia’ isn’t coming,” CNN,June 27, 2011.
[3] “About Meetup,” http://www.meetup.com/about/, accessed:Feb. 20, 2012.
[4] YouTube, “YouTube statistics,”http://www.youtube.com/t/press statistics, accessed: May 16,2012.
[5] “Flickr,” http://advertising.yahoo.com/article/flickr.html, ac-cessed: Feb. 20, 2012.
[6] “Foursquare,” https://foursquare.com/about/, accessed: Feb.20, 2012.
[7] E. Barnett, “Google+ hits 90 million users,” The Telegraph,Jan. 20, 2012.
[8] “Linkedin,” http://press.linkedin.com/about, accessed: Feb.20, 2012.
[9] T. Monkovic, “Eagles employee fired for Facebook post,” NewYork Times, March 10, 2009.
[10] J. Bonneau, J. Anderson, and G. Danezis, “Prying data outof a social network,” in ASONAM, 2009, pp. 249–254.
[11] D. Barret and M. H. Saul, “Weiner now says he sent photos,”The Wall Street Journal, Jun. 7, 2011.
[12] M. Stelzner, “Social media marketing industry report,”http://www.socialmediaexaminer.com/SocialMediaMarketingReport2011.pdf, 2011.
[13] D. L. Michael Henderson, Melissa de Zwart and M. Phillips,Will u friend me? Legal Risks of Social Networking Sites.Monash University, 2011.
[14] “Obama advises caution in use of Facebook,” AssociatedPress, Sep. 8, 2009.
[15] S. Mahmood and Y. Desmedt, “Usable privacy by visualand interactive control of information flow,” in TwentiethInternational Security Protocols Workshop, 2012.
[16] ——, “Two new economic models for privacy,” in SIGMET-RICS Performance Evaluation Review, 2012.
[17] I. Polakis, G. Kontaxis, S. Antonatos, E. Gessiou, T. Petsas,and E. P. Markatos, “Using social networks to harvest emailaddresses,” in WPES, 2010, pp. 11–20.
[18] “Facebook Timeline,” http://www.facebook.com/about/timeline,accessed: May 16, 2012.
[19] L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda, “All yourcontacts are belong to us: automated identity theft attacks onsocial networks,” in WWW, 2009, pp. 551–560.
[20] Y. Boshmaf, I. Muslukhov, K. Beznosov, and M. Ripeanu,“The socialbot network: when bots socialize for fame andmoney,” in ACSAC, 2011, pp. 93–102.
[21] S. Mahmood and Y. Desmedt, “Your Facebook deactivatedfriend or a cloaked spy,” in PerCom Workshops, 2012, pp.367–373.
[22] R. Gross, A. Acquisti, and H. J. H. III, “Information revelationand privacy in online social networks,” in WPES, 2005, pp.71–80.
[23] J. Bonneau, J. Anderson, F. Stajano, and R. Anderson, “Eightfriends are enough: Social graph approximation via publiclistings,” in SNS, 2009.
[24] A. Dhingra, “Where you did sleep last night? ...thank you, ialready know!” iSChannel, vol. 3, no. 1, 2008.
168
[25] J. Bonneau, “New Facebook photo hacks,”http://www.lightbluetouchpaper.org/2009/02/11/new-facebook-photo-hacks/, 2009.
[26] A. Felt, “Defacing Facebook: A secu-rity case study,” 2007. [Online]. Available:http://www.cs.virginia.edu/felt/fbook/facebook-xss.pdf
[27] S. Mahmood and Y. Desmedt, “Poster: preliminary analysisof Google+’s privacy,” in ACM Conference on Computer andCommunications Security, 2011, pp. 809–812.
[28] A. Chaabane, G. Acs, and M. A. Kaafar, “You are what youlike! Information leakage through users’ Interests,” in NDSS,2011.
169