Attacking the Privacy of Social Network Users presented at HITBMalaysia 2011

by Marco ‘embyte’ Balduzzi,

Summary : Social networks are some of the largest and fastest growing online services today. Facebook, for example, has been ranked as the second most visited site and has been reporting growth rates as high as 3% per week, with more than 500 million registered users. The amount of personal information stored on these networking sites calls for appropriate security precautions that are often inadequate or poorly implemented. Indeed, our research team recently discovered different vulnerabilities, shared among various social networking sites. that permit to access personal sensitive information for running spear phishing, targeted spamming or drive-by-download attacks.
In this talk, I present several novel attacks that target the privacy of social network users. For example, in the automated querying attack, someone can rapidly map million of registered users to their personal e-mail, which is normally considered private information and not directly revealed by the social network. In another attack, by leveraging the recommendation system, e.g. the Facebook’s friends-finder functionality, the attacker can easily collect thousands of friendships and get access to a large amount of personal data that normally is protected.
To prove that these attacks constitute a real threat for social network users, we implemented and ran automated systems against ten different vulnerable sites, such as Facebook, Twitter and LinkedIN. The problems we identified have been acknowledged by some of the networking sites, which have adopted our countermeasures.
Finally, I will introduce Safebook, a decentralized authenticated social network that our lab recently designed with the scope of preserving the privacy of online users.