Technical Report: "Abusing Social Networks for Automated User Profiling"

research
We recently published a technical report on another project related to social networks. The paper is entitled "Abusing Social Networks for Automated User Profiling" and we focus on automatically collecting information about users based on the information available in different networks.

Imagine that you have a profile on Facebook, on LinkedIn, and on MySpace. Perhaps you do not want to directly link these profiles, for example because you want a more serious profile on LinkedIn while keeping a more relaxed one on MySpace and Facebook. Thus you use different pseudonyms/names on the different profiles and expect that the information cannot be correlated. However, there is a problem with that assumption: during registration on the different networks, you used the same e-mail address. And a social network typically enables a user to search for e-mail addresses in order to find friends (a convenient feature, after all you want to network with your friends). An attacker can thus go ahead and search on each network for a given e-mail address, scrape the profile related to that address, and then correlate the information found on the different networks. In the end, an attacker can thus enrich a given e-mail address with information collected from different social networks.

An attacker can not only search for one e-mail address at a time, but typically for hundreds or even thousands. And he can not only do this once, but thousands of times per day. For example, we were able to check about 10 million e-mail addresses on Facebook per day. A spammer could use this "feature" to verify e-mail addresses by using Facebook as an oracle to determine whether or not a given e-mail address is valid. Furthermore, the correlation aspect is of course also a privacy problem since an attacker can find "hidden" information and correlate information across different networks.
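A detection-side illustration of the oracle problem described above, added here and not part of the original post or the technical report: it scans friend-finder lookup logs (a constructed, assumed line format) and flags sources whose lookup volume or hit rate looks like bulk address verification rather than a user searching for friends. The thresholds are assumptions chosen for the example, not values from the paper.

```python
"""Flag friend-finder lookups that look like bulk e-mail address probing.

Each log line (assumed format, constructed for this example):
    <ISO timestamp> <source_id> <queried e-mail> <match|nomatch>
"""
from collections import defaultdict

MAX_DISTINCT_PER_SOURCE = 200   # an ordinary "find my friends" upload stays far below this
MIN_SAMPLE = 50                 # do not judge the match rate on tiny samples
LOW_MATCH_RATE = 0.10           # addresses a real user uploads mostly belong to real contacts

def parse_lookups(log_text):
    """Yield (source, address, matched) for every well-formed line; skip malformed ones."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("match", "nomatch"):
            continue
        yield parts[1], parts[2].lower(), parts[3] == "match"

def summarize(log_text):
    """Per source: number of distinct addresses queried and how many of them matched."""
    seen = defaultdict(set)
    hits = defaultdict(set)
    for source, addr, matched in parse_lookups(log_text):
        seen[source].add(addr)
        if matched:
            hits[source].add(addr)
    return {s: (len(seen[s]), len(hits[s])) for s in seen}

def flag_probers(log_text):
    """Return {source: reason} for sources whose lookup pattern resembles oracle probing."""
    flagged = {}
    for source, (distinct, matched) in summarize(log_text).items():
        if distinct >= MAX_DISTINCT_PER_SOURCE:
            flagged[source] = f"{distinct} distinct addresses queried"
        elif distinct >= MIN_SAMPLE and matched / distinct <= LOW_MATCH_RATE:
            flagged[source] = f"match rate {matched / distinct:.0%} over {distinct} addresses"
    return flagged

def constructed_log():
    """Build a sample log: one normal user and one bulk prober (constructed data)."""
    lines = [f"2010-03-10T10:00:0{i} user42 friend{i}@example.org match" for i in range(3)]
    lines.append("2010-03-10T10:00:04 user42 old.contact@example.org nomatch")
    for i in range(300):  # dictionary-style addresses, almost none of them registered
        result = "match" if i % 60 == 0 else "nomatch"
        lines.append(f"2010-03-10T11:{i // 60:02d}:{i % 60:02d} batch7 a{i:04d}@example.net {result}")
    return "\n".join(lines)
```

In a real deployment the same counters would be kept per time window and per account, IP range and session, so that a prober cannot dilute its rate by spreading lookups over many throwaway accounts.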

We have contacted different social networks. Facebook and XING have already addressed the problem - thanks a lot!

Abstract:
Recently, social networks such as Facebook have experienced a huge surge in popularity. The amount of personal information stored in these sites calls for appropriate security precautions to protect this data.
In this paper, we describe how we are able to take advantage of a common weakness, namely the fact that an attacker can query the social network for registered e-mail addresses on a large scale. Starting with a list of about 10.4 million email addresses, we were able to automatically identify more than 1.2 million user profiles associated with these addresses. By crawling these profiles, we collect publicly available personal information about each user, which we use for automated profiling (i.e., to enrich the information available from each user).
Finally, we propose a number of mitigation techniques to protect the user’s privacy. We have contacted the most popular providers, who acknowledged the threat and are currently implementing our countermeasures. Facebook and XING in particular have recently fixed the problem.

The technical report is available at http://www.iseclab.org/papers/socialabuse-TR.pdf and it was joint work with Marco Balduzzi, Christian Platzer, Engin Kirda, Davide Balzarotti, and Christopher Kruegel.

Comments

  1. Josh Brower says:

    I recently finished some very similar research about social engineering on social networks--Specifically mining the information that users are giving up on Quizzes on Facebook, and creating a profile based on the mined information. If you are interested, you can find a little more detail here (http://tothelasttribe.com/blog/2010/03/gcih-gold-paper-accepted/) and my paper here (http://goo.gl/ckfJ)

    -Josh Brower

  2. Thorsten says:

    Thanks for the info Josh, the paper looks interesting!

  3. 逆援 says:

    Please enjoy yourself at Noble, a long-established site.

  4. www.coop-systems.com says:

    Where I work we use a software program called COOP System for business continuity. For this system as with many things on the web I use the same E-mail address. So by using the same E-mail, I could be compromising the system. In order to prevent these unsafe practices every business should provide a work only E-mail address to all its employees.

  5. facebook app development says:

    Facebook has gained a lot of popularity in 2-3 years; the number of users has crossed a million and hence it has now become very important for the team to maintain the security of the users. There are many applications in Facebook which require users to grant permission to access their personal information and hence the user should be very careful on whom to trust. Let's see how Facebook deals with security issues.

  6. information security says:

    Thanks for the post. The article is interesting.
