2. Figure 1. Mapping email and phone number to real name and profile
picture in Facebook
II. NEW PRIVACY LEAKS AND POSSIBLE SOLUTIONS
In this section we introduce several new privacy leaks in
Facebook. The social network relay attack can also work in
other social networks. Moreover, we also propose solutions
to prevent these leaks.
A. Mapping email addresses to real names
Email addresses are widely sold, in bulk, for marketing
and phishing attack purposes. These marketing and phishing
attempts are less effective when not personalized [17], e.g.,
using “Dear Sir” is less effective than “Dear John Smith”.
A design flaw in Facebook can help these marketers and
phishers map email addresses to real names (Facebook’s
“terms of use” legally enforce users to only use their real
names on the social network). This mapping can be done in
two ways.
First, an attacker can search the corresponding real names
to the email addresses on Facebook using direct mapping
through the use of search by email feature available on
Facebook. This mapping will only work if the attacker is
within the allowed category of people who can search the
user on Facebook, as users can limit being searched only by
“Friends”, “Friends of friends”, etc. Moreover, to automate
the attack a user will have to use Facebook’s APIs, which
could at times be very restrictive.
The second method will work against any privacy settings
by a user and does not require any Facebook APIs. Here,
an attacker can go to the Facebook’s recovery page1
and
input an email address from the list. If the email belongs
to a registered profile on Facebook, it will return a page as
shown in Figure 1. This shows the real name and a thumbnail
profile picture of the user.
On the other hand, if the email address does not corre-
spond to a Facebook account then the attacker is directed
1http://www.facebook.com/recover.php
Figure 2. Facebook response when an email address does not correspond
to a registered account
to the page displayed in Figure 2, which clearly states that
there is no Facebook account corresponding to that email
address.
Attackers can use this mapping to launch other attacks
against users. A user’s email address is their username when
logging into Facebook. It’s revelation enables the attacker to
attempt to hack into the user’s account by either attempting
to answer the user’s secret question (which once set on
Facebook can not be changed) or by guessing the password.
Solution: Facebook’s provision of a real name, as
shown in Figure 1, to confirm the email address of a user
for account recovery is not necessary. As, users can only use
their real names on Facebook and it is rare that a user will
forget his real name, thus, instead of providing a user with
the real name and asking for confirmation, Facebook should
ask a user to provide his real name in addition to his email
address. This way marketers and phishers will not be able
to map emails to real names using Facebook.
B. Reconstruction of a friend’s friendlist
For added privacy, Facebook users have the option to
restrict who can view their friendlist, but, this does not mean
a friend attacker2
can not reconstruct that user’s friendlist.
For at least a partial reconstruction, a friend attacker can
enumerate the names/ user IDs of all the users who comment
on posts visible to friends only. In Figure 3, even though the
user’s friendlist is not visible to the author, we are able to
find the names of at least four friends of the victim3
. One
friend has commented on the post and the other three have
liked it. By analyzing more posts, over a longer duration of
time, an attacker can find the names and user IDs of more
friends of the victim.
Similarly, when a user is tagged in a photo, we can see the
name of the person who tagged the user by rolling the mouse
over their name. It displays “Tagged by” and the tagger’s
name. As, only a user’s friends are allowed to tag them on
Facebook, this also helps in reconstructing the friendlist.
2A friend attacker is an attacker who is a friend on Facebook.
3The author’s friend was asked for permission and has kindly agreed to
use their post in this paper.
165
3. Figure 3. Reconstructing friendlist on Facebook from wall posts
Moreover, Facebook does not allow users to hide their mu-
tual friends. The names of mutual friends can also be added
to the being-reconstructed list of the victim’s friendlist. This
way the attacker can reconstruct a very significant part of a
user’s friendlist.
Solution: If a user does not want his friendlist to be
visible to his friends, then Facebook should not display that
user’s mutual friends. Also, when a user views the wall
of a friendlist-hiding friend, the comments and likes by
other friends in the friend’s view should be anonymized.
For example, when the profile owner sees the comments it
could be “John Smith” commented hi, but when his friend
views it, it should be “A friend” commented hi. Similarly
the photo taggers should not be visible for such users. This
way, it will be much harder for anyone to reconstruct the
friendlist of that user. Of course, the anonymization of other
contributing users’ names on a friend list hiding a user’s
profile will complicate the flow of conversation between
his multiple friends, but that is the tradeoff between better
privacy and ease of communication. Alternatively, a specific
list of highly trusted friends could be allowed to have the
non-anonymous view of the friend comments again at the
cost of leak of information to them.
C. Curse of the Timeline
Timeline, a new virtual space in which all the content of
Facebook users are organized and shown, was introduced
on December 15, 2011 [18]. In addition to re-organization
of users’ content, Timeline comes with some default and
unchangeable privacy settings. Firstly, it is no longer possi-
ble for a Facebook user to hide their mutual friends, which
was possible before Timeline. The impact of revelation of
mutual friends has been discussed in the previous section.
Secondly, it is not possible to limit the public view of “cover
photos”. These cover photos could be a user’s personal
pictures or political slogans and their widespread sharing
may have various short term and long term consequences
for that user. Thirdly, with the Timeline, depending on the
users’ privacy settings, if the likes and friendlist of a user
are shared with a list of users, then that list of users can
also see the month and the year when those friends were
added or when the user liked those pages. This will allow
an attacker to analyze the sentiments and opinions of a user,
e.g. when did a user start liking more violent political figures
and unlike the non-violent ones. Finally, with the Timeline,
if a user makes a comment on a page or a group, he does
not have the option to disable being traced back to the
profile. Before the Timeline, a user could make themselves
searchable by a specific group (e.g. “Friends” or “Friends
of friends”, etc. ) and even if they commented on pages
and groups, people outside those allowed groups would not
be able to link back to the commenters profile. Facebook
can solve these problems by allowing users to change the
settings to share their content with their desired audience.
D. Curse of social plugins
In April, 2010, Facebook launched its social plugins to
integrate other websites into Facebook. Since, its launch
over 2.5 million websites have used social plugins. Using
social plugins, websites can allow users to comment on
their content using their Facebook accounts. Moreover, it
enables seamless sharing of content from other websites to
Facebook. Although there are a large number of marketing
benefits of social plugins, they have also created new privacy
problems for users. One of the biggest adverse effect for
a user is the fact that their activity can be traced back to
their Facebook profile. Figure 4 shows an example of such
a privacy problem. The users have commented on a news
article published by a Japanese news paper. Here Wataru
Iwamoto has commented on this article when Reiko Mihara
shared it on his Facebook profile. Wataru did not agree for
his comment to be displayed on a publicly visible website.
Due to their comments’ public visibility now their opinions
regarding the topic are visible to anyone who can view the
article on the website and they are traceable back to their
profiles for the inquirer to find more details about them.
This tracing has the potential of various short and long term
consequences for users.
Again, this problem can be prevented by Facebook
through limiting the view of the comments from public
websites and making the comments of users visible only
on the user walls or fan pages where they have originally
commented. Moreover, those users who comment on public
forums using their Facebook accounts should be given with
the possibility to disconnect the link ability to their accounts.
E. Social network relay attacks
Prior research has shown the ease of cloning profiles on
Facebook [19]. Similar methods can be used to clone profiles
166
4. Figure 4. Social Plugins on a Japanese news website
on Twitter and other social networks. Another variant of the
cloning attacks can be a relay attack. In a relay attack, (1)
the attacker gets access to the social network content shared
by the victim, (2) he creates a new profile with the same
name as the victim, (3) he relays the victim’s messages. To
avoid detection by the victim, the attacker from the fake
profile blocks the victim, thus, the victim will no longer be
able to search the attacker on the social network. To further
reduce the chance of detection, the attacker can block all
current friends/followers of the victim, thus no one in the
current online social circle of the victim will know about the
existence of the attacker. This attack seems innocent if the
attacker only relays the exact messages by the victim to a
subset of his approved audience, but, it becomes malicious
when the attacker starts sharing the content beyond his
approved audience. Moreover, the attacker may selectively
add, delete or modify messages and share them with any
audience. In the case of Twitter, it is easier to launch this
attack, as a user’s tweets are mostly public, but for Facebook
the attacker needs to be a friend of the victim to get access
to most messages. Thus, he may use social bots or a targeted
friend attack to become friends in the first place [20], [21]
and then launch the attack. This attack can be used to achieve
many goals, for example, in a political scenario, it can be
used to damage the reputation of a rival or misinform his
audience.
Solution: When a user loses access to their account
as a result of forgetting the password or their account
being hacked, Facebook verifies a user with some acceptable
Figure 5. Documents that Facebook requests for account verification
documents as shown in Figure 5, in order to re-grant him
access to his account. These documents include a user’s
passport and driving license. Such documents are hard for an
attacker to fake because of the technical difficulties and legal
penalties. Moreover, when a user provides these documents
to prove their identity to Facebook or any other social
network, it is not a breach of privacy as the act is willfully
done by the user.
Similar verification can be offered by social networks to
prevent relay attacks. Any user who has been verified could
be provided with a “Verified by the service provider” for
the real name and other attributes on the profile. If the
original profile has a certificate of authenticity, it will be
harder for relay attackers to launch the attack without raising
suspicion. In essence, the social network will have to act as
a certification authority.
F. Permanent take over of a Facebook account
Facebook allows a user to recover their compromised
account using several verification mechanisms, but, they all
fail if the attacker changes the name of the victims account
and attach a new account to the victim’s email address used
to login to Facebook. Thus, the attacker can lose the decoy
account created with the victims email attached while having
a permanent take over of the victim’s real account.
Solution: Facebook should not allow associating used
email addresses with new accounts. This will prevent the
permanent over take attack.
III. RELATED WORK
Risks and threats to users’ personal data on social net-
works is widely researched over the past few years. Gross
et al. [22] performed one of the earliest studies to identify
potential threats including: identity theft, embarrassment and
stalking, to the user of social networks. Bonneau et al. [23]
showed that the public listing of eight friends in Facebook
public search leads to revealing much more than just limited
information. Dhingra and Bonneau independently provided
167
5. limited hacks into Facebook photos [24], [25]. Felt [26]
presented a cross-site scripting vulnerability in the Facebook
Markup Language which allowed arbitrary JavaScript to be
added to the profiles of the users of an application, which
lead to session hijacking. Polakis et al. [17] showed how
names extracted from social networking sites can be used to
launch personalized phishing attacks, which are much more
successful than traditional phishing. Mahmood and Desmedt
presented the deactivated friend attack, utilizing which, an
attacker can have indefinite access to their victim’s personal
information [21]. Using targeted friend requests, they were
added as friend’s by 62% of their victims. They also pro-
vided the first preliminary study of Google+’s privacy and
its comparison to Facebook [27]. Boshmaf et al. [20] used
socialbots to demonstrate the breaching of user’s privacy
on Facebook using the botnet model. Socialbots have been
previously used by criminals and are sold online for as little
as USD 29. They created 102 socialbots to make friends with
3055 Facebook users in eight weeks with a success rate of
35.6%. Bilge et al. [19] showed the ease of launching an
automated identity theft attack against some popular social
networks by sending friend requests to friends of a cloned
victim.
Chabaane et al. showed the implicit leak of information
through the likes and interests of users on Facebook [28].
IV. CONCLUSION
In this paper we exposed several new flaws in Facebook
and Twitter. These include the possibility of an attacker map-
ping email addresses to real user names, the possibility of
reconstructing a user’s friendlist even if his privacy settings
are set to hide it, and the new privacy flaws introduced with
the introduction of Facebook’s Timeline and social plugins.
Moreover, introduced relay attacks in social networks and
how their use could result in privacy breaches. For an
attacker with a compromised account of a user, we presented
a mechanism to permanently take it over. We also provided
solutions to each of the privacy leaks/ attacks we exposed.
REFERENCES
[1] “Facebook statistics,” http://newsroom.fb.com/content/
default.aspx?NewsAreaId=22, accessed: May 16, 2012.
[2] C. Taylor, “Social networking ‘Utopia’ isn’t coming,” CNN,
June 27, 2011.
[3] “About Meetup,” http://www.meetup.com/about/, accessed:
Feb. 20, 2012.
[4] YouTube, “YouTube statistics,”
http://www.youtube.com/t/press statistics, accessed: May 16,
2012.
[5] “Flickr,” http://advertising.yahoo.com/article/flickr.html, ac-
cessed: Feb. 20, 2012.
[6] “Foursquare,” https://foursquare.com/about/, accessed: Feb.
20, 2012.
[7] E. Barnett, “Google+ hits 90 million users,” The Telegraph,
Jan. 20, 2012.
[8] “Linkedin,” http://press.linkedin.com/about, accessed: Feb.
20, 2012.
[9] T. Monkovic, “Eagles employee fired for Facebook post,” New
York Times, March 10, 2009.
[10] J. Bonneau, J. Anderson, and G. Danezis, “Prying data out
of a social network,” in ASONAM, 2009, pp. 249–254.
[11] D. Barret and M. H. Saul, “Weiner now says he sent photos,”
The Wall Street Journal, Jun. 7, 2011.
[12] M. Stelzner, “Social media marketing industry report,”
http://www.socialmediaexaminer.com/
SocialMediaMarketingReport2011.pdf, 2011.
[13] D. L. Michael Henderson, Melissa de Zwart and M. Phillips,
Will u friend me? Legal Risks of Social Networking Sites.
Monash University, 2011.
[14] “Obama advises caution in use of Facebook,” Associated
Press, Sep. 8, 2009.
[15] S. Mahmood and Y. Desmedt, “Usable privacy by visual
and interactive control of information flow,” in Twentieth
International Security Protocols Workshop, 2012.
[16] ——, “Two new economic models for privacy,” in SIGMET-
RICS Performance Evaluation Review, 2012.
[17] I. Polakis, G. Kontaxis, S. Antonatos, E. Gessiou, T. Petsas,
and E. P. Markatos, “Using social networks to harvest email
addresses,” in WPES, 2010, pp. 11–20.
[18] “Facebook Timeline,” http://www.facebook.com/about/timeline,
accessed: May 16, 2012.
[19] L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda, “All your
contacts are belong to us: automated identity theft attacks on
social networks,” in WWW, 2009, pp. 551–560.
[20] Y. Boshmaf, I. Muslukhov, K. Beznosov, and M. Ripeanu,
“The socialbot network: when bots socialize for fame and
money,” in ACSAC, 2011, pp. 93–102.
[21] S. Mahmood and Y. Desmedt, “Your Facebook deactivated
friend or a cloaked spy,” in PerCom Workshops, 2012, pp.
367–373.
[22] R. Gross, A. Acquisti, and H. J. H. III, “Information revelation
and privacy in online social networks,” in WPES, 2005, pp.
71–80.
[23] J. Bonneau, J. Anderson, F. Stajano, and R. Anderson, “Eight
friends are enough: Social graph approximation via public
listings,” in SNS, 2009.
[24] A. Dhingra, “Where you did sleep last night? ...thank you, i
already know!” iSChannel, vol. 3, no. 1, 2008.
168
6. [25] J. Bonneau, “New Facebook photo hacks,”
http://www.lightbluetouchpaper.org/2009/02/11/new-
facebook-photo-hacks/, 2009.
[26] A. Felt, “Defacing Facebook: A secu-
rity case study,” 2007. [Online]. Available:
http://www.cs.virginia.edu/felt/fbook/facebook-xss.pdf
[27] S. Mahmood and Y. Desmedt, “Poster: preliminary analysis
of Google+’s privacy,” in ACM Conference on Computer and
Communications Security, 2011, pp. 809–812.
[28] A. Chaabane, G. Acs, and M. A. Kaafar, “You are what you
like! Information leakage through users’ Interests,” in NDSS,
2011.
169