In late 2012, we interviewed NYU-Poly’s Professor Keith Ross about his research into privacy loopholes in Facebook. Ross showed it was possible to work out the names and high-school affiliations of students under 18, even though Facebook’s policies limit what legal minors can reveal publicly. The clear implication was that hackers and stalkers could take advantage of this information. At a recent conference held in Kuala Lumpur, analysts at security firm TrustWave took this idea a step further.
At Hack In The Box, TrustWave’s Timothy Lee and Jonathan Werett introduced their FBStalker Python script, which mines Facebook metadata using Graph Search. (The script is on GitHub.) The key to the script, as Ross has pointed out, is to infer information about a subject by looking at his or her friends in the network: what the friends publish fills in what the subject withholds. Facebook’s Graph Search, which has come under very justifiable criticism, makes this task much easier.
By the way, there’s a revealing post from the Facebook development team about how Graph Search works. It builds on Social-Attribute Network (SAN) algorithms, a favorite subject of ours. Similar ideas, inferring a subject’s metadata from the phone and email social networks of US citizens, are also exploited by the NSA in their own hacking, I mean, national security programs.
The TrustWave script came out of pen testing work the firm was doing for a client. The actual test was to see whether they could obtain the password of one of the client’s executives. They did: the analysts launched a very effective spear-phishing attack against the executive’s wife, built on information they scooped up from Facebook. FBStalker just provides a quicker, automated way of gathering that same information.
One of the underpinnings of Facebook-based phishing attacks is the feature that makes your friend list visible to your friends. It’s the grease that keeps Facebook and other social networks growing. But, in effect, it lets a stalker build out parts of the social graph, and because every friendship is visible from both ends, restricting your own friend list does not remove the edge from your friends’ lists. Graph Search adds more metadata on top: all those things you and your friends like are generally public in Facebook-land, and fair game for Graph Search.
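To make the two ideas above concrete (inferring a subject’s attributes from friends, and rebuilding a hidden friend list from the other side of each friendship), here is a small added illustration. It is not FBStalker and not Facebook’s code; the users, friend lists and attributes are constructed, and a simple majority vote stands in for the SAN models the post mentions.

```python
"""Attribute inference over a small constructed social graph.

Added illustration only: not FBStalker, not Facebook's Graph Search.
Every name and attribute below is made up for the example.
"""
from collections import Counter

# Constructed sample: what each user has *published*.
# "alice" (the target) has hidden her friend list and published no attributes.
FRIEND_LISTS = {
    "bob":   ["alice", "carol", "dave"],
    "carol": ["alice", "bob", "erin"],
    "dave":  ["alice", "bob"],
    "erin":  ["carol", "frank"],
    "frank": ["erin"],
    "alice": [],            # friend list set to "Only me"
}

PUBLIC_ATTRS = {
    "bob":   {"school": "Poly High",  "city": "Brooklyn"},
    "carol": {"school": "Poly High",  "city": "Brooklyn"},
    "dave":  {"school": "Poly High",  "city": "Queens"},
    "erin":  {"school": "Other High", "city": "Queens"},
    "frank": {"school": "Other High", "city": "Albany"},
    "alice": {},            # nothing published
}


def reconstruct_friends(friend_lists, target):
    """Recover the target's friendships from the other end of each edge.

    Hiding your own list does not hide you from your friends' lists, so
    every user who lists the target is an edge we can recover.
    """
    friends = set(friend_lists.get(target, []))
    for user, lst in friend_lists.items():
        if user != target and target in lst:
            friends.add(user)
    return friends


def infer_attribute(friends, attrs, key):
    """Majority vote over friends' public values for `key`.

    Returns (value, support, n) where support = share of voting friends
    that agree and n = number of friends who published the attribute,
    or None if no friend published it.
    """
    votes = Counter(
        attrs[f][key] for f in friends if key in attrs.get(f, {})
    )
    if not votes:
        return None
    value, count = votes.most_common(1)[0]
    n = sum(votes.values())
    return value, count / n, n


def infer_profile(friend_lists, attrs, target, keys):
    """Build a guessed profile for `target` from its (reconstructed) friends."""
    friends = reconstruct_friends(friend_lists, target)
    return {k: infer_attribute(friends, attrs, k) for k in keys}


if __name__ == "__main__":
    print("recovered friends:", sorted(reconstruct_friends(FRIEND_LISTS, "alice")))
    for key, guess in infer_profile(FRIEND_LISTS, PUBLIC_ATTRS, "alice",
                                    ["school", "city"]).items():
        if guess:
            value, support, n = guess
            print(f"{key}: {value} ({support:.0%} of {n} friends)")
```

Note what the target controlled and what she did not: she published nothing, yet three friends each list her, and their public school and city fields let us guess hers with a confidence score. That is the whole trick, whether the model is a majority vote as here or the richer link-and-attribute models used at scale.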
The key takeaway is to be careful whom you befriend. And be sure to limit what Graph Search knows about your metadata by reviewing and editing your activity log.