Security Research: Befriend anyone on Facebook in 24 hours
The Hacker News

"People have simply ignored the threat posed by adding a profile without checking if this profile is true. New technologies have loopholes, but it is up to the users to be aware of this type of flaw. Social networks can be fantastic, but people make mistakes. Privacy is a matter of social responsibility. There is no solution. We must make good use of the social network and we are alone in this task", said Nelson Novaes, an independent Brazilian security and behavior researcher. The two experiments (Proof of Concept – Research Study) were presented at the Silver Bullet conference. Both served solely as proofs of concept to demonstrate the fragility and privacy issues in the use of social networks.

The technique is unusual and totally contrary to Facebook's terms of use, but it shows exactly how users can be manipulated. To prove his theory, Nelson Novaes, a researcher in the field of online security and behavior, created an experiment in which he set out to befriend on Facebook a girl who worked in web security. For the purposes of the study, she was named SecGirl. The goal was to add SecGirl as a friend on Facebook in less than 24 hours. The result came earlier than expected: the specialist managed to add SecGirl to his contact list in seven and a half hours.

To get closer to SecGirl, Novaes literally cloned the profile of someone very close to the girl: her manager. Using the cloned profile, Novaes began sending friend requests to friends of friends of the manager. In just one hour, 24 of the 432 requests were accepted. The remarkable thing is that 96% of the people who accepted the friend request had already added the true owner of the profile to their contact list (that is, they added the same person to their list twice, unaware that the second profile was false).

In the next hour, the researcher turned to sending friend requests to direct friends of the manager. Of the 436 requests, 14 people accepted the request made by the false profile. Again, all of these people had already added the original profile to their contact lists and yet added the clone as well. In just over two hours, the manager himself accepted the friend request made by the profile Novaes had cloned.

This fact would be crucial for SecGirl's decision to add the cloned profile as a friend seven and a half hours after the beginning of the experiment. The logic is as follows: if a user has so many mutual friends with you, you should befriend him/her; in other words, he/she is in some way part of your circle of friends, not a complete stranger. Therefore, you decide to add this person to your Facebook profile, and he/she can then access information that other people cannot.

"Most people have spent a great deal of their time cultivating their tens (or perhaps hundreds) of relationships that make up their contact list on Facebook. One theory, however, puts on permanent alert the premise of social networks: it is possible to befriend almost anyone on Facebook in less than 24 hours," he added.

The experiment also revealed what Novaes considers a serious privacy failure on Facebook. According to the researcher, the recent "Ticker" tool (currently available to only a few Facebook users), which displays updates from contacts in real time in the upper right corner, reveals more than the user expects, such as signs of infidelity. And such information cannot be removed.
