SpamBot Wants to be Your Friend
18 October 2010
Vienna University of Technology, TU Vienna
Socializing and finding new friends on social network sites has become just as common as writing emails. However, these sites also bring new security risks. Gilbert Wondracek and Christian Platzer, of the Secure Systems Lab at VUT, have been researching these risks. With a few simple tricks, they managed to match more than 1.2 million social network profiles with the corresponding private email addresses. The experiment was done for scientific purposes only – but what if the next attack is launched by malicious hackers?
Someone who creates a profile on a social network site wants to get into contact with as many friends as possible. Most websites offer a very simple and convenient way to find new contacts: users can simply upload their email address book and receive a list of existing profiles matching those email addresses. “This gives cause for concern”, says Christian Platzer (VUT). “Even if my email address is supposed to be kept secret and it is not visible in my profile, the website still uses it to identify my profile.”
Millions of email addresses matched with personal data
The researchers used email addresses taken from a spam server (which has since been taken offline). Using simple computer programs, millions of email addresses could be checked against various social network sites in a short period of time. If a social network site responds that there is indeed a user profile for a given email address, then that address is most likely still in use – and in addition, the user profile provides valuable personal information about the owner of the address. Usually, a user profile includes a list of the names of the person's friends. From this list, new email addresses can be generated: the researchers had the computer create a list of possible email addresses for each name – for instance following the pattern email@example.com. Next, it can again be tested whether any of these addresses are registered on a social network site. That way, hundreds of thousands of valid email addresses could be found rapidly. Altogether, more than 1.2 million user profiles could be matched with their owner’s private email address.
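As an added defender-side example (not part of this article or of the researchers' work), the following Python routine shows what a site operator could run over the logs of its "find friends by email" lookup endpoint to flag clients whose traffic resembles the bulk checking described above: far more lookups than an address book holds, a low match rate, and the same name tried in several spellings. The Lookup record, the thresholds and the sample traffic are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Lookup:
    ts: float      # request time in seconds
    client: str    # API key or session issuing the "find friends by email" query
    email: str     # address submitted for matching
    matched: bool  # True when the site answered that a profile exists for it

def name_key(email):
    # 'john.doe@a.test', 'john_doe@b.test', 'doe.john@c.test' all map to one key
    local = email.split("@", 1)[0].lower()
    return tuple(sorted(t for t in re.split(r"[._-]+", local) if t))

def flag_enumerators(lookups, window=3600, max_per_window=500,
                     min_hit_rate=0.2, max_variants=3):
    # Returns {client: [reasons]} for traffic that looks like bulk checking
    by_client = defaultdict(list)
    for lk in sorted(lookups, key=lambda x: x.ts):
        by_client[lk.client].append(lk)
    flagged = {}
    for client, items in by_client.items():
        reasons = []
        peak = start = 0                      # peak lookups in any sliding window
        for i, lk in enumerate(items):
            while lk.ts - items[start].ts > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak > max_per_window:
            reasons.append(f"{peak} lookups within {window}s")
        hit_rate = sum(lk.matched for lk in items) / len(items)
        if len(items) >= 50 and hit_rate < min_hit_rate:   # guessed lists mostly miss
            reasons.append(f"hit rate {hit_rate:.2f} over {len(items)} lookups")
        variants = defaultdict(set)           # same name tried in several spellings
        for lk in items:
            variants[name_key(lk.email)].add(lk.email.lower())
        generated = sum(1 for v in variants.values() if len(v) > max_variants)
        if generated:
            reasons.append(f"{generated} name(s) queried as >{max_variants} variants")
        if reasons:
            flagged[client] = reasons
    return flagged

# Constructed sample traffic: one user syncing 20 contacts; a bulk client checking 600 addresses plus four spellings of one name.
SAMPLE = [Lookup(t, "alice-app", f"friend{t}@mail.test", t % 2 == 0) for t in range(20)]
SAMPLE += [Lookup(100 + i, "bulk", f"user{i}@mail.test", i % 10 == 0) for i in range(600)]
SAMPLE += [Lookup(700 + i, "bulk", v, False) for i, v in enumerate(
    ["john.doe@a.test", "john_doe@a.test", "john-doe@b.test", "doe.john@c.test"])]
```

Calling `flag_enumerators(SAMPLE)` flags only the "bulk" client, with all three reasons; a real deployment would tune the thresholds to its own baseline of legitimate address-book syncs.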
Tell me where you click – I’ll tell you who you are
Further dangers are posed by the user groups that can be joined on various social network sites. In these groups, people can discuss their favourite topics and get to know people with similar interests – but in the worst case, those groups can cause users to lose their anonymity on the web. A harmless-looking website may probe the user’s browser history and find out which group pages have been visited recently. If the malicious website knows the list of groups the user has joined, his identity can, in many cases, be determined quite accurately. After all, it is rather improbable that several users are members of exactly the same set of groups. That way, the website can guess the user’s name – even if the site itself is in no way affiliated with Facebook, Twitter or other social network sites.
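An added illustration of the argument that few users share exactly the same set of groups (this is example code, not the researchers' method or data): over a constructed membership table for a hypothetical site, the Python below reports how many users are consistent with a set of group pages known to have been visited, how that candidate set shrinks as more groups are observed, and how many users have a group set nobody else has. The user and group names are made up.

```python
from collections import Counter

# Constructed membership table for a hypothetical site: user -> group ids.
MEMBERS = {
    "u1": {"hiking", "python", "vienna"},
    "u2": {"hiking", "python", "vienna"},
    "u3": {"hiking", "chess"},
    "u4": {"python", "chess", "vienna"},
    "u5": {"chess"},
    "u6": {"hiking", "python"},
}

def candidates(members, observed):
    # Users consistent with a set of group pages known to have been visited:
    # every observed group must be among the user's memberships.
    return sorted(u for u, gs in members.items() if observed <= gs)

def k_anonymity_stats(members):
    # Size of the crowd each user hides in when the FULL group set is known.
    # Returns (fraction of users with a unique set, histogram of crowd sizes).
    sig = Counter(frozenset(gs) for gs in members.values())
    sizes = [sig[frozenset(gs)] for gs in members.values()]
    unique = sum(1 for s in sizes if s == 1) / len(sizes)
    return unique, Counter(sizes)

def shrinkage(members, visited):
    # A history probe only reveals pages actually visited, so the observer
    # learns groups one at a time; report the candidate count after each.
    seen, sizes = set(), []
    for g in visited:
        seen.add(g)
        sizes.append(len(candidates(members, seen)))
    return sizes

if __name__ == "__main__":
    unique, hist = k_anonymity_stats(MEMBERS)
    print(f"{unique:.0%} of users have a group set nobody else has; crowd sizes: {dict(hist)}")
    print("candidates after seeing hiking, python, vienna:",
          shrinkage(MEMBERS, ["hiking", "python", "vienna"]))
```

In this toy table four of six users are uniquely identified by their full group set, and two visited pages already narrow the crowd to a single user in some cases; an operator can run the same measurement over real membership data to judge how exposed its users are.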
“Of course we were very careful in our research project not to harm the websites and not to violate the privacy of users in any way”, Gilbert Wondracek emphasizes. “We only evaluated the data scientifically – but malicious attackers could indeed do quite a lot of harm with data like that.” In the most harmless case, the victim will receive vast amounts of spam, automatically selected to fit the user’s interests. Serious fraud is also possible. One day, tricksters may pretend to be friends or business partners and send a short message tailored with the help of personal data from the social network profile – and the victim is strongly tempted to believe that the sender is indeed the person he claims to be. Even forms of blackmail are conceivable. Maybe the user of a dating site is married – and willing to pay money so that this information remains secret?
Safety tips for the web 2.0
The newfound security hazards have been reported to the social network sites by the researchers at Vienna University of Technology. In several cases, the problems have already been fixed. For internet users, there is no point in developing paranoia, but it pays to be careful, assert Christian Platzer and Gilbert Wondracek. Some safety tips should definitely be followed: it is never a good idea to upload one's email address book anywhere on the internet, because valuable data that is better kept private is spread that way. Most social network sites offer the possibility of deciding which pieces of information should be visible to everybody and which should be restricted to personal friends. It is advisable to choose rather restrictive settings. Special care should be taken with tagging photographs. Not everybody needs to see the beach-party holiday pictures – especially not with the full names of the people in the picture. Telephone numbers or private addresses should never be posted in the profile. Data like that should only be given personally to people who are actually supposed to have it.