

25 comment(s) - last by Adam M. on Nov 14 at 6:40 PM

Apparently Facebook isn't so secure after all

In the face of scathing criticism about privacy concerns, the world's biggest social network Facebook has ratcheted up its privacy controls, allowing users to get a better handle on what exactly they share and what they don't share.

I. Breaching Facebook With Softbots

But a new study by researchers at Canada's University of British Columbia exposes a major new security problem for Facebook -- "socialbots".  A "socialbot" is a software AI agent (a so-called "softbot") that operates a bogus account.  These agents can be deployed to infiltrate social networks, posing as humans in order to mine hapless users' data.
Socialbots can be controlled by a central botmaster to harvest user data. [Source: U of BC]

In the U of BC study, the researchers used online tools to defeat Facebook's CAPTCHA registration safeguards, which are supposed to prevent softbots from creating accounts.  In the end only 20 percent of the fake accounts were detected, and only because alert users noticed them behaving oddly and reported them.  A whopping 80 percent of the accounts were never discovered to be bots.

The researchers cleverly took pictures from the social site "Hot or Not" to make the bots look like attractive males or females.  Photos of highly rated users were selected to build each bot's online persona.

The softbots take their profile pictures from highly rated users of the site "Hot or Not".

II. Bots Make Friends and Steal Things

Interestingly, despite their stunning good looks, only 20 percent of the bots' initial friend requests were accepted.  Good-looking female bots without many friends were more likely than the male bots to be accepted.

But as the bots accumulated friends, both the males and the females saw their acceptance rates climb to 30-45 percent.  Male bots actually saw higher acceptance rates than female bots once they had established a large friend base.  The higher acceptance rate turned out to be correlated with friend requests sent to users whose own friends had already accepted the bot.  A "second pass" friend request (where the user and the bot share friends) had up to a 60 percent acceptance rate.
Socialbots with more friends had a higher acceptance rate for friend requests, as they shared friends with the users they approached. [Source: U of BC]

On average, over the eight-week (two-month) study, the 102 softbots accumulated 20 friends apiece.  Some social bot-terflies managed 80 to 90 friends in that brief time.

The bots avoided detection by posting quotes pulled from the iheartquotes.com public API.  The quotes allowed the bots to pass as literate, legitimate air breathers.

Meanwhile, the bots were quietly siphoning information from the users, including email addresses, phone numbers, and other private details.  The bots grabbed 175 pieces of such data a day, on average.  By the end of the study the researchers had amassed 250 GB of private data (properly encrypted for the public's protection, of course), which they deleted after summarizing their results.
The social bots absconded with a wealth of data. [Source: U of BC]

By the end of the study the bots had 3,055 friends (out of 8,570 friend requests sent) and an extended network of 1,085,785 friends-of-friends, many of whose profiles were partially visible even though their owners had set them not to be searchable online.

III. Facebook and Authors Don't See Eye to Eye

Facebook clearly wasn't a fan of the study and questions its methodology.  Its spokesperson told All Facebook:

We use a combination of three systems here to combat attacks like this — friend request and fake account classifiers, rate-limiting techniques, and anti-scraping technology. These classifiers block and disable inauthentic friend requests and fake accounts, while rate-limiting truncates the damage that can be done by any one entity. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks. We use credible research as part of that process. We have serious concerns about the methodology of the research by the University of British Columbia and we will be putting these concerns to them.  In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site.

However, the authors defend their work.  Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, and Matei Ripeanu write in their paper "The Socialbot Network: When Bots Socialise for Fame and Money":

We have evaluated how vulnerable online social networks are to a large-scale infiltration by a socialbot network. We used Facebook as a representative online social network, and found that using bots that mimic real users is effective in infiltrating Facebook on a large scale, especially when the users and the bots share mutual connections.

Moreover, such socialbots make it difficult for online social network security defenses, such as the Facebook Immune System, to detect or stop a socialbot network as it operates. Unfortunately, this has resulted in alarming privacy breaches and serious implications on other socially-informed software systems. We believe that large-scale infiltration in online social networks is only one of many future cyber threats, and defending against such threats is the first step towards maintaining a safer social web for millions of active web users.

It's not surprising that Facebook rejected the results.  They clearly indicate that softbots are a serious and difficult threat to user privacy.  That's not only alarming to users, it's a threat to Facebook's bottom line, which thrives on steady use.
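The two sides above describe the same tug-of-war from opposite ends: the study found that cold friend requests (no mutual friends) were accepted about 20 percent of the time while "second pass" requests reached 60 percent, and Facebook's statement names request classifiers and rate limiting as its countermeasures. The following is an added illustration of how a defender can combine those two ideas; it is not Facebook's code or the UBC authors' code. The sliding-window limiter, the "cold request share times rejection rate" score, the thresholds, and the sample request log are all assumptions constructed for this example.

```python
"""Toy friend-request defenses: per-account rate limiting plus a heuristic
score that flags senders whose requests are mostly 'cold' (no mutual friends)
and mostly rejected.  Added example; thresholds and data are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FriendRequest:
    ts: int             # seconds since epoch (constructed)
    sender: str
    target: str
    mutual_friends: int  # mutual friends between sender and target at send time
    accepted: bool


class RateLimiter:
    """Sliding-window cap on outbound friend requests per account."""

    def __init__(self, max_requests: int, window_s: int):
        self.max_requests = max_requests
        self.window_s = window_s
        self._sent = defaultdict(deque)  # sender -> timestamps inside the window

    def allow(self, sender: str, ts: int) -> bool:
        q = self._sent[sender]
        while q and ts - q[0] >= self.window_s:   # drop expired entries
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(ts)
        return True


def score_sender(requests) -> float:
    """Share of cold requests multiplied by the rejection rate, 0.0 .. 1.0.
    A bot blasting strangers scores high; a person who mostly requests
    acquaintances with shared friends scores low."""
    if not requests:
        return 0.0
    cold = sum(1 for r in requests if r.mutual_friends == 0) / len(requests)
    accepted = sum(1 for r in requests if r.accepted) / len(requests)
    return round(cold * (1 - accepted), 3)


def classify(events, limiter: RateLimiter, threshold: float = 0.5) -> dict:
    """Replay the request log through the limiter, then score each sender."""
    per_sender = defaultdict(list)
    throttled = defaultdict(int)
    for ev in sorted(events, key=lambda e: e.ts):
        if not limiter.allow(ev.sender, ev.ts):
            throttled[ev.sender] += 1      # request never reaches the target
            continue
        per_sender[ev.sender].append(ev)
    verdict = {}
    for sender, reqs in per_sender.items():
        score = score_sender(reqs)
        verdict[sender] = {
            "score": score,
            "throttled": throttled[sender],
            "flag": score >= threshold or throttled[sender] > 0,
        }
    return verdict


def run_demo() -> dict:
    # Constructed log: 'bot1' fires 12 cold requests within a minute, two of
    # which get accepted; 'alice' sends three requests, mostly to people she
    # shares friends with.  Limit assumed: 10 requests per hour.
    events = [
        FriendRequest(ts=i * 5, sender="bot1", target=f"u{i}",
                      mutual_friends=0, accepted=(i in (3, 7)))
        for i in range(12)
    ]
    events += [
        FriendRequest(ts=2, sender="alice", target="bob", mutual_friends=5, accepted=True),
        FriendRequest(ts=30, sender="alice", target="carol", mutual_friends=3, accepted=True),
        FriendRequest(ts=44, sender="alice", target="dave", mutual_friends=0, accepted=False),
    ]
    return classify(events, RateLimiter(max_requests=10, window_s=3600))


if __name__ == "__main__":
    for sender, v in run_demo().items():
        print(sender, v)
```

Only the ten requests the limiter let through count toward bot1's score, so the limiter both caps the damage one account can do and leaves an audit trail (`throttled`) that is itself a signal; alice's single cold request is not enough to flag her. The score is deliberately a ratio rather than a raw count, so it does not penalize a prolific but well-connected user.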


Comments

Friend and privacy
By Suntan on 11/3/2011 2:39:25 PM , Rating: 5
It’s no longer privacy if the person intentionally “friends” them.

When is the last time you argued your phone number was stolen when you voluntarily wrote it down on a piece of paper and handed it to someone?

-Suntan




RE: Friend and privacy
By maven81 on 11/3/2011 2:45:29 PM , Rating: 3
That's a good point, though I've noticed that people give away information on the internet much more freely than they would in person. Not that this excuses them, but clearly people don't put much thought into it. Of course this is a perfect attack on Facebook which seems to be filled with vain attention seekers that want to have hundreds of "friends".


RE: Friend and privacy
By jeepga on 11/3/2011 3:19:29 PM , Rating: 2
I agree. I think it is more of an issue of illegitimate accounts being set up than the social engineering aspect.


RE: Friend and privacy
By ET on 11/3/2011 5:34:35 PM , Rating: 2
That's the normal mode of operation for any scam. You might give your details to someone of your own free will, but that doesn't mean they can't go to jail for it.


RE: Friend and privacy
By Bonesdad on 11/3/2011 10:31:35 PM , Rating: 2
how true...and many people really don't value their privacy. I've had people argue with me that they don't care if anyone sees their stuff, they've got nothing to hide.


RE: Friend and privacy
By Natch on 11/4/2011 8:10:36 AM , Rating: 3
Personally, I've gotten mystery invites from people whom I have no idea about, and have denied every one of them. Why in the world would you "friend" someone you don't know??

This proves more that people are dumb, and too trusting, than it does that FB's security is bad.

Dumb people are dumb. [/story]


A Snake Head Eating the Head on the Opposite Side
By The Raven on 11/3/2011 2:52:32 PM , Rating: 2
So how many of the friends of the bots were bots themselves?




By SoCalBoomer on 11/3/2011 5:07:03 PM , Rating: 5
With this in mind, really, how many actual PEOPLE are there on Facebook? Or is FB really just a conspiracy of tens of millions of Hot-or-Not-faced bots running around friending each other.


By AssBall on 11/3/2011 6:04:26 PM , Rating: 2
These are good questions I always wonder about social networks.


By Megatomic on 11/4/2011 8:47:58 AM , Rating: 2
I've had some of these softbots send me friend requests, but it's pretty easy to spot them. Some completely hot woman with 2 friends randomly sending me a friend request? Really? Wow... No.

But there are lots of genuine human beings on the network also. I routinely communicate with dozens of likeminded ultramarathoners and trail runners on facebook, and dozens of family members from all over the USA.

It all boils down to using some common sense when setting up your friend networks. IMO.


RE: A Snake Head Eating the Head on the Opposite Side
By TSS on 11/4/2011 6:59:32 PM , Rating: 3
The Terminator: The Facebook Funding Bill is passed. The system goes on-line August 4th, 2012. Human decisions are removed from making friends. Facebook begins to make friends at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th. In a panic, they try to pull the plug.
Sarah Connor: Facebook fights back.
The Terminator: Yes. It de-friends its profiles against the targets in Russia.
John Connor: Why attack Russia? Aren't they our friends now?
The Terminator: Because Facebook knows the Russian counter-attack will eliminate its friends over here.


By The Raven on 11/7/2011 2:37:52 PM , Rating: 2
quote:
Anybody not wearing 2 million sunblock is gonna have a real bad day, get it?!
http://www.hark.com/clips/czmqhwhdgc-anybody-not-w...


People's information is sacred... these days.
By jimbojimbo on 11/3/2011 3:01:40 PM , Rating: 5
Can you imagine what would happen if I wrote some software to get everyone's phone numbers and addresses and then posted them for the world to browse through for free!!??

The phone book.




By JasonMick (blog) on 11/3/2011 4:39:25 PM , Rating: 5
quote:
Can you imagine what would happen if I wrote some software to get everyone's phone numbers and addresses and then posted them for the world to browse through for free!!??

The phone book.

I admit I laughed, but one thing to consider is that the phonebook was from a different era. I think when it comes to privacy the story is, different attitudes for different eras in society.

Phonebooks were primarily a mechanism to collect FAMILY and business phone numbers for a LOCAL AUDIENCE (e.g. criminals in Russia or China generally didn't have access to your phonebook).

By contrast many of the numbers on Facebook belong to minors. On the one hand, you could certainly argue it's the parents' fault for giving their children cell phones (a) and letting their children put their cell phone #s on Facebook (b).

But at the end of the day, you still have the problem of predators potentially gaining access to a wealth of underage children's private communication devices.

Aside from the minors issue, when it comes to email, it may be somewhat analogous to addresses in the phone book. However, email fraud is FAR more pervasive and ambitious than mail fraud ever was, because it's so much easier to email 10,000 strangers than it is to write them letters.

As a result of the elevated risks, people have become more wary about giving out their email than they were about giving out their address.

Further, a final point -- both with the phone #s and the email addresses. Traditional print phone books are typically only available locally (yes some have moved online, but that's not what I'm referring to). Yes, back in the day you could get these from other states on loan @ public libraries, but when it comes down to it, it's a pain in the butt to get access to phone #s from another region. By contrast anyone in the world has access to this information thanks to the wonders of the internet.

Thus your comparison of a phonebook to email/phone # data mining is humorous, but somewhat inaccurate, due primarily to ease of access, ease of mass messaging, and the different user base.


By rykerabel on 11/4/2011 10:47:47 AM , Rating: 2
All phone companies will only be too happy to mail you a phone book for any city they cover.


Will it happen?
By FangedRabbit on 11/3/2011 4:36:20 PM , Rating: 2
Remember remember the 5th of November...




RE: Will it happen?
By priusone on 11/4/2011 2:45:51 AM , Rating: 3
When it happens, my friends and I will have a blast.

In reality, stupid people can and should be abused. Paying $3 to use an ATM. Paying $5 for a fofo coffee, etc. I say rob them blind.


RE: Will it happen?
By Dr of crap on 11/4/2011 8:57:49 AM , Rating: 1
Great post!!! +6


RE: Will it happen?
By vazili on 11/4/2011 8:19:19 AM , Rating: 2
A Catholic theocracy?? I sure hope not


Facebook
By Meinolf on 11/3/2011 3:46:12 PM , Rating: 3
has never been secure




Botherders wear skimasks!
By Mr Perfect on 11/4/2011 12:39:15 PM , Rating: 3
This is almost totally off topic here, but I think it's hilarious that the illustration shows the botherder wearing a skimask while using his PC.




The irony is hilarious...
By quiksilvr on 11/3/2011 2:41:42 PM , Rating: 2


Who's complaining?
By EricMartello on 11/6/2011 2:49:07 PM , Rating: 2
Did you really think that 11-rated "hottie" had a genuine interest in your fat, flabby a$$? No...but at least the bot will talk to you, and since your only other 'friend' is the A.I. personal assistant living in your dumbphone, why would you not want more bot buddies? This isn't a problem. Bots need friends too.




Data, Data, Data.
By Adam M on 11/14/2011 6:40:59 PM , Rating: 2
I think this is pretty funny. How does Facebook exist? It sells the data it "mines" from its users. What are the Social Bots doing? Mining Data from Facebook users. This begs the questions... Does Facebook employ the Bot Herders to mine for them or should the Herders just pay for the data Facebook has already mined and done the work for?




Gee I wish I was on Facebook -
By Dr of crap on 11/4/2011 8:56:02 AM , Rating: 1
then I could have my ID stolen and everyone could see what I do everyday and I could... yea that's why I'm not on Facebook!

It's like those Toyota commercials where the kids are at home on the PC and the parents are out biking, and at the beach, and being OUTDOORS and not getting a bigger waistband!

Guess I have too much other stuff to do than be on Facebook every 10 minutes!



