Nelson Novaes Neto showed at the Silver Bullet information security conference in Sao Paulo how he managed to convince a target – another web security expert called “SecGirl” – to add the fake profile he set up as a friend.
Being “friended” on Facebook not only leaves you open to spam – but often reveals details that could be used in identity theft attacks.
How could this happen? By creating another “cloned” Facebook account of someone that the security expert already knew on Facebook.
Many people have “culls” of friends every so often, so the idea that someone might be asking again isn’t so implausible.
Nelson Novaes Neto created a fake account in the name of a manager of his target – an unnamed security expert.
He began by creating a fake Facebook profile of someone that his intended target “SecGirl” trusted – in this instance, her boss.
Nelson Novaes Neto then sent her a friend request and set about making the fake profile look legitimate.
Firstly, he sent friend requests to friends of friends of the boss from the cloned account – 432 in total.
Within one hour, 24 requests were accepted – even though almost all of them had the boss already added as a friend.
After just seven hours, his cloned account’s friend request was accepted by the person he originally wanted to have access to, SecGirl.
The target was also conned into accepting a friend request from someone she was already friends with.
The implications of this manipulation of web privacy are huge.
“Once you have made friends with someone on Facebook,” Nelson Novaes Neto said, “it is possible to take over their account, by using the ‘three trusted friends’ password recovery feature.”
Once this is achieved, all it takes to have complete control of a Facebook account is changing the password and contact email address.
Nelson Novaes Neto said his experiment showed how criminals could use creativity on the web to hack accounts for illegal activity.
Nelson Novaes Neto told Brazilian newspaper UOL Noticias: “Social networks can be fantastic, but people make mistakes. Privacy is a matter of social responsibility.”
A Facebook spokesman told arstechnica.com that the experiment was a violation of the social network’s privacy policies.