Nelson Novaes Neto showed at the Silver Bullet information security conference in Sao Paulo how he managed to convince a target – another web security expert called “SecGirl” – to add the fake profile he set up as a friend.
Being “friended” on Facebook not only leaves you open to spam – but often reveals details that could be used in identity theft attacks.
How could this happen? By creating a “cloned” Facebook account of someone the security expert already knew on Facebook.
Many people have “culls” of friends every so often, so the idea that someone might be asking again isn’t so implausible.
Nelson Novaes Neto created a fake account in the name of a manager of his target – an unnamed security expert.
He began by creating a fake Facebook profile of someone that his intended target “SecGirl” trusted – in this instance, her boss.
Nelson Novaes Neto then sent her a friend request and set about making the fake profile look legitimate.
Firstly, he sent friend requests to friends of friends of the boss from the cloned account – 432 in total.
Within one hour, 24 requests were accepted – even though almost all of them had the boss already added as a friend.
After just seven hours, his cloned account’s friend request was accepted by the person he originally wanted to have access to, SecGirl.
The target was also conned into accepting a friend request of someone she was already friends with.
The implications of this manipulation of web privacy are huge.
“Once you have made friends with someone on Facebook,” Nelson Novaes Neto said, “it is possible to take over their account, by using the ‘three trusted friends’ password recovery feature.”
Once this is achieved, all it takes to have complete control of a Facebook account is changing the password and contact email address.
Nelson Novaes Neto said his experiment showed how criminals could use creativity on the web to hack accounts for illegal activity.
Nelson Novaes Neto told Brazilian newspaper UOL Noticias: “Social networks can be fantastic, but people make mistakes. Privacy is a matter of social responsibility.”
A Facebook spokesman told arstechnica.com that the experiment was a violation of the social network’s privacy policies.