Nelson Novaes Neto, a Brazilian security expert, has worked out a way to “friend” anyone using the social network Facebook.
Nelson Novaes Neto showed at the Silver Bullet information security conference in Sao Paulo how he managed to convince a target – another web security expert called “SecGirl” – to add the fake profile he set up as a friend.
Being “friended” on Facebook not only leaves you open to spam but often reveals details that could be used in identity theft attacks.
The expert’s research found that up to 80% of people would freely hand over crucial information such as a mother’s maiden name to “friends” on Facebook.
How could this happen? By creating a “cloned” Facebook account of someone the target already knew on Facebook.
Many people have “culls” of friends every so often, so the idea that someone might be asking again isn’t so implausible.
Nelson Novaes Neto created a fake account in the name of a manager of his target – an unnamed security expert.
He began by creating a fake Facebook profile of someone that his intended target “SecGirl” trusted – in this instance, her boss.
Nelson Novaes Neto then sent her a friend request and set about making the fake profile look legitimate.
Firstly, he sent friend requests to friends of friends of the boss from the cloned account – 432 in total.
Within one hour, 24 requests were accepted – even though almost all of those people already had the real boss as a friend.
Nelson Novaes Neto then sent friend requests to 436 direct friends of the boss – he was accepted by a further 14 people within an hour.
After just seven hours, his cloned account’s friend request was accepted by the person he originally wanted to have access to, SecGirl.
The target was also conned into accepting a friend request from someone she was already friends with.
The implications of this manipulation of web privacy are huge.
“Once you have made friends with someone on Facebook,” Nelson Novaes Neto said, “it is possible to take over their account, by using the ‘three trusted friends’ password recovery feature.”
Once this is achieved, all it takes to gain complete control of a Facebook account is changing the password and the contact email address.
Nelson Novaes Neto said his experiment showed how criminals could use creativity on the web to hack accounts for illegal activity.
Nelson Novaes Neto told Brazilian newspaper UOL Noticias: “Social networks can be fantastic, but people make mistakes. Privacy is a matter of social responsibility.”
A Facebook spokesman told arstechnica.com that the experiment was a violation of the social network’s privacy policies.