The two experiments (Proof of Concept – Research Study) were presented at the Silver Bullet Conference. Both were carried out solely as proofs of concept to demonstrate the fragility of, and the privacy issues in, the use of social networks. No information, interactions or any other private information from users has been copied. This is not a code vulnerability or a problem specific to Facebook.
Original Source (Portuguese version): http://tecnologia.uol.com.br/ultimas-noticias/redacao/2011/11/16/e-possivel-ficar-amigo-de-qualquer-um-no-facebook-em-ate-24-horas-alerta-especialista.jhtm
Most people have spent a great deal of their time cultivating the tens (or perhaps hundreds) of relationships that make up their contact list on Facebook. One theory, however, puts the very premise of social networks on permanent alert: it is possible to befriend almost anyone on Facebook in less than 24 hours.

Figure 1: The researcher used a security specialist and her manager as targets for the experiment.
The technique is unusual and totally contrary to Facebook's terms of use, but it shows exactly how users can be manipulated. To prove his theory, Nelson Novaes, a researcher in the field of online security and behavior, created an experiment in which he intended to befriend on Facebook a woman who worked in web security. For the purposes of the study, she was named SecGirl. The goal of the experiment was to add SecGirl as a friend on Facebook in less than 24 hours. The result came earlier than expected: the specialist managed to add SecGirl to his contact list in seven and a half hours.
To get closer to SecGirl, Novaes literally cloned the profile of someone very close to her: her manager. Using the cloned profile, Novaes began sending friend requests to friends of friends of the manager. In just one hour, 24 of the 432 requests were accepted. The remarkable thing is that 96% of the people who accepted the friend request had already added the true owner of the profile to their contact list (that is, they added the same person twice to their list, unaware that one profile was false).
In the next hour, the researcher devoted himself to sending friend requests to the manager's direct friends. Of the 436 requests, 14 people accepted the request made by the false profile – again, all of them had already added the original profile to their contact lists and yet added the clone as well. In just over two hours, the manager herself accepted the friend request made by the profile Novaes had cloned.
This fact would be crucial to SecGirl's decision to add the cloned profile as a friend seven and a half hours after the beginning of the experiment. The reasoning is as follows: if a user shares so many mutual friends with you, you should accept him or her – after all, he or she must somehow be part of your circle of friends, not a complete stranger. So you add this person to your Facebook contacts, and he or she can then access information that other people cannot.
“People have simply ignored the threat posed by adding a profile without checking if this profile is true. New technologies have loopholes, but it is up to the users to be aware of this type of flaw. Social networks can be fantastic, but people make mistakes. Privacy is a matter of social responsibility. There is no solution. We must make good use of the social network and we are alone in this task”, said Nelson Novaes to UOL Tecnologia.
Facebook and infidelity
The experiment also revealed what Novaes considers a serious privacy failure on Facebook. According to the researcher, the recent “Ticker” tool (currently available to only a few Facebook users), which displays updates from contacts in real time in the upper right corner, reveals more than the user expects, such as signs of infidelity. And such information cannot be removed.
To prove his theory, Novaes created three fictitious profiles: one of a woman, another of her husband and a third of a mutual friend. The experiment, recorded on video and posted on YouTube, shows that even after the woman had chosen not to disclose her update notifications to anyone, not even her husband, the mutual friend could see these notifications in real time in the “Ticker” (the husband's profile did not have the “Ticker” enabled).
In the example given, the woman would rather not tell her husband that she confirmed a friend request from an ex-boyfriend, but that information is revealed to the mutual friend, who can see the confirmation in the “Ticker”.
“I don’t know if this is a failure or something intentionally done by Facebook. The fact is, by creating a Facebook account, the user automatically agrees to the terms and conditions established by Facebook, and these rules are subject to change at any time”, concludes Novaes, talking about the way Facebook works.
The researcher has contacted the social network’s administrators, but obtained no response concerning the “Ticker”.