Friend or Foe

The mutual-friends feature on social networks such as Facebook, which displays users’ shared friendships, might not be so “friendly.”

Often revered for bringing people together, the mutual-friends feature on Facebook actually creates myriad security risks and privacy concerns, according to a University of Pittsburgh study. The study demonstrates that even though users can tailor their privacy settings, hackers can still find private information through mutual-friends features.

Using computer simulation programs and an offline Facebook dataset containing 63 731 users, the researchers first demonstrated a “friend exposure” attack, exploring how many of a specific target user’s private friends an “attacker” could find. The attacks were tested on 10 randomly chosen user groups with sizes ranging between 500 and 5 000 individuals, as well as sample groups that were computer generated based on shared interests across user profiles. The same process was used for the “distant neighbor exposure attack,” in which the attacker’s goal was to identify the target’s private distant neighbors. Distant neighbors are users who are friends of friends of the target user (two degrees of separation) or even friends of friends of friends of the target user (three degrees of separation).

Finally, the team initiated a “hybrid attack,” in which an attacker tried to identify both the target’s private friends and distant neighbors.

They found that an attacker identified more than 60 percent of a target’s private friends in the “mutual-friend based attack.” Likewise, an attacker could find, on average, 67 percent of a target’s private distant neighbors by using 100 compromised user accounts.

The study shows the need for better privacy-protection settings to mitigate the problem — those that can also be easily navigated by users.

The paper, Mutual-friend Based attacks in Social Network Systems, was first published online April 22 in Computers & Security.
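As an added illustration (not code from the study or from this article), the sketch below measures how much of a private friend list a mutual-friends display reveals on a small constructed graph, and how a stricter display rule removes that exposure. The graph, the function names and the "strict" rule are assumptions made for the example, not the researchers' dataset or their recommended fix.

```python
# Constructed toy friendship graph (undirected); not data from the study.
EDGES = [
    ("target", "a"), ("target", "b"), ("target", "c"), ("target", "d"),
    ("a", "x"), ("b", "x"), ("b", "y"), ("c", "y"), ("d", "z"), ("x", "y"),
]
PRIVATE_FRIEND_LIST = {"target"}  # users who set their friend list to private


def build_graph(edges):
    """Return an adjacency map {user: set_of_friends} for an undirected graph."""
    graph = {}
    for u, v in edges:
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set()).add(u)
    return graph


def mutual_friends(graph, viewer, other, policy):
    """Mutual friends the platform displays to `viewer` on `other`'s profile."""
    common = graph[viewer] & graph[other]
    if policy == "naive":
        # Display rule that ignores the friend-list privacy setting.
        return common
    if policy == "strict":
        # Assumed mitigation: a private friend list also hides mutual friends.
        return set() if other in PRIVATE_FRIEND_LIST else common
    raise ValueError(f"unknown policy: {policy}")


def exposed_fraction(graph, target, observers, policy):
    """Share of the target's friend list visible across all observer accounts."""
    seen = set()
    for account in observers:
        seen |= mutual_friends(graph, account, target, policy)
    return len(seen & graph[target]) / len(graph[target])


GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    for policy in ("naive", "strict"):
        for observers in (["x"], ["x", "y", "z"]):
            share = exposed_fraction(GRAPH, "target", observers, policy)
            print(f"{policy:6} observers={observers} exposed={share:.0%}")
```

Running the same measurement against a platform's real display rules and graph samples gives a privacy team a concrete exposure figure to track when the rule changes.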
