Grad Student Exposes Vulnerabilities of Social Media

July 01, 2012

As social media expands in popularity, so, too, does the volume of personal information living on the Internet. Forensic sciences master’s candidate Regina Elwell researched the vulnerabilities of Facebook and other social networking websites. The result was the report “Social Engineering Attack Vectors Using Social Media.” Using readily available tools from the Internet, Elwell illustrated how criminals and identity thieves can mine data on Facebook pages, then use the information to their advantage.

The main purpose of her research was to highlight the ease of obtaining information that is deemed publicly available to users through security and privacy settings, but not made accessible to the general public. Elwell conducted her research for her master’s course in forensic sciences, taught by Professor Eva Vincze.

Elwell identified and analyzed four main types of Facebook hacking: phishing, malicious script scams, clickjacking, and session hijacking. Hacker tools with images—designed to deceive a user into sharing his or her personal information—ranged from a fake Facebook login screen to a page that promised to tell users, once a faulty script was reported, who had been stalking the profile.

Many Facebook users are familiar with these scams, which can also compromise the user’s “Facebook Friends.” Elwell’s research, however, illustrated how easily connections between the main user and each of the user’s “Friends” or “Friends of Friends” expose private information on Facebook.

For example, many users know not to accept a Facebook Friend request from a stranger. But Elwell demonstrated that the hacker does not need to be a Facebook Friend of the main user in order to access private information. Depending on a user’s security and privacy settings, the hacker may only have to trick one of the user’s “Friends” into accepting a request.

“It is extraordinary the amount of information that users share with their ‘Friends’ and ‘Friends of Friends,’ exposing it freely to the ‘Public’ and the attacker,” Elwell said.

Elwell warned users to embrace basic security measures and appropriate privacy settings. She also strongly encouraged users to take responsibility for their personal information and to be discreet when deciding what is appropriate to share on the Internet.

“Social media sites can be an extremely valuable tool in such efforts as marketing and recruiting,” she said, “but it is imperative that appropriate privacy and security policies are established prior to use.”