Hello, Facebook! Here Is the Stalkers’ Paradise!: Design and Analysis of Enumeration Attack Using Phone Numbers on Facebook

Conference paper

Information Security Practice and Experience (ISPEC 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10701)

Abstract

We introduce a new privacy issue on Facebook. We were motivated by Facebook’s search option, which exposes a user profile when queried with his or her phone number. Building on this search option, we developed a method to automatically collect Facebook users’ personal data (e.g., phone number, location and birthday) by enumerating nearly the entire phone number range of a target area. To show feasibility, we launched attacks targeting users living in two specific regions (the United States and South Korea), mimicking real users’ search activities with three sybil accounts. Despite Facebook’s several security practices intended to stop such attempts to crawl users’ data, 214,705 phone numbers were successfully tested and 25,518 actual users’ personal data were obtained within 15 days in California, United States; likewise, 215,679 phone numbers were tested and 56,564 actual users’ personal data were obtained in South Korea. To prevent such attacks, we recommend several practical defense mechanisms.


Acknowledgments

This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (2017R1D1A1B03030627), and the MSIT (Ministry of Science and ICT), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2017-2015-0-00403) supervised by the IITP (Institute for Information & communications Technology Promotion). The financial support by the Austrian Federal Ministry of Science, Research and Economy and the National Foundation for Research, Technology and Development is gratefully acknowledged. The authors would like to thank all the anonymous reviewers for their valuable feedback.

Corresponding author

Correspondence to Hyoungshick Kim.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Kim, J., Kim, K., Cho, J., Kim, H., Schrittwieser, S. (2017). Hello, Facebook! Here Is the Stalkers’ Paradise!: Design and Analysis of Enumeration Attack Using Phone Numbers on Facebook. In: Liu, J., Samarati, P. (eds) Information Security Practice and Experience. ISPEC 2017. Lecture Notes in Computer Science, vol 10701. Springer, Cham. https://doi.org/10.1007/978-3-319-72359-4_41

  • DOI: https://doi.org/10.1007/978-3-319-72359-4_41

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-72358-7

  • Online ISBN: 978-3-319-72359-4

  • eBook Packages: Computer Science (R0)
