Online Social Networks (OSN) which can be defined as a online network that its primary goal is to have people “stay in touch with contacts,” are currently growing and are on the rise. As is the nature of OSNs, Personal Identifiable Information (PII) needs to be available to the service. PII can be defined as,
“Information which can be used to distinguish or trace an individual’s identity either alone or when combined which other public information that is linkable to a specific individual.” (Krishnamurthy, B. Wills, C. 2010)
Examples of PII could be a users Full Name, Birth Date, Email Address, Location (city or town), Phone Numbers, Photos of themselves, their activities and their interests. This information could be used for illicit uses such as identity theft. Because of this, OSNs need to take a serious look into securing their databases to make sure PII is not leaked in anyway. Unfortunately, most OSNs take that seriously. They leave known vulnerabilities un-patched, and even the users can be tricked into giving their PII. This essay looks into the current Computer Security issues of OSNs and the leakage of PII.
It is often thought that crackers find a small vulnerability in a website to take control of that website. But sometimes all it can take is a feature to turn into a vulnerability for crackers to break the OSN. In late 2009, DeviantART, an OSN targeted to artists, decided to include a ‘de-activation’ feature onto their website. This would allow users to publicly remove their account from the site. This was done for many reasons, such as changing their account name, stop attention ‘whores’ (those users who would say that they were leaving to gain attention, and then to comeback to the OSN the next week) or even to allow for people to quickly remove themselves from the site. The feature worked fine; all you needed to do was to click a button, enter your password, and you’re account was then closed. However, in December 2010, Silverpop Systems Inc., an advertising company that was working closely with DeviantART who shared personal details such as email addresses, and possibly usernames and birth dates, had their database cracked into and collected this PII. Soon after this, some new users of the site actively complained that their old account had been not only compromised, but deactivated and had to start a new account. Some of these users pleaded for their original accounts back, however, due to technical reasons, DeviantART staff could not meet that expectation. On January 5, 2011, the DeviantART staff changed the deactivation feature so that Staff could retrieve the accounts in a certain period before that account was removed from the site. This happened on the same day when two high profile users were almost deactivated by crackers.
The ‘deactivation system’ in this example is considered to be a Featurebility; either a vulnerability that is documented in the official documentation, or a feature that could be treated as a vulnerability in an certain situation, and is usually put in on purpose by the developer. In the presentation, ‘Satan is on my Friends list: Attacking Social Networks,’ researchers Nathan Hamiel and Shawn Moyer showed examples of these Featurebilities such as allowing HTML to be entered into user generated content, which could be used to create a Cross-site Request Forgery; a vulnerability from the 1990’s that allows specific malicious actions to happen when they are requested via HTML and CSS code. They said on these vulnerabilities that if these vulnerabilities are in the documentation of the APIs, then it is the developers fault for them not patching their own work.
Not only is the problem of the Featurebilities that arise because of OSN developers programming, the other problem is the sharing of “Personally identifiable information” (PII) by users of OSNs. According to Krishnamurthy et.al., in the 12 OSN’s that they studied, most OSNs had some pieces of PII available for anyone to see. Table 1 shows their results to that analysis to show the various availabilities of pieces of PII on those OSN’s. It is quite clear that although those pieces of PII that are widely available are almost considered to be public domain, that information is still quite important. For the information that is considered to be private but given to the OSN could be leaked out via an external application (such as a game) on an OSN, which could then send that information to somewhere outside of that OSN ecosystem. While this is a great way to leak PII to outside the OSN, it might not be the easiest way to gather PII.
Although I have discussed obtaining PII via technical means via OSNs, not all ways of obtaining PII are technical. In fact, it is probably more likely that the use Social Engineering to obtain this private data. Again in the presentation “Satan is on my Friends List,” Hamiel and Moyer showed how (with permission) they had impersonated Marcus Ranum, a well-known security professional in IT who is actively against OSNs, on an OSN for professionals, LinkedIn. Using only information from press releases, biographies and articles by Ranum, they were able to quickly create a profile to impersonate with. After that, to legitimise the profile, they tried to find “link-whores,” those who would actively go out and friend as many people as possible. These people were found via a simple Google search. within 12 hours, this persona had received over 40 connections, including people who work in the IT security industry, and would have heard Ranum speak about his opinion about OSNs. Also they joined various LinkedIn groups. This gave the persona enough creditability to attract other professionals known by Ranum, CSOs, and people who work for ISSA, which they without prompt, gave important PII such as their Phone Number and private email address, and information about upcoming projects they were working on. They even made a connection with his sister. This sharing of PII can happen not only to professionals, it can happen everyday on other OSNs.
On a popular OSN, Facebook, people share their PII in the public domain without them even noticing it. If you are on Facebook, you may notice a event or group occasionally calling for Mobile Phone Numbers, usually by a friend who’s profile has not been cracked into and they are genuinely is asking for their friends phone numbers. The problem is that these events and groups are usually set to it’s most public setting, which could be collected for malicious use. Tom Scott, a software developer, spent a few hours on creating a website application using the Facebook API to collect names and their phone numbers from these groups and events, and displayed them (without the last 4 digits) on his website. It is quite clear that this PII could be easily obtained by the user without the user realising it.
That being said, some researchers and developers are currently working on making OSNs more secure. Diaspora promises to be an OSN that is rid of any Privacy or the leaking of PII on their part, however when it was launched in an Alpha phase in 2010, numorus critics said that it was filled with Security holes and privacy issues. It is currently getting better, however some are still calling out for changes in the OSN backbone, as some of these areas have not been addressed. Some researchers have, however, worked on better ways to make these systems better. Researchers from the University of Illinois have worked on an encryption application to work on Facebook, that will encrypt and decrypt messages over Facebook. This would be good for a OSN such as Diaspora or Facebook. So far, from what I have read, it is not clear if anything like this would be used in OSNs.
As OSNs become more and more mainstream, it is quite clear that a lot of work needs to be done in the area of Security and in making sure that PII does not get leaked. However, as seen in the examples and case studies shown in this essay, it can be concluded that developers of OSNs are not thinking of these issues. Although some researchers are spending time on making OSNs more secure, it needs to be implemented in large OSNs. In reality, OSNs need to be more secure than what they are.
This was written by joshlama.
Links
Satan is on my Friends List (DefCon 16)
The Cross-Site Request Forgery (CSRF/XSRF) FAQ.
Facebook Users’ Phone Numbers Exposed by “Evil” App
Pondering Diaspora’s Security
Other references can be asked in the comments below