Contributions to Proceedings:
M. Balduzzi, Ch. Platzer, T. Holz, E. Kirda, D. Balzarotti, Ch. Krügel:
"Abusing Social Networks for Automated User Profiling";
in: "Recent Advances in Intrusion Detection (RAID 2010)",
Recently, social networks such as Facebook have experienced a huge
surge in popularity. The amount of personal information stored on these sites calls
for appropriate security precautions to protect this data.
In this paper, we describe how we are able to take advantage of a common
weakness, namely the fact that an attacker can query popular social networks for
registered e-mail addresses on a large scale. Starting with a list of about 10.4 million
email addresses, we were able to automatically identify more than 1.2 million
user profiles associated with these addresses. By automatically crawling and
correlating these profiles, we collect detailed personal information about each user,
which we use for automated profiling (i.e., to enrich the information available
from each user). Having access to such information would allow an attacker to
launch sophisticated, targeted attacks, or to improve the efficiency of spam
campaigns. We have contacted the most popular providers, who acknowledged the
threat and are currently implementing our proposed countermeasures. Facebook
and XING, in particular, have recently fixed the problem.
Electronic version of the publication:
Project Head Paolo Milani Comparetti:
Worldwide Observatory of Malicious Behaviors and Attack Threats
Created from the Publication Database of the Vienna University of Technology.