HITB2011KUL - Attacking Privacy of Social Network Users

2012-02-05T00:00:00
ID VULNERLAB:425
Type vulnerlab
Reporter Marco ‘embyte’ Balduzzi holds an MSc. in computer engineering and has been involved in IT-Security for more then 8 years with international experiences in both industrial and academic fields. He worked as security consultant and engineer for different companies in Milan, Munich and Sophia-Antipolis, in south France, before joining EURECOM and the International Secure Systems Lab as Ph.D. researcher. He has presented at well-known and high-profile conferences (Blackhat, OWASP AppSec, NDSS) and currently speaks five different languages. Being a Free Software sympathizer, in the year 2K, he cofounded the Bergamo Linux User Group and the University Laboratory of Applied Computing. In former times, he was an active member of several open-source projects and Italian hacking groups.
Modified 2012-02-05T00:00:00

Description

                                        
                                            Document Title:
===============
HITB2011KUL - Attacking Privacy of Social Network Users


References:
===========
Download:	http://www.vulnerability-lab.com/resources/videos/425.wmv
View: 		http://www.youtube.com/watch?v=xGuV0Om67n8



Release Date:
=============
2012-02-05


Vulnerability Laboratory ID (VL-ID):
====================================
425


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Event


Severity Level:
===============
Medium


Technical Details & Description:
================================
Social networks are some of the largest and fastest growing online services today. Facebook, for example, 
has been ranked as the second most visited site and has been reporting growth rates as high as 3% per week, 
with more than 500 million registered users. The amount of personal information stored on these networking 
sites calls for appropriate security precautions that are often inadequate or poorly implemented. Indeed, 
our research team recently discovered different vulnerabilities, shared among various social networking 
sites. that permit to access personal sensitive information for running spear phishing, targeted spamming 
or drive-by-download attacks.

In this talk, I present several novel attacks that target the privacy of social network users. For example, 
in the automated querying attack, someone can rapidly map million of registered users to their personal e-mail, 
which is normally considered private information and not directly revealed by the social network. In another 
attack, by leveraging the recommendation system, e.g. the Facebook’s friends-finder functionality, the attacker 
can easily collect thousands of friendships and get access to a large amount of personal data that normally is 
protected. To prove that these attacks constitute a real threat for social network users, we implemented and ran 
automated systems against ten different vulnerable sites, such as Facebook, Twitter and LinkedIN. The problems we 
identified have been acknowledged by some of the networking sites, which have adopted our countermeasures.

Finally, I will introduce Safebook, a decentralized authenticated social network that our lab recently designed 
with the scope of preserving the privacy of online users.


Credits & Authors:
==================
Marco ‘embyte’ Balduzzi holds an MSc. in computer engineering and has been involved in IT-Security for 
more then 8 years with international experiences in both industrial and academic fields. He worked as 
security consultant and engineer for different companies in Milan, Munich and Sophia-Antipolis, in 
south France, before joining EURECOM and the International Secure Systems Lab as Ph.D. researcher.

He has presented at well-known and high-profile conferences (Blackhat, OWASP AppSec, NDSS) and currently 
speaks five different languages. Being a Free Software sympathizer, in the year 2K, he cofounded the 
Bergamo Linux User Group and the University Laboratory of Applied Computing. In former times, he was 
an active member of several open-source projects and Italian hacking groups.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory