Study shows how Facebook's mutual-friends feature creates security risks, privacy concerns

May 30, 2013
"Oftentimes, mutual-friends features have not been created in tandem with privacy setting designs, and inadequate thought with regards to security and privacy issues has been given," said James Joshi, principal investigator of the study and associate professor of information assurance and security in Pitt's School of Information Sciences. "With such a huge user base in such systems, a minor privacy breach can have a significant impact." Credit: University of Pittsburgh

The mutual-friends feature on social networks such as Facebook, which displays users' shared friendships, might not be so "friendly."

Often revered for bringing people together, the feature on actually creates myriad and according to a University of Pittsburgh study published in Computers & Security. The study demonstrates that even though users can tailor their settings, hackers can still find private information through mutual-friends features.

"Oftentimes, mutual-friends features have not been created in tandem with privacy setting designs, and inadequate thought with regards to security and privacy issues has been given," said James Joshi, principal investigator of the study and associate professor of information assurance and security in Pitt's School of Information Sciences. "With such a huge user base in such systems, a minor privacy breach can have a significant impact."

Together with his colleagues—Mohd Anwar, a former faculty member in Pitt's School of Information Sciences and now assistant professor at North Carolina A&T State University, and Lei Jin, a PhD candidate in Pitt's School of Information Sciences—Joshi examined three different types of attacks on social network users using an offline Facebook dataset containing 63,731 users from the New Orleans regional network. This dataset (chosen because it was open to the public) also included more than a million friend links.

Using computer simulation programs, the researchers first demonstrated a "friend exposure" attack, exploring how many private friends an "attacker" could find of a specific target user. The attacks were tested on 10 randomly chosen user groups with sizes ranging between 500 and 5,000 individuals, as well as sample groups that were computer generated based on shared interests across user profiles. The same process was used for the "distant neighbor exposure attack," through which the attacker's goal was to identify private distant neighbors from the initial target. These distant neighbors indicate users that are friends of friends of the target user (two degrees of separation) or even friends of friends of friends of the target user (three degrees of separation).

Finally, the team initiated a "hybrid attack," in which an attacker tried to identify both the target's private friends and distant neighbors.

They found that an attacker identified more than 60 percent of a target's private friends in the "mutual-friend based attack." Likewise, an attacker could find, on average, 67 percent of a target's private distant neighbors by using 100 compromised user accounts.

"Being able to see mutual may allow one to find out important and private social connections of a targeted user," said Joshi. "An attacker can infer such information as political affiliations or private information that could be socially embarrassing. More importantly, the information that's gathered could be used, in combination with other background information about the targeted user, to create false identities that appear even more authentic than the actual user."

"It is important to understand all possible privacy threats to users of sites so that appropriate mechanisms can be developed. This work of ours is an effort to comprehensively understand such threats related to the mutual-friend feature so that appropriate measures can be taken."

Joshi cites the need for better privacy-protection settings to mitigate the problem—but those that can also be easily navigated by .

Explore further: Fitbit to Schumer: We don't sell personal data

More information: The paper, "Mutual-friend Based attacks in Social Network Systems," was first published online April 22 in Computers & Security.

add to favorites email to friend print save as pdf

Related Stories

Wolfram Alpha expands Facebook analytics

Jan 25, 2013

(Phys.org)—Wolfram Alpha, the computational search engine has announced a major upgrade to its Personal Analytics for Facebook. Now instead of a few basic facts about a user's Facebook page, those who use the e ...

Facebook privacy flaw nailed at Lugano workshop

Mar 22, 2012

(PhysOrg.com) -- As if Facebook has not has enough invasion-of-privacy problems, a pair of researchers have come up with one more reason why Facebook cannot rest. Shah Mahmood and Yvo Desmedt, Chair of Information ...

Recommended for you

Fitbit to Schumer: We don't sell personal data

4 hours ago

The maker of a popular line of wearable fitness-tracking devices says it has never sold personal data to advertisers, contrary to concerns raised by U.S. Sen. Charles Schumer.

Should you be worried about paid editors on Wikipedia?

9 hours ago

Whether you trust it or ignore it, Wikipedia is one of the most popular websites in the world and accessed by millions of people every day. So would you trust it any more (or even less) if you knew people ...

How much do we really know about privacy on Facebook?

10 hours ago

The recent furore about the Facebook Messenger app has unearthed an interesting question: how far are we willing to allow our privacy to be pushed for our social connections? In the case of the Facebook ...

Philippines makes arrests in online extortion ring

10 hours ago

Philippine police have arrested eight suspected members of an online syndicate accused of blackmailing more than 1,000 Hong Kong and Singapore residents after luring them into exposing themselves in front of webcam, an official ...

Google to help boost Greece's tourism industry

22 hours ago

Internet giant Google will offer management courses to 3,000 tourism businesses on the island of Crete as part of an initiative to promote the sector in Greece, industry union Sete said on Thursday.

Music site SoundCloud to start paying artists

Aug 21, 2014

SoundCloud said Thursday that it will start paying artists and record companies whose music is played on the popular streaming site, a move that will bring it in line with competitors such as YouTube and Spotify.

User comments : 0