Facebook is serious about its new Graph Search feature, which helps users of the social media site narrowly search for friends with common interests in a much more intuitive fashion than a Google search, for example. Founder Mark Zuckerberg had tagged Graph Search the third Facebook pillar, right alongside the site’s news feed and timeline. So why are security and privacy experts nervous? There’s some serious horsepower behind Graph Search, and there are users whose interests aren’t as benign as finding friends of friends in a particular location who happen to like country music, fine wine and yoga.

“This is basically a beautiful feature coming from a social engineering point of view,” said Christopher Hadnagy, owner of White Hat Defense and founder of social-engineer.com. “I see this as a benefit for social engineers because you’re giving them victims; they’re not guessing anymore. Usually, a phisher or spammer collects a couple hundred email addresses and they’re hoping 10 percent of those who get it have an interest in what the email is about. With this tool, it gives a malicious person the ability to figure out whom to target with a particular message because they know their interests.”

Graph Search is in beta right now; Facebook users can sign up for access to the beta and requests are usually fulfilled within a week. Once it’s rolled out in full force, phishers and spammers may have one more tool to refine their target lists. A sample search by Threatpost for engineers who work at Apple Computer returned several dozen results of people who indicated on their profiles they worked at Apple. An attacker can take that initial list and refine searches further as they choose.

“Think about the implications if you’re an attacker targeting a Fortune 500 company,” Hadnagy said. “You can take that list, refine it and find out people who like to eat here, or have a particular hobby and perform multiple attacks against a company by refining the victim list and develop phishing, phone or other attacks based on the interests of those people.”

Facebook representative Fred Wolens had no comment when asked by Threatpost about the concerns of experts and whether the implications for phishing and spam attacks were considered during development of the feature. He did confirm that users will have no way to opt out of search.

“But you can influence what others can see about you by controlling with whom and what you share with on Facebook—including profile information, posts, and photos,” Wolens said. “For photos or posts of you that have been uploaded by others, you can ask that they be removed from Facebook entirely, or you can untag yourself.”

Wolens said the decision to refine search capabilities to such a degree was based on user feedback that they expect a better search experience on Facebook.

“People put so much into Facebook, but until now there have been very limited ways to access this information,” Wolens said. “Graph Search allows you to select the content you want to view on Facebook.”

Lance Spitzner, a SANS Institute instructor and security training and awareness specialist, concurs that Graph Search has limitless potential for phishers and even possibly nation state attackers who target particular individuals and organizations. The key is for users to understand the implications of sharing particular personal information on any social media outlet.

“In general, most people are good. They do not think about that small population of bad people who want to hurt them,” Spitzner said. “In addition they do not realize just how much information they are posting. They only post little bits at a time. Each bit by itself is not harmful, but when put together you have the completed puzzle. If people understood the entire puzzle, and the bad guys who will take advantage of that information, I think their attitude would change. It really comes down to awareness, or lack thereof.”

Compounding the risk is the fact that Facebook—and other social media—act as authentication into other online services. People’s inherent trust in the platform leads them to share more personal data and further enrich the environment for cybercriminals mining information on victims.

“This is another arrow in the quiver. Is it a better or worse arrow, I’m not sure yet,” Hadnagy said. “Facebook has millions of users and people are adamant about putting lives on Facebook; pictures, checking in from different locations, etc. When looking at the quantity of people doing that, and you add a tool that allows them to search that data for anything, this is one of the better arrows in the quiver.”

Facebook’s Wolens said all new features go through a “rigorous” code review process; engineers upon being hired go through six weeks of boot camp training that includes privacy and security. Products have to pass muster with product security, security engineering and other internal Facebook development teams, Wolens said, as well as third-party penetration testers. The same, he said, goes for privacy.

“Products are built with privacy in mind from the ground up, and Graph Search went through our rigorous privacy review process, just like every new product or feature that we launch,” Wolens said. “This process includes our Privacy (incl. CPOs), Legal, Security and numerous other departments. Graph Search respects all existing [user] privacy settings.”

Hadnagy, meanwhile, suggests that users apply some critical thinking when they’re posting personal information to Facebook.

“This is how bad guys get to you and hack you,” Hadnagy said. “Is it Facebook’s fault? Partly, but they’re just feeding the desire people have. Users need to be educated to the dangers of these things.”


Comments (11)

  1. CopyCat

    We urgently need new law which gives natural and legal persons automatic copyright and possibly other protection for all their personal data including images, audio etc. This would be bitterly contested by vested interests such as Facebook and by the ‘freedom of information’ cranks. Facebook et al will have to find some alternative for making their data available in such a way that it cannot be used outside a particular group. There is no immediately obvious way to do that, but the Apollo Moon landings were impossible until they happened.

  2. Anonymous

    Not good.  They say they have security and privacy in mind, but then they put the onus on the user to lock everything down.  Bogus, irresponsible policy.  I’m sure they couldn’t care less at FB.

  3. Anonymous

    Just goes to show.  We are simply a commodity for Facebook to make money off of.  It really isn’t surprising when you think about it this way.


  5. Anonymous

    For those who are upset about your data being sold or whatever. Just don’t participate in the Facebook bandwagon. Are we all just going to stop coming out of our houses because bad things happen outside? No matter what you do you cannot escape any of this!

  6. Anonymous

    I hear the same argument made by drug dealers all the time: “Why do you blame us? We’re just filling a need; people want this, if they didn’t, we wouldn’t be here (and there’s a LOT of money in it).” Not an apt comparison? If you think there are no Facebook addicts you don’t know Facebook.

  7. Anonymous

    “For photos or posts of you that have been uploaded by others, you can ask that they be removed from Facebook entirely, or you can untag yourself.”

    Yeah, because Aunt Millie’s an expert on photo untagging.  Yet another forced opt-out scheme.  And people wonder why I have no details in my FB profile.

  8. Anonymous

    An obvious way to circumvent this, if people were of the same mind (ha-ha) is to post bogus information.  If everyone did that, the commercial value of the information would be zip.
