Researchers steal Facebook user data with army of socialbots

By Lee Kaelin on November 2, 2011, 1:30 PM

Researchers at the University of British Columbia, Vancouver used a small array of scripts programmed to pass themselves off as real people to steal 250GB of personal information from Facebook users in just eight weeks.

As part of a study on social network security, they created 102 "socialbots", each given the name and picture of a fictitious person, and used programming interfaces from iheartquotes.com to embed pseudo-random quotes into status updates. They also used Facebook interfaces to send friend requests to around 5,000 randomly chosen profiles.

To avoid triggering fraud detection systems, they limited friendship requests to around 25 per day; within two weeks, 976 of them, or 19-percent, had been accepted. They found that the more of the requests that involved mutual friends, the higher the acceptance rate.

In the second round of friendship requests, 2,079, or 59-percent, of the 3,517 requests sent were accepted, and with further refinements they managed to achieve a success rate of around 80-percent in later rounds of friendship requests.

Once accepted, they sent friend requests to the friends of those new friends and so on, collecting every piece of information as they went, mostly from users sharing personal information with friends only.

Facebook employs a defence known as the Facebook Immune System, designed to automatically flag fake profiles, but the researchers found it did very little to contain the experiment. Only about 20-percent of them were stopped by the tool, mostly as a result of feedback from users who had read the fake profiles' feeds and subsequently reported them.

Facebook declined to comment when asked specifically about the results of the study by the Register, but the company did say: “We use a combination of three systems here to combat attacks like this – friend request and fake account classifiers, and rate-limiting techniques. These classifiers block and disable inauthentic friend requests and fake accounts while rate-limiting truncates the damage that can be done by any one entity.”

Facebook users are reminded to only accept friendship requests from people they know and trust. The researchers will present their findings (PDF) at next month's Annual Computer Security Applications Conference in Orlando, Florida.




User Comments: 14

example1013 said:

Well, color me surprised.

Guest said:

"We use a combination of three systems here to combat attacks like this - friend request and fake account classifiers, and rate-limiting techniques. These classifiers block and disable inauthentic friend requests and fake accounts while rate-limiting truncates the damage that can be done by any one entity."

I believe you, ignore the rest of the article

Guest said:

OH NOES!!!!!!!!!!!!! they have my useless info!!!! what will i ever do?????

Cota said:

The real weakness in here is the people wanting to have more "friends", else just check your "friends" list on any social network, I bet that most of the people have at least 1 person who they don't really know at all!

TomSEA, TechSpot Chancellor, said:

I wonder how much the Facebook games tie into this. I don't play them myself, but from what I understand, the more friends you have, the more items you get in your game. So people accept friend requests from anyone just to build up their game numbers. There's a lady in our office who plays 2-3 of the Facebook games and has over 700 friends. But really only personally knows maybe 30 of them. She could care less about their personal info - and as soon as she accepts some stranger as a friend to build up her gaming stats, immediately blocks their posts from her view.

fimbles said:

Quote "and with further refinements they managed to achieve a success rate of around 80-percent in later rounds of friendship requests"

I'm guessing most Facebook users must be either vain, stupid, or lonely to produce such a staggering figure.

RH00D said:

I'm not "best friends" with everyone on my Facebook friends list but I do know they are real people and I was friends with them at one point in my life if they are on my friends list. The reason people's privacy gets exposed so badly is mostly just because of their own lack of common sense. I'm not saying that's the only reason, just the biggest reason.

Mindwraith said:

oh no! an evil corporation now knows my favorite colour and tv shows, we're doooooomed!

NTAPRO said:

lol I've tried to tell people about this...

DanUK said:

Guest said:

OH NOES!!!!!!!!!!!!! they have my useless info!!!! what will i ever do?????

While it may not be a big deal for you.. looking at some of my friends' profiles, they put like all of their personal details on there. $ waiting to be farmed.

caravel said:

The wolves enter the fold...

Guest said:

Facebook data poorly secured, nothing new here, move along...

lipe123 said:

Guest said:

Facebook data poorly secured, nothing new here, move along...

It doesn't matter if the data required a retinal scan and a 5 million bit encryption key to access if you just open the door to strangers.

Don't blame Facebook because its users are so stupid that they just accept friend requests from anything and anyone.

Guest said:

Just don't put any information on your profile. Your friends should know who you are anyways. Besides, Facebook sells this info to ad companies.
