Researchers at the University of British Columbia, Vancouver used a small array of scripts programmed to pass themselves off as real people to steal 250GB of personal information from Facebook users in just eight weeks.
As part of a study on social network security they created 102 "socialbots", each with the name and picture of a fictitious person, and used the iheartquotes.com programming interface to embed pseudo-random quotes into status updates. They also used Facebook's own interfaces to send friend requests to around 5,000 randomly chosen profiles.
To avoid triggering fraud detection systems they limited friend requests to around 25 per day; within two weeks 976 of them, or 19 percent, had been accepted. They found that the more mutual friends a request showed, the higher the percentage accepted.
The second round of friend requests saw 2,079, or 59 percent of the 3,517 sent, accepted, and with further refinements they managed to achieve a success rate of around 80 percent in later rounds.
Once accepted, the bots sent friend requests to the friends of those new friends, and so on, collecting every piece of information as they went, mostly data the users had shared with friends only.
Facebook employs a defence known as the Facebook Immune System, designed to automatically flag fake profiles, but the researchers found it did very little to contain the experiment. Only about 20 percent of the bots were stopped by the tool, mostly as a result of users reading the fake profiles' feeds and subsequently reporting them.
Facebook declined to comment when asked specifically about the results of the study by The Register, but the company did say: “We use a combination of three systems here to combat attacks like this – friend request and fake account classifiers, and rate-limiting techniques. These classifiers block and disable inauthentic friend requests and fake accounts while rate-limiting truncates the damage that can be done by any one entity.”
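The study's bots stayed under roughly 25 requests a day precisely so that a rate limit alone would not catch them, which is why the article's defence description pairs rate-limiting with classifiers and user reports. The following added example (not code from the study, The Register or Facebook) scores senders over a constructed friend-request log using exactly those signals; the daily cap, the thresholds and the log format are assumptions.

```python
from collections import defaultdict

# Assumed daily cap; a bot sending 24/day slips under it, so the cap alone is not the detector.
DAILY_CAP = 25
MIN_SAMPLE = 20  # only judge ratios once a sender has sent this many requests

def parse_line(line):
    """Assumed log format: '<ISO timestamp> <sender> <recipient> <mutual friends> <outcome>'."""
    ts, sender, recipient, mutual, outcome = line.split()
    return {"day": ts[:10], "sender": sender, "mutual": int(mutual), "outcome": outcome}

def profile_senders(lines):
    """Aggregate per-sender volume, acceptance, mutual-friend overlap and user reports."""
    stats = defaultdict(lambda: {"per_day": defaultdict(int), "sent": 0,
                                 "accepted": 0, "zero_mutual": 0, "reported": 0})
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        s = stats[r["sender"]]
        s["per_day"][r["day"]] += 1
        s["sent"] += 1
        s["accepted"] += int(r["outcome"] == "accepted")
        s["reported"] += int(r["outcome"] == "reported")
        s["zero_mutual"] += int(r["mutual"] == 0)
    return stats

def score_sender(s):
    """Return (score, reasons); each independent signal adds one point."""
    reasons = []
    if max(s["per_day"].values()) > DAILY_CAP:
        reasons.append("rate_limit")                     # classic rate-limiting signal
    if s["sent"] >= MIN_SAMPLE and s["zero_mutual"] / s["sent"] > 0.8:
        reasons.append("no_mutual_friends")              # cold requests to strangers
    if s["sent"] >= MIN_SAMPLE and s["accepted"] / s["sent"] < 0.3:
        reasons.append("low_acceptance")                 # first-round bot acceptance was ~19%
    if s["reported"] > 0:
        reasons.append("user_reports")                   # what actually caught most bots
    return len(reasons), reasons

def flag_suspects(lines, threshold=2):
    """Senders with at least `threshold` signals, mapped to their reasons."""
    flagged = {}
    for sender, st in profile_senders(lines).items():
        score, reasons = score_sender(st)
        if score >= threshold:
            flagged[sender] = reasons
    return flagged

def build_sample_log():
    """Constructed sample: a bot sending 24 cold requests/day (~20% accepted, one report/day)
    beside a normal user sending a few requests to people with mutual friends."""
    lines = []
    for day in ("2011-10-01", "2011-10-02"):
        for i in range(24):
            outcome = "reported" if i == 23 else ("accepted" if i % 5 == 0 else "pending")
            lines.append(f"{day}T09:{i:02d}:00 bot01 u{day[-2:]}{i:02d} 0 {outcome}")
        for i in range(3):
            lines.append(f"{day}T12:{i:02d}:00 alice u9{day[-2:]}{i} 4 accepted")
    return lines

if __name__ == "__main__":
    print(flag_suspects(build_sample_log()))
```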
Facebook users are reminded to accept friend requests only from people they know and trust. The study's findings (PDF) will be presented at next month's Annual Computer Security Applications Conference in Orlando, Florida.