Hello, Facebook! Here is the Stalkers’ Paradise!: Design and analysis of enumeration attack using phone numbers on Facebook

Jinwoo Kim; Kuyju Kim; Junsung Cho; Hyoungshick Kim; Sebastian Schrittwieser

doi:10.1007/978-3-319-72359-4_41

Hello, Facebook! Here is the Stalkers’ Paradise! Design and analysis of enumeration attack using phone numbers on Facebook

Jinwoo Kim, Kuyju Kim, Junsung Cho, Hyoungshick Kim, Sebastian Schrittwieser

Department of Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

7 Scopus citations

Abstract

We introduce a new privacy issue on Facebook. We were motivated by the Facebook’s search option, which exposes a user profile with his or her phone number. Based on this search option, we developed a method to automatically collect Facebook users’ personal data (e.g., phone number, location and birthday) by enumerating the possibly almost entire phone number range for the target area. To show the feasibility, we launched attacks for targeting the users who live in two specific regions (United States and South Korea) by mimicking real users’ search activities with three sybil accounts. Despite Facebook’s best efforts to stop such attempts from crawling users’ data with several security practices, 214,705 phone numbers were successfully tested and 25,518 actual users’ personal data were obtained within 15 days in California, United States; 215,679 phone numbers were also tested and 56,564 actual users’ personal data were obtained in South Korea. To prevent such attacks, we recommend several practical defense mechanisms.

Original language	English
Title of host publication	Information Security Practice and Experience - 13th International Conference, ISPEC 2017, Proceedings
Editors	Joseph K. Liu, Pierangela Samarati
Publisher	Springer Verlag
Pages	663-677
Number of pages	15
ISBN (Print)	9783319723587
DOIs	https://doi.org/10.1007/978-3-319-72359-4_41
State	Published - 2017
Event	13th International Conference on Information Security Practice and Experience, ISPEC 2017 - Melbourne, Australia Duration: 13 Dec 2017 → 15 Dec 2017

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10701 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	13th International Conference on Information Security Practice and Experience, ISPEC 2017
Country/Territory	Australia
City	Melbourne
Period	13/12/17 → 15/12/17

Keywords

Enumeration attack
Facebook
Information leakage
Privacy
User profile

Access to Document

10.1007/978-3-319-72359-4_41

Cite this

Kim, J., Kim, K., Cho, J., Kim, H., & Schrittwieser, S. (2017). Hello, Facebook! Here is the Stalkers’ Paradise! Design and analysis of enumeration attack using phone numbers on Facebook. In J. K. Liu, & P. Samarati (Eds.), Information Security Practice and Experience - 13th International Conference, ISPEC 2017, Proceedings (pp. 663-677). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10701 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-72359-4_41

Kim, Jinwoo ; Kim, Kuyju ; Cho, Junsung et al. / Hello, Facebook! Here is the Stalkers’ Paradise! Design and analysis of enumeration attack using phone numbers on Facebook. Information Security Practice and Experience - 13th International Conference, ISPEC 2017, Proceedings. editor / Joseph K. Liu ; Pierangela Samarati. Springer Verlag, 2017. pp. 663-677 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{74f7edeed6da453b86dc939358559151,

title = "Hello, Facebook! Here is the Stalkers{\textquoteright} Paradise!: Design and analysis of enumeration attack using phone numbers on Facebook",

abstract = "We introduce a new privacy issue on Facebook. We were motivated by the Facebook{\textquoteright}s search option, which exposes a user profile with his or her phone number. Based on this search option, we developed a method to automatically collect Facebook users{\textquoteright} personal data (e.g., phone number, location and birthday) by enumerating the possibly almost entire phone number range for the target area. To show the feasibility, we launched attacks for targeting the users who live in two specific regions (United States and South Korea) by mimicking real users{\textquoteright} search activities with three sybil accounts. Despite Facebook{\textquoteright}s best efforts to stop such attempts from crawling users{\textquoteright} data with several security practices, 214,705 phone numbers were successfully tested and 25,518 actual users{\textquoteright} personal data were obtained within 15 days in California, United States; 215,679 phone numbers were also tested and 56,564 actual users{\textquoteright} personal data were obtained in South Korea. To prevent such attacks, we recommend several practical defense mechanisms.",

keywords = "Enumeration attack, Facebook, Information leakage, Privacy, User profile",

author = "Jinwoo Kim and Kuyju Kim and Junsung Cho and Hyoungshick Kim and Sebastian Schrittwieser",

note = "Publisher Copyright: {\textcopyright} 2017, Springer International Publishing AG.; 13th International Conference on Information Security Practice and Experience, ISPEC 2017 ; Conference date: 13-12-2017 Through 15-12-2017",

year = "2017",

doi = "10.1007/978-3-319-72359-4\_41",

language = "English",

isbn = "9783319723587",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "663--677",

editor = "Liu, \{Joseph K.\} and Pierangela Samarati",

booktitle = "Information Security Practice and Experience - 13th International Conference, ISPEC 2017, Proceedings",

}

Kim, J, Kim, K, Cho, J, Kim, H & Schrittwieser, S 2017, Hello, Facebook! Here is the Stalkers’ Paradise! Design and analysis of enumeration attack using phone numbers on Facebook. in JK Liu & P Samarati (eds), Information Security Practice and Experience - 13th International Conference, ISPEC 2017, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10701 LNCS, Springer Verlag, pp. 663-677, 13th International Conference on Information Security Practice and Experience, ISPEC 2017, Melbourne, Australia, 13/12/17. https://doi.org/10.1007/978-3-319-72359-4_41

Hello, Facebook! Here is the Stalkers’ Paradise! Design and analysis of enumeration attack using phone numbers on Facebook. / Kim, Jinwoo; Kim, Kuyju; Cho, Junsung et al.
Information Security Practice and Experience - 13th International Conference, ISPEC 2017, Proceedings. ed. / Joseph K. Liu; Pierangela Samarati. Springer Verlag, 2017. p. 663-677 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10701 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Hello, Facebook! Here is the Stalkers’ Paradise!

T2 - 13th International Conference on Information Security Practice and Experience, ISPEC 2017

AU - Kim, Jinwoo

AU - Kim, Kuyju

AU - Cho, Junsung

AU - Kim, Hyoungshick

AU - Schrittwieser, Sebastian

PY - 2017

Y1 - 2017

N2 - We introduce a new privacy issue on Facebook. We were motivated by the Facebook’s search option, which exposes a user profile with his or her phone number. Based on this search option, we developed a method to automatically collect Facebook users’ personal data (e.g., phone number, location and birthday) by enumerating the possibly almost entire phone number range for the target area. To show the feasibility, we launched attacks for targeting the users who live in two specific regions (United States and South Korea) by mimicking real users’ search activities with three sybil accounts. Despite Facebook’s best efforts to stop such attempts from crawling users’ data with several security practices, 214,705 phone numbers were successfully tested and 25,518 actual users’ personal data were obtained within 15 days in California, United States; 215,679 phone numbers were also tested and 56,564 actual users’ personal data were obtained in South Korea. To prevent such attacks, we recommend several practical defense mechanisms.

AB - We introduce a new privacy issue on Facebook. We were motivated by the Facebook’s search option, which exposes a user profile with his or her phone number. Based on this search option, we developed a method to automatically collect Facebook users’ personal data (e.g., phone number, location and birthday) by enumerating the possibly almost entire phone number range for the target area. To show the feasibility, we launched attacks for targeting the users who live in two specific regions (United States and South Korea) by mimicking real users’ search activities with three sybil accounts. Despite Facebook’s best efforts to stop such attempts from crawling users’ data with several security practices, 214,705 phone numbers were successfully tested and 25,518 actual users’ personal data were obtained within 15 days in California, United States; 215,679 phone numbers were also tested and 56,564 actual users’ personal data were obtained in South Korea. To prevent such attacks, we recommend several practical defense mechanisms.

KW - Enumeration attack

KW - Facebook

KW - Information leakage

KW - Privacy

KW - User profile

UR - https://www.scopus.com/pages/publications/85038095282

U2 - 10.1007/978-3-319-72359-4_41

DO - 10.1007/978-3-319-72359-4_41

M3 - Conference contribution

AN - SCOPUS:85038095282

SN - 9783319723587

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 663

EP - 677

BT - Information Security Practice and Experience - 13th International Conference, ISPEC 2017, Proceedings

A2 - Liu, Joseph K.

A2 - Samarati, Pierangela

PB - Springer Verlag

Y2 - 13 December 2017 through 15 December 2017

ER -

Kim J, Kim K, Cho J, Kim H, Schrittwieser S. Hello, Facebook! Here is the Stalkers’ Paradise! Design and analysis of enumeration attack using phone numbers on Facebook. In Liu JK, Samarati P, editors, Information Security Practice and Experience - 13th International Conference, ISPEC 2017, Proceedings. Springer Verlag. 2017. p. 663-677. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-72359-4_41