Exploiting Facebook data for stealing your friends’ digital identities

Mark Zuckerberg (Justin Sullivan/Getty Images)

DISCLAIMER

All information shared are for educational purposes only. Use these at your own discretion and remember: you are responsible for any damages caused.
The views expressed in this article are my own and do not necessarily reflect the view of other people.
To all the script kiddies out there: I won’t release any plug-and-play script, sorry.

INTRODUCTION

Bad days for Facebook, uh?

This month, both Guardian and New York Times put Facebook in probably the biggest scandal in terms of trust and privacy. Anyway, long story short, Facebook exposed data on 50 million Facebook unaware users to a researcher who worked at Cambridge Analytica, which worked for the Trump campaign. But what it sounds scarier is how Cambridge Analytica got these massive data: it seems that, and I quote the New York Times, “Cambridge paid to acquire the personal information through an outside researcher who, Facebook says, claimed to be collecting it for academic purposes”.

After this scandal, a lot of people start to get a little bit more paranoid and start questioning how effectively Facebook handle their data and for what purposes. Online newspapers and magazines didn’t wait too much and start publishing articles as follow:

Web press starting to inform the readers about how to download your Facebook data.

So, I decided to do my homework: I wanna see what kind of information Facebook know about me.


1) Request and download my Facebook data

This process is very straightforward: once I was logged in, I went to “Settings” and clicked the “Download a copy of your Facebook data” button. Doing that, you will send to Facebook a request for your data and after some minutes (< 15 min. in my case) you’ll receive a notification and your files are ready to download.

Let’s examine them.

Requesting a download of my personal Facebook data.

The file I received was a “.zip” file (350 MB, more or less), I extracted it and opened the “index.htm” file.

This is how it looked like:

My personal Facebook data.

As you can see, it’s full of well-categorized information that you can easily search through the side menu: media contents, messages, applications used, and more.

That’s a lot of data, ain’t it?

Some bad things: I found on Twitter some users that claim to also have received back scary data has shown below (this story also appears on The Hacker News when I was writing this post):

https://twitter.com/dylanmckaynz/status/976368845635035138

Yes, that’s crazy but fortunately it wasn’t my case, I didn’t found any data regarding my phone calls or my SMS sent or received.

“It seems that in older versions of Android when permissions were a lot less strict, the Facebook app took away contact permission at the time of installation that allowed the company access to call and message data automatically.” (The Hacker News)

Besides that, a specific category caught my attention: the Contact Info.

The title of this category is self-explained and in fact, I was able to retrieve the complete list of my Facebook friends with a huge list of my phone’s contacts, containing also old numbers that I don’t have anymore. It could be useful as a personal back-up, but I didn’t get why a lot of my contact has also their personal email address associated with it.

Facebook Contact Info page.

I’m also sure that all of these emails come directly from Facebook and not from my phone’s contact list: I checked every single email and I found on my phone less than 5% of these contacts. So, they came from Facebook.

In fact, Facebook gives you the opportunity to share your email addresses with:

  • everyone
  • just your friends
  • nobody

For most people sharing their personal emails is not an issue, I mean, that’s only an email address, right?

Here’s when my “blackhat personality” came out.


2) Collecting info and start having fun

I wrote down a script to crawl the HTML page and extract all the emails inside it: I was able to find 585 unique emails.

Some of the emails extracted
A note for the readers: more than one email found could point to a single individual (also the “secondary email” can be exposed from Facebook).

After that, I decided to check if some of these emails were been compromised in a previous data breach with the help of haveibeenpwned API. I wrote a simple Python script that can automatically do this check for me.

Querying haveibeenpwned API.

Some results that I found:

  • Unique emails: 585
  • Found on public breaches: 310
  • Not found in public breaches: 275

So, more than 50% of my emails contacts were been already compromised in a previous data breach (or in more than one). Ok, it will be fun.

This is the list of major breaches involved in descending order:

  • Adobe: 83
  • Myspace: 82
  • Dropbox: 34
  • LinkedIn: 19
  • Dailymotion: 17
  • etc…

At this point, let’s go more deeply and start searching for the passwords. I mean, these breaches are public, right? So the passwords need to be somewhere out there.


3) Passwords, passwords, passwords…

Three months ago on r/pwned subreddit appears what was seemed to be the largest aggregate database found in the dark web to date: these files are well organized and contain 1.4 billion clear text credentials and it was 41GB. The data is structured in an alphabetic directory tree fragmented in 1,981 pieces to allow fast searches.

Dump folders structure.
If you need more details about this database check this Medium post. And if you questioning yourself about how to download it, I won’t provide any sources or “howto” guide, sorry.

I transferred it to an external drive and write another Python script to search through it, in order to find some passwords previously compromised. Once again, this script was very simple:

Automating the passwords extraction in Python.

It takes me 15 minutes, more or less, to process all the email addresses found on my Facebook data but it worth the effort: 451 unique pairs of email/password have been found. ¯\_(ツ)_/¯

More than 400 unique pairs of username/password found.

Since some email addresses were found on multiple data breaches, the number of passwords found was greater than the number of emails searched (310 email addresses returned me 451 unique passwords).

I notify a couple of friends about what I found and they admit to me: those passwords found are still used on other platforms. The following picture shows a conversation with a friend of mine about his passwords that I found (we’re both Italians):

A friend of mine confirms that he’s still using a password that I found.

4) Conclusions and open points

  • Avoid sharing personal emails, if not necessary and remember: Facebook is not a safe place for sharing them.
  • Password reusing is a real-life risk. Just stop to use the same simple password everywhere.
  • Learn about 2FA and how to enable (where available).
  • Password managers are not largely-adopted yet, we need to deal with this but you can make the difference and give it a try. There’s a lot of alternative out there (there are both free and paid alternatives).

Thank you for reading it.

If you liked this post, give me back some claps.