Exploiting Facebook data for stealing your friends’ digital identities
All information shared is for educational purposes only. Use it at your own discretion and remember: you are responsible for any damage caused.
The views expressed in this article are my own and do not necessarily reflect the view of other people.
To all the script kiddies out there: I won’t release any plug-and-play script, sorry.
Bad days for Facebook, huh?
This month, both the Guardian and the New York Times put Facebook at the centre of probably the biggest scandal yet in terms of trust and privacy. Long story short: Facebook exposed data on 50 million unaware users to a researcher who worked at Cambridge Analytica, which in turn worked for the Trump campaign. What sounds scarier is how Cambridge Analytica got this massive dataset: it seems that, and I quote the New York Times, “Cambridge paid to acquire the personal information through an outside researcher who, Facebook says, claimed to be collecting it for academic purposes”.
After this scandal, a lot of people started to get a little more paranoid and to question how Facebook actually handles their data and for what purposes. Online newspapers and magazines didn’t wait long and started publishing articles like the following:
So, I decided to do my homework: I want to see what kind of information Facebook knows about me.
1) Request and download my Facebook data
This process is very straightforward: once logged in, I went to “Settings” and clicked the “Download a copy of your Facebook data” button. That sends Facebook a request for your data; after a few minutes (less than 15 in my case) you receive a notification and your files are ready to download.
Let’s examine them.
The file I received was a “.zip” archive (350 MB, more or less); I extracted it and opened the “index.htm” file.
This is how it looked:
As you can see, it is full of well-categorized information that you can easily browse through the side menu: media content, messages, applications used, and more.
That’s a lot of data, isn’t it?
Some bad things: I found on Twitter some users who claim to have also received back scary data, as shown below (this story also appeared on The Hacker News while I was writing this post):
Yes, that’s crazy, but fortunately it wasn’t my case: I didn’t find any data regarding my phone calls or SMS sent or received.
“It seems that in older versions of Android when permissions were a lot less strict, the Facebook app took away contact permission at the time of installation that allowed the company access to call and message data automatically.” (The Hacker News)
Besides that, a specific category caught my attention: the Contact Info.
The title of this category is self-explanatory: in fact, I was able to retrieve the complete list of my Facebook friends, plus a huge list of my phone’s contacts, including old numbers that I no longer have. It could be useful as a personal backup, but I didn’t get why a lot of my contacts also had their personal email address associated with them.
I’m also sure that all of these emails come directly from Facebook and not from my phone’s contact list: I checked every single email and found less than 5% of these contacts on my phone. So, they came from Facebook.
In fact, Facebook gives you the opportunity to share your email addresses with:
- just your friends
For most people, sharing their personal email is not an issue. I mean, it’s only an email address, right?
Here’s when my “blackhat personality” came out.
2) Collecting info and having some fun
I wrote a script to crawl the HTML page and extract all the emails inside it: I was able to find 585 unique emails.
A note for the readers: more than one email found could point to a single individual (the “secondary email” can also be exposed by Facebook).
After that, I decided to check whether some of these emails had been compromised in a previous data breach, with the help of the haveibeenpwned API. I wrote a simple Python script that does this check for me automatically.
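As an added example (this is not the author’s script, which is not shown on the page), here is one way to pull the addresses out of the export’s HTML with only the Python standard library. It reads both visible text and mailto: links, lower-cases and deduplicates what it finds, so an address that appears twice (or with different capitalisation) counts once. SAMPLE_HTML is a constructed stand-in, since the real markup of the Contact Info page is not reproduced here.

```python
"""Extract the unique e-mail addresses from a Facebook data-export HTML page (stdlib only)."""
import re
from html.parser import HTMLParser

# Conservative address pattern: local part, '@', dotted domain with an alphabetic TLD.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _TextAndLinks(HTMLParser):
    """Collects visible text plus every href value, so mailto: links are caught as well."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: &lt; and friends are decoded for us
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value:
                self.chunks.append(value)

    def handle_data(self, data):
        self.chunks.append(data)


def extract_emails(html_text):
    """Return the sorted list of unique, lower-cased addresses found in the HTML."""
    parser = _TextAndLinks()
    parser.feed(html_text)
    parser.close()
    found = set()
    for chunk in parser.chunks:
        for match in EMAIL_RE.findall(chunk):
            found.add(match.lower())    # Alice@Example.com and alice@example.com are one address
    return sorted(found)


def extract_emails_from_file(path):
    """Same, for an on-disk export page (the path is yours to supply)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return extract_emails(fh.read())


# Constructed sample that mimics a contact list; it is not a real Facebook export.
SAMPLE_HTML = """
<html><body><ul>
  <li>Alice Rossi (alice.rossi@example.com)</li>
  <li><a href="mailto:Bob@Example.org">Bob Verdi</a></li>
  <li>Carlo Bianchi (+39 333 1234567)</li>
  <li>Dana Neri &lt;dana@example.net&gt;</li>
  <li>BOB@example.org (secondary)</li>
</ul></body></html>
"""

if __name__ == "__main__":
    for address in extract_emails(SAMPLE_HTML):
        print(address)
```

Run it against the extracted index page or the Contact Info page of your own export; the count of the returned list is the “unique emails” figure below.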
Some results that I found:
- Unique emails: 585
- Found on public breaches: 310
- Not found in public breaches: 275
So, more than 50% of my contacts’ emails had already been compromised in a previous data breach (or in more than one). Ok, this will be fun.
This is the list of the major breaches involved, in descending order:
- Adobe: 83
- Myspace: 82
- Dropbox: 34
- LinkedIn: 19
- Dailymotion: 17
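The breach check and the per-breach tally above, as an added example that is not the author’s script: a small client for the Have I Been Pwned v3 “breachedaccount” endpoint plus a function that deduplicates the addresses, queries each once and returns the found/not-found counts and the breach ranking. The current v3 API requires an API key and a user-agent header (the author’s 2018 check predates that requirement), so the key is an assumption about your own account; a 404 means “no breach”, a 429 means you are over the rate limit. FAKE_RESULTS is a constructed lookup for an offline dry run, not real HIBP data.

```python
"""Check e-mail addresses against the Have I Been Pwned v3 breach API and tally the breaches."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter

# v3 endpoint; the default (truncated) response is a JSON list of {"Name": ...} objects.
API_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{}"


def make_hibp_fetcher(api_key, user_agent="fb-export-audit"):
    """Build fetch(email) -> list of breach names ([] when the address is in no breach).

    The key and user-agent are assumptions about your HIBP account, not values from the post.
    """
    def fetch(email):
        url = API_URL.format(urllib.parse.quote(email))
        req = urllib.request.Request(url, headers={"hibp-api-key": api_key, "user-agent": user_agent})
        while True:
            try:
                with urllib.request.urlopen(req, timeout=30) as resp:
                    return [breach["Name"] for breach in json.load(resp)]
            except urllib.error.HTTPError as err:
                if err.code == 404:            # the API's way of saying "not in any breach"
                    return []
                if err.code == 429:            # rate limited: honour Retry-After, then retry
                    time.sleep(int(err.headers.get("Retry-After", "2")))
                    continue
                raise
    return fetch


def audit_emails(emails, fetch, pause=1.6):
    """Query each distinct address once and return the counts the post tabulates."""
    unique = sorted({e.strip().lower() for e in emails if e.strip()})
    per_email = {}
    tally = Counter()
    for i, email in enumerate(unique):
        breaches = fetch(email)
        per_email[email] = breaches
        tally.update(breaches)
        if pause and i + 1 < len(unique):
            time.sleep(pause)                  # stay under the per-key rate limit
    found = sum(1 for b in per_email.values() if b)
    return {
        "unique": len(unique),
        "found": found,
        "not_found": len(unique) - found,
        "by_breach": tally.most_common(),      # e.g. [("Adobe", 83), ("Myspace", 82), ...]
        "per_email": per_email,
    }


# Constructed lookup used for an offline dry run; these are not real HIBP results.
FAKE_RESULTS = {
    "alice@example.com": ["Adobe", "LinkedIn"],
    "bob@example.org": ["Adobe"],
    "dana@example.net": [],
}


def fake_fetch(email):
    return FAKE_RESULTS.get(email, [])


if __name__ == "__main__":
    # Real run: report = audit_emails(emails, make_hibp_fetcher("YOUR-API-KEY"))
    report = audit_emails(["Alice@Example.com ", "bob@example.org", "dana@example.net"], fake_fetch, pause=0)
    print(report["unique"], report["found"], report["not_found"], report["by_breach"])
```

Pass the list produced by the extraction step as `emails`; the `pause` keeps a few hundred lookups comfortably inside the rate limit, and the `per_email` map is what feeds the password search in the next step.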
At this point, let’s go deeper and start searching for the passwords. I mean, these breaches are public, right? So the passwords must be somewhere out there.
3) Passwords, passwords, passwords…
Three months ago, what seemed to be the largest aggregate database found on the dark web to date appeared on the r/pwned subreddit: the files are well organized and contain 1.4 billion clear-text credentials in 41 GB. The data is structured in an alphabetic directory tree fragmented into 1,981 pieces to allow fast searches.
If you need more details about this database, check this Medium post. And if you are wondering how to download it, I won’t provide any sources or “how-to” guide, sorry.
I transferred it to an external drive and wrote another Python script to search through it, in order to find some previously compromised passwords. Once again, this script was very simple:
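An added example of such a searcher (not the author’s script, which the page does not reproduce): it walks a directory tree of `email:password` files, matches a target set, reads in binary because dumps are rarely clean UTF-8, splits on the first colon only so passwords containing colons survive, and deduplicates pairs. The optional first-character pruning assumes the top-level directories are named by the first character of the address, which is an assumption about the “alphabetic directory tree” layout rather than something verified here; the sample tree is constructed, not taken from any real dump.

```python
"""Search a directory tree of colon-separated credential files for a set of target addresses."""
import os
import tempfile
from collections import defaultdict


def parse_line(raw):
    """Split one 'email:password' record; returns (email, password) or None for junk lines."""
    line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    if ":" not in line:
        return None
    email, password = line.split(":", 1)      # passwords may themselves contain ':'
    email = email.strip().lower()
    if "@" not in email or not password:
        return None
    return email, password


def search_dump(root, targets, prune_by_first_char=False):
    """Walk every file under root and return {email: sorted unique passwords} for matches."""
    wanted = {t.strip().lower() for t in targets if t.strip()}
    first_chars = {w[0] for w in wanted}
    hits = defaultdict(set)
    for dirpath, dirs, files in os.walk(root):
        if prune_by_first_char and dirpath == root:
            # Assumed layout: top-level dirs named by first character; skips shards we don't need.
            dirs[:] = [d for d in dirs if d[:1].lower() in first_chars]
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:   # binary: tolerate bad bytes
                for raw in fh:
                    rec = parse_line(raw)
                    if rec and rec[0] in wanted:
                        hits[rec[0]].add(rec[1])
    return {email: sorted(pw) for email, pw in hits.items()}


def summarize(hits):
    """Counts matching the post's 'emails with hits' and 'unique email/password pairs'."""
    return {"emails_with_hits": len(hits), "unique_pairs": sum(len(pw) for pw in hits.values())}


# Constructed sample tree; none of these records come from a real dump.
SAMPLE_RECORDS = {
    os.path.join("a", "al.txt"): b"alice@example.com:hunter2\nalice@example.com:Password1\n"
                                 b"alice@example.com:hunter2\nanna@example.org:qwerty\n"
                                 b"this line has no separator\nnotanemail:pw\n",
    os.path.join("b", "bo.txt"): b"bob@example.org:correct:horse:battery\n",
    os.path.join("d", "da.txt"): b"dana@example.net:p\xe4ss\n",            # invalid UTF-8 byte
    os.path.join("z", "zz.txt"): b"ALICE@example.com:leaked-in-other-shard\n",  # misfiled shard
}


def build_sample_dump(root):
    for rel, data in SAMPLE_RECORDS.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp dir and search it with and without pruning."""
    targets = ["alice@example.com", "bob@example.org", "dana@example.net", "nobody@example.com"]
    with tempfile.TemporaryDirectory() as root:
        build_sample_dump(root)
        full = search_dump(root, targets)
        pruned = search_dump(root, targets, prune_by_first_char=True)
    return {"full": full, "pruned": pruned, "summary": summarize(full)}


if __name__ == "__main__":
    result = demo()
    print(result["summary"], result["full"])
```

Point `search_dump` at the mounted drive and pass the addresses HIBP flagged; the `pruned` result in the demo shows the cost of the layout assumption: a record filed under the wrong shard is simply never read.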
It took me 15 minutes, more or less, to process all the email addresses found in my Facebook data, but it was worth the effort: 451 unique email/password pairs were found. ¯\_(ツ)_/¯
Since some email addresses appeared in multiple data breaches, the number of passwords found was greater than the number of emails searched (310 email addresses returned 451 unique passwords).
I notified a couple of friends about what I found and they admitted to me that the passwords I found are still in use on other platforms. The following picture shows a conversation with a friend of mine about his passwords that I found (we’re both Italian):
4) Conclusions and open points
- Avoid sharing personal emails if not necessary, and remember: Facebook is not a safe place for sharing them.
- Password reuse is a real-life risk. Just stop using the same simple password everywhere.
- Learn about 2FA and how to enable it (where available).
- Password managers are not widely adopted yet; we need to deal with this, but you can make the difference and give one a try. There are plenty of alternatives out there (both free and paid).