When Facebook’s Graph Search feature came online, many privacy experts expressed concerns that the feature could be used by phishers to mine data from Facebook users. Trustwave, an online security company, recently created a script called “FBStalker” that has definitely proven that those fears were justified.
It started when an influential public figure in Hong Kong commissioned Trustwave to see if they could get his passwords. Through Facebook’s Graph Search, they were able to ascertain that his wife ran a pilates studio that was hiring. They sent a fake job application to her, and when she opened it, they were able to take her husband’s passwords. That led them to create the FBStalker script, which the company debuted this week at the Hack in the Box security conference in Kuala Lumpur.
The script works by searching for information like photos that two people are tagged in or comments they’ve made. It then uses that data to identify who a person associates with and where they have been, information that could potentially help the script’s runner to hack an individual. Most alarming of all, the script works no matter if an individual has locked down their profile or not. It exploits the entire web of a person’s online relationships, not just their individual profile, making it virtually impossible to stop.
“No one is going to turn back the tide of people posting things to Facebook that potentially could be valuable in somebody else’s hands,” said Jonathan Werrett, a managing consultant with Trustwave. “If you want to walk away with a lesson, the lesson is that even if you’re protecting yourself, what other people are doing with your information, your friendships, your comments and things like that can still be leaked.”