A team of security researchers has created a tool called “Facebook Pwn” which could be used to acquire profile data that would otherwise have been accessible only to those on the user’s friend list. One of its developers calls it a “Facebook Profile Dumper”, and the implications for its use are downright disturbing.
Basically, all the attacker needs to do in order to use the tool is create a new Facebook account and choose a target. The tool will then proceed to befriend all those in the target’s friend list. Once done, the tool will then ‘clone’ one of the target’s friends, chosen by the attacker, and copy the said friend’s profile picture and name.
Only then will the tool send a friend request to the main target’s account. With a familiar name and a familiar picture, as well as a host of mutual friends, the target is much more likely to approve the friend request.
The tool will then begin to download all possible content from the victim’s profile, including personal data, pictures, tags, posts, and more. Even if the user notices that the account was fake and unfriends the account after a short while, it will be ineffectual because the tool will have already gotten what the attacker needs.
The tool is currently up for download and will no doubt be abused by scammers as it makes social engineering much easier. The developers said that Facebook Pwn was merely a ‘proof of concept’, adding the disclaimer that it should be used only at one’s own risk and a reminder that it should not be ‘abused’. Ahmed Saafan, one of those behind Facebook Pwn, claims that their goal in releasing such a tool is to make people realize the implications of their actions online. Saafan claims that accepting friend requests without manually verifying the person’s identity is an example of ‘wrong actions’ that people do online.
Saafan also hopes that their tool will catch the attention of Facebook and make the site realize the shortcomings of its verification process. “From Facebook’s perspective, I think Facebook should have a more strict policy for verifying that people are who they claim to be, and filter out fake or impersonating accounts”, wrote Saafan.
Still, though it was with good intentions that they released the tool, the risk to which Facebook Pwn exposes regular Facebook users is undeniable. Attackers can use the info they find through this tool to make phishing attempts more effective, and that’s not even the worst of it. The only defense that we can really have is to be extra vigilant about whom we add as friends.