Security researchers warn that the names listed in Facebook's people directory can be used to link the corresponding accounts to stolen e-mail addresses and passwords already circulating on the Internet. In a test performed at BitDefender, the information could be matched with an 87% success rate.
A security researcher named Ron Bowes recently released a 2.8 GB database of names gathered from Facebook's people directory. The directory lists everyone who chose to keep their profile searchable, which is the default setting. Bowes explained that such a database of 100 million unique real-life names can be very useful for compiling lists of popular username variations to be fed to brute-force tools.

However, in a post on the Malware City blog, BitDefender's Sabina Datcu reveals that Bowes' database of Facebook names can be put to far worse use: matching Facebook profiles to lists of stolen passwords already leaked on the Internet.
"I didn’t use a specific script, but more of an intuitive-method which I will not explain here because of the obvious security issues that would ensue. By applying this method, I discovered lots of sites where 'warmhearted' anonyms posted all of the goodies: usernames, e-mail addresses and passwords," the BitDefender expert writes in an intentionally vague manner.
The sad reality is that such caches of information stolen via trojans or phishing schemes are not that hard to find on the Internet. And even if that data is old, chances are most of the affected people never found out that their passwords have been compromised.
Ms. Datcu was able to gather some 250,000 usernames and e-mail addresses with associated passwords from various sources in this way. She names so-called online "collaboration tools" and blogs as the most generous Internet hosts of such material.
Since a high percentage of people derive their e-mail addresses or usernames from their real names, matching a significant number of Facebook profiles to the stolen data was not difficult. "The results showed that in 87% (+/- 2%) of cases, the available information (username, which, in some cases is the same as the e-mail address, plus password) can be used in order to access the respective social network accounts. Pretty scary, isn't it?" the researcher writes.
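The two steps the article describes, Bowes' name-to-username variants and Datcu's matching of those against leaked credentials, as an added example that is not code from either researcher or from this article. It derives common username patterns from real names, indexes a credential paste by username and e-mail local part, and reports which names link to a record. The names, the "leaked" records and the variant patterns are all constructed assumptions for the demonstration, and nothing is ever tried against a live service.

```python
"""Link real names to leaked credential records via username variants.

Added example for this article, not code from Bowes, BitDefender or Softpedia.
The directory names, the 'leaked' records and the variant patterns below are
constructed assumptions. No credential is tried against any live service.
"""
from __future__ import annotations

import re
import unicodedata
from collections import defaultdict

# Constructed stand-in for a slice of the Facebook name directory.
DIRECTORY_NAMES = [
    "John Smith",
    "Maria García",
    "Li Wei",
    "Ana-Lucia Ferreira",
    "Peter O'Neil",
]

# Constructed stand-in for a pasted "username:email:password" dump.
# None of these are real accounts.
LEAKED_DUMP = """\
jsmith:john.smith@example.com:Summer2010
mgarcia:maria.garcia@example.net:letmein
weili:li.wei@example.org:qwerty123
pfernandez:p.fernandez@example.com:hunter2
oneilp:peter.oneil@example.com:Password1
"""


def normalize(text: str) -> str:
    """Lowercase, strip accents and keep only a-z ('García' -> 'garcia')."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_text.lower())


def username_variants(full_name: str) -> set[str]:
    """Username patterns people commonly build from a real name.

    Uses only the first and last name token; the pattern list is an
    assumption chosen for this demo, not a measured distribution.
    """
    parts = [normalize(p) for p in re.split(r"[\s\-]+", full_name) if normalize(p)]
    if len(parts) < 2:
        return set(parts)
    first, last = parts[0], parts[-1]
    return {
        first + last,           # johnsmith
        last + first,           # smithjohn
        first + "." + last,     # john.smith
        first[0] + last,        # jsmith
        last + first[0],        # smithj
        first[0] + "." + last,  # j.smith
        first + "_" + last,     # john_smith
    }


def parse_dump(dump: str) -> list[dict]:
    """Parse 'username:email:password' lines; passwords may contain ':'."""
    records = []
    for line in dump.splitlines():
        fields = line.strip().split(":", 2)
        if len(fields) != 3 or "@" not in fields[1]:
            continue  # skip malformed lines rather than guessing
        user, email, password = fields
        records.append({"user": user, "email": email, "password": password})
    return records


def match_names(names: list[str], records: list[dict]) -> dict[str, list[dict]]:
    """Map each name to leaked records whose username or e-mail local part
    equals one of the name's username variants (after normalization)."""
    index: dict[str, list[dict]] = defaultdict(list)
    for rec in records:
        for key in (rec["user"], rec["email"].split("@")[0]):
            index[normalize(key)].append(rec)

    hits: dict[str, list[dict]] = {}
    for name in names:
        seen, found = set(), []
        for key in {normalize(v) for v in username_variants(name)}:
            for rec in index.get(key, []):
                if id(rec) not in seen:  # one record may match via both fields
                    seen.add(id(rec))
                    found.append(rec)
        if found:
            hits[name] = found
    return hits


def match_rate(names: list[str], records: list[dict]) -> float:
    """Fraction of directory names linked to at least one leaked record."""
    return len(match_names(names, records)) / len(names) if names else 0.0


if __name__ == "__main__":
    recs = parse_dump(LEAKED_DUMP)
    for name, linked in match_names(DIRECTORY_NAMES, recs).items():
        print(name, "->", [r["email"] for r in linked])
    print(f"linked {match_rate(DIRECTORY_NAMES, recs):.0%} of names")
```

The same matching is what a site operator can run defensively: feed a public dump through `parse_dump` and match it against the site's own user list, then force password resets for the linked accounts instead of testing whether the leaked passwords still work.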
This is a very interesting experiment, but the methodology used raises some questions. It seems that in order to reach the final conclusion, the BitDefender researcher tested whether the stolen passwords actually work. Such an action might qualify as unauthorized access, even if the intention was to highlight potential security risks.
Whether this has legal implications obviously depends on the legal framework in the country where the research was conducted. But, according to Carole Theriault, a senior security consultant at UK-based antivirus vendor Sophos, there is clearly an interesting ethical question here.
"If you are a researcher, and find usernames and passwords online, is it ethical to see whether they are active by trying one out? The motive behind the action seems key to me," Ms. Theriault wrote in an email to Softpedia. "If the motive is to warn the victims that their details are compromised or to highlight the problem to others, does the good outweigh the harm? If however, you use them in order to take advantage of the victim (financial gain, stealing Identity), it would of course be unethical, and in many countries, illegal," she concluded.