Robots can easily pass as real users on Facebook, allowing them to befriend real humans and mine personal information such as birthdates, addresses and phone numbers, Canadian researchers have found.
Such information can be used for malicious purposes such as committing identity theft.
About a hundred Facebook profiles automatically generated by a computer program managed to "befriend" over 3,000 users over eight weeks, reports a University of British Columbia study being presented in December at the Computer Security Applications Conference in Orlando, Fla. The fake profiles were used to collect personal information from about a million users, including "friends" and "friends-of-friends."
Matei Ripeanu, an associate professor in electrical and computer engineering at UBC who co-authored the paper, said his team has indications that similar automated networks are already at work on social networks such as Facebook.
"They are even for sale in various environments," he said in an interview.
Ripeanu added that the goal of the study was to understand the measures that could be taken to prevent that kind of infiltration and how to protect users against such entities.
What is a captcha?
Captchas are automated tests designed to distinguish real humans from automated systems on the internet. The test involves viewing a series of distorted letters and numbers and then typing them into a box. Traditionally, humans have been much better at identifying such letters and numbers than computers.
In order to do that, they created a network of 102 socialbots controlled by a "bot master." The fake Facebook profiles were generated using images and other content, such as links, on the internet. The robots "friended" each other and posted links on their own and their friends' walls.
"They try to look like normal profiles," Ripeanu said.
The socialbots also sent friend requests to random Facebook users, who accepted their requests about 20 per cent of the time. Later, the socialbots targeted users who had friends in common with them. In those cases, their friend requests were accepted up to 80 per cent of the time.
"Once we have five friends in common, people don't check anymore whether I am a real person or not," Ripeanu said.
Yazan Boshmaf, a PhD student and the lead author on the paper, said that in practice the socialbots could collect anything that Facebook users could see on their friends' profiles, but focused on sensitive information such as names, birthdates, gender, email address, physical address and employer information.
The study found that if a socialbot sent 25 friend requests a day — few enough that they did not trigger security measures such as captchas — each one could collect an average of 175 new chunks of data per day, such as birth dates, school names and email addresses.
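The request pattern described above (a steady, throttled stream of requests to strangers, followed by requests to friends-of-friends with a much higher acceptance rate) leaves a measurable footprint in a platform's own friend-request logs. The following is an added illustration, not code from the UBC study or from Facebook: it builds a constructed log that reproduces the article's figures (25 requests a day, about 20 per cent acceptance from strangers, about 80 per cent from users with mutual friends), computes per-sender features from it, and flags senders whose behaviour matches that footprint. The thresholds and the account names are assumptions made for the example.

```python
"""Toy detector for the socialbot friend-request pattern the article describes.

Added illustration using constructed data. Not code from the UBC study, from
Facebook, or from the Facebook Immune System; thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FriendRequest:
    day: int             # day within the observation window (1-based)
    sender: str          # account that sent the request
    recipient: str       # account that received it
    mutual_friends: int  # friends the two accounts already share
    accepted: bool       # whether the recipient accepted


def build_sample_log() -> List[FriendRequest]:
    """Constructed log mirroring the article's numbers (assumed account names)."""
    log: List[FriendRequest] = []
    # Days 1-3: "bot-1" sends 25 requests/day to strangers; 1 in 5 accepts (20%).
    for day in range(1, 4):
        for i in range(25):
            log.append(FriendRequest(day, "bot-1", f"stranger-{day}-{i}", 0, i % 5 == 0))
    # Day 4: "bot-1" targets users with mutual friends; 4 in 5 accept (80%).
    for i in range(25):
        log.append(FriendRequest(4, "bot-1", f"fof-{i}", 3, i % 5 != 0))
    # "human-1": a handful of requests, mostly to people with shared friends.
    log += [
        FriendRequest(1, "human-1", "colleague-a", 4, True),
        FriendRequest(1, "human-1", "colleague-b", 2, True),
        FriendRequest(1, "human-1", "cousin", 6, True),
        FriendRequest(2, "human-1", "stranger-x", 0, False),
    ]
    return log


def _acceptance_rate(reqs: List[FriendRequest]) -> float:
    return sum(r.accepted for r in reqs) / len(reqs) if reqs else 0.0


def sender_features(log: List[FriendRequest]) -> Dict[str, Dict[str, float]]:
    """Per-sender volume and acceptance features derived from the request log."""
    by_sender: Dict[str, List[FriendRequest]] = defaultdict(list)
    for r in log:
        by_sender[r.sender].append(r)
    feats: Dict[str, Dict[str, float]] = {}
    for sender, reqs in by_sender.items():
        days = {r.day for r in reqs}
        strangers = [r for r in reqs if r.mutual_friends == 0]
        known = [r for r in reqs if r.mutual_friends > 0]
        feats[sender] = {
            "days_active": len(days),
            "requests_per_day": len(reqs) / len(days),
            "stranger_fraction": len(strangers) / len(reqs),
            "stranger_accept_rate": _acceptance_rate(strangers),
            "mutual_accept_rate": _acceptance_rate(known),
        }
    return feats


# Assumed thresholds for the example; a real system would tune these on its own data.
MIN_REQUESTS_PER_DAY = 10.0
MIN_STRANGER_FRACTION = 0.5
MIN_DAYS_ACTIVE = 2


def flag_suspicious(feats: Dict[str, Dict[str, float]]) -> List[str]:
    """Senders that sustain a high daily request volume aimed mostly at strangers."""
    return sorted(
        s for s, f in feats.items()
        if f["days_active"] >= MIN_DAYS_ACTIVE
        and f["requests_per_day"] >= MIN_REQUESTS_PER_DAY
        and f["stranger_fraction"] >= MIN_STRANGER_FRACTION
    )


if __name__ == "__main__":
    features = sender_features(build_sample_log())
    for sender, f in features.items():
        print(sender, {k: round(v, 2) for k, v in f.items()})
    print("flagged:", flag_suspicious(features))
```

Two points follow from the article's own figures. A per-day volume cap on its own is what the 25-requests-a-day throttle was chosen to slip under, so the fraction of requests aimed at accounts with no mutual friends, sustained over several days, is the feature that separates the constructed bot from the constructed human here. And since the only accounts blocked during the experiment were those that users reported as spam, a behavioural score like this one is a complement to user reports rather than a replacement for them.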
Boshmaf said the design of the experiment was approved by the university's ethics board. The collected information was strongly encrypted, anonymized and completely deleted after data analysis to protect the users' personal information.
The researchers said they informed Facebook of their study while it was ongoing and kept in touch regularly.
Facebook did not respond to a request from CBC News to comment about the study.
Facebook Immune System ineffective: researchers
While Facebook has a "Facebook Immune System" designed to protect users from malicious activities, it did not appear effective in detecting the socialbots used in the experiment, the researchers found.
Only 20 of the 102 profiles were blocked by Facebook over the course of the eight-week experiment. They were all "female" accounts and were blocked because Facebook users had flagged them as spam.
The researchers warned that fake accounts are one of the main vulnerabilities that could allow a person running a socialbot network to infiltrate a social network such as Facebook.
However, Ripeanu expressed sympathy for the challenge faced by companies such as Facebook.
"They don't have an easy job to do," he said. He noted that extra security measures such as captchas could stymie bots, but would "hurt their normal users as well" and discourage users from interacting as much on the social network.
Researchers had hoped to notify affected users
Ripeanu said the researchers hope to contact users that the socialbots had befriended on Facebook. They want to disclose the nature of the experiment and ask those users why they had decided to accept friend requests from strangers.
However, late last week, after the experiment started getting media attention, Facebook blocked 80 per cent of the socialbot accounts, he said, which will make contacting the affected users more difficult.
Graham Cluley, a senior technology consultant with the internet security company Sophos, wrote on the company's Naked Security blog that "Facebook's security team is unlikely to look kindly on people who conduct experiments" like the UBC study. He added that under Facebook's terms of service, people are not allowed to create fake profiles.
Facebook explicitly bans providing "false personal information" and using "automated means" to collect users' content or information.
However, Cluley said the study "certainly presents an interesting illustration of just how easy it would be to automate identity theft on Facebook."