Researchers infiltrate Facebook with bot accounts, make off with 250GB of user information

Mike Wehner, Tecca
Technology News Blog

Facebook and privacy concerns go together like peanut butter and jelly, and a new study by the University of British Columbia Vancouver (UBC) illustrates that the users, rather than the social network, may be at fault. Using a virtual army of fake bot accounts, researchers were able to steal roughly 250GB worth of personal information that could potentially be used for a number of nefarious purposes.

The experiment started with the creation of 102 fake Facebook personas. To flesh out the false identities, the UBC team created an automated program that populated the profiles with names, pictures, and randomized status updates. UBC then set to work adding friends, and despite not being actual people, some bots were able to corral up to 90 social network buddies. The bots were given photos of attractive individuals from the looks rating site Hot or Not to raise the chances of successful friending.

Once the bots had made a connection with the real-life Facebook users, the personal information was ready for harvesting. In all, only 20% of the false profiles were flagged by Facebook's verification system as being a risk, while the rest of the bots continued to gather private data. The victims in this case are safe, as their personal information will not be used for any wrongdoing, but others might not be so lucky.

The researchers believe it's feasible for one person to launch a similar bot attack on their own, yielding a bounty of tasty identity tidbits for fraudulent purposes. The only real way to be safe from such a low-key scam is to friend only people you know and have had positive interactions with. I know it's tempting to click "confirm" on a friend request from a cute blonde or a guy with six-pack abs, but behind that false shell you may find someone looking to steal your identity.

Update: We have a response from a Facebook spokesperson regarding UBC's experiment:

"We use a combination of three systems here to combat attacks like this — friend request and fake account classifiers, rate-limiting techniques and anti-scraping technology. These classifiers block and disable inauthentic friend requests and fake accounts while rate-limiting truncates the damage that can be done by any one entity. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks. We use credible research as part of that process. We have serious concerns about the methodology of the research by the University of British Columbia and we will be putting these concerns to them. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site."


This article originally appeared on Tecca
