Recently, social networks such as Facebook have experienced a huge surge in popularity. The amount of personal information stored in these sites calls for appropriate security precautions to protect this data.
In this paper, we describe how we are able to take advantage of a common weakness, namely the fact that an attacker can query the social network for registered e-mail addresses on a large scale. Starting with a list of about 10.4 million email addresses, we were able to automatically identify more than 1.2 million user profiles associated with these addresses. By crawling these profiles, we collect publicly available personal information about each user, which we use for automated profiling (i.e., to enrich the information available from each user).
Finally, we propose a number of mitigation techniques to protect the user’s privacy. We have contacted the most popular providers, who acknowledged the threat and are currently implementing our countermeasures. Facebook in particular fixed the problem in November 2009.