If you're one of the billions of users currently registered on the social networking website Facebook, your privacy could be in question. Researchers from the University of Pittsburgh say privacy settings do little to deter hackers from accessing private information, thanks to Facebook's "mutual-friends" feature.

"It is important to understand all possible privacy threats to users of social networking sites so that appropriate mechanisms can be developed," said lead researcher James Joshi, Ph.D., associate professor in the Pittsburgh School of Information Sciences.

"This work of ours is an effort to comprehensively understand such threats related to the mutual-friend feature so that appropriate measures can be taken."

Joshi, along with fellow researchers Mohd Anwar and Lei Jin from the University of Pittsburgh, used a publicly shared Facebook dataset that included 63,731 users from the New Orleans area.

The research team identified three types of attacks that could occur due to loose privacy settings:

1. "Friend exposure attack" - how many private friends could be found through one user.

2. "Distant neighbor exposure attack" - how many friends of friends (two degrees of separation) can be found through a single user.

3. "Hybrid attack" - how many private friends and friends of friends can be found.

Researchers used computer simulation to test 10 randomly assigned user groups with Facebook friends lists ranging between 500 and 5000 friends. Results of their analysis showed that an attacker could acquire basic information from over 60 percent of a single user's private friends and from 67 percent of friends of friends.

"Being able to see mutual friends may allow one to find out important and private social connections of a targeted user," Joshi explained.

"An attacker can infer such information as political affiliations or private information that could be socially embarrassing. More importantly, the information that's gathered could be used, in combination with other background information about the targeted user, to create false identities that appear even more authentic than the actual user."

Joshi and his colleagues advocate improving the privacy protection settings on Facebook while making them easier to use. When settings are too complicated, users tend to ignore them altogether, leaving their Facebook page vulnerable to a hacker.

"Oftentimes, mutual-friends features have not been created in tandem with privacy setting designs, and inadequate thought with regard to security and privacy issues has been given," Joshi added.

"With such a huge user base in such systems, a minor privacy breach can have a significant impact."

To access this study, visit the April 22 edition of the online journal Computers & Security.


Joshi J, Anwar M, Jun L. Mutual-friend based attacks in social network systems. Computers & Security. 2013.