New Privacy Threats for Facebook and Twitter Users

With around 1 billion active users, Facebook and Twitter are two of the most famous social networking websites. One particular aspect of these social networks widely discussed in the news and heavily researched in academic circles is the privacy of their users. In this paper we introduce six new privacy leaks in Facebook and Twitter. First, we reveal how an attacker can map users email addresses to their real names using Facebook´s account recovery service. This mapping helps an attacker accumulate more information about the holder of an email address which could then be used to launch targeted spam attacks. Second, we introduce how an attacker can reconstruct the friend list of a victim on Facebook, even though that user´s privacy setting does not allow the attacker to explicitly view the victim´s friend list. Third, we show the additional privacy leaks due to the introduction of Facebook´s Timeline. Fourth, we show how the unprecedented connectivity offered by social plugins breaches a user´s privacy. Fifth, we introduce the social network relay attacks. Sixth, we show how an attacker can permanently withhold a victim´s Facebook account after the first take over. Moreover, we propose solutions for each of these privacy leaks.