Facebook Graph Search may be a social engineering nightmare

Facebook's new search engine serves up the kind of data that cyber scammers love

Facebook's newly unveiled Graph Search search engine is an intriguing marriage of social networking and big data, creating opportunities for people to easily connect with prospective business partners, customers, friends, dates, and so on. At the same time, it's tough to ignore that Graph Search could be used as an on-tap source of social engineering data, which cyber scammers and malicious hackers could use and abuse in any number of ways.

If you missed Facebook's big announcement about Graph Search, it's basically a Facebook search engine with which you can track down Facebook users who meet particular criteria (say, people who live in Chicago and are software developers). You can also search for pictures or businesses that meet particular criteria (such as "pictures of my friends at Disneyland" or "attorneys that my friends recommend").

Social engineering entails using personal details about a victim (where they work, where they went to school, who they're married to, what their interests are) to gain trust so that you can scam them, hack them, or otherwise take advantage. Hacking competitions in recent years have added social engineering events as the tactic has gained in popularity.

Graph Search appears to be well suited for serving up the very data that a scammer might use to dupe a target. Though Graph Search is not yet available to users, Facebook is offering a glimpse of what its search might yield. Based simply on the outcome of a sample search, I could see how the tool could be used to quickly gather enough personal data about fellow Facebook users to successfully launch social-engineering-style attacks.

For my sample search, I logged in with a bogus Facebook account I created long ago when I was interested in playing admittedly insipid Facebook games -- the ones that require you to have as many Facebook friends as possible in order to advance. I have around 445 friends on this account; I know there are other Facebook game-players with more -- as well as an underground market for such accounts.

I clicked the sample Graph Search search button, and it looked up "people who live in my city." In this case, the city was New York, New York, per my account settings. The search results included a list of 12 people, none of whom I know in real life. As far as I can tell, they are all either Facebook friends or friends of friends. To me, they're all strangers on the Internet.

Accompanying the dozen search results are the users' names and a profile picture, along with such data as where they live, how old they are, where they work or attend school, whether they are in a relationship, what sort of music they like, what interests they have, and the Facebook friends we have in common. All of that data could be used for social-engineering-style chicanery.


Bear in mind, too, that this is a sample search, and I didn't even get to choose the criteria. As Facebook describes Graph Search, you'll be able to perform far more granular searches (searches for pictures with select people or searches for businesses your friends recommend), which can be useful but can also be wielded for potentially more pointed attacks.

Facebook has stressed that the data that shows up in the Graph Search searches is data users have chosen to make public. But keep in mind: A lot of clueless, ignorant, and/or overly trusting users out there don't necessarily know how to protect themselves online, not even in a sandbox like Facebook where security controls aren't that hard to find.

Here's what Facebook had to say about Graph Search and privacy:

When you share something on Facebook, you get to decide exactly who can see that content. This, of course, is why Graph Search is such a powerful experience: A lot of what you will find is content that is not public, but content that someone has shared with a limited audience that happens to include you....

One challenge in particular is worth calling out. Consider the relatively simple Graph Search query, "Photos of Facebook employees." For starters, we make sure that only photos that the owner has shared with the person conducting the search can be seen on the photo results page. But we have also to make sure that each photo features at least one person who has shared with the searcher that they work at Facebook! Otherwise we would implicitly be revealing content that the searcher does not have access to.
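The two-part check Facebook describes above, modelled as an added Python example (not Facebook's code; every person, photo and audience setting below is constructed). Running the query with only the first check shows the inference leak the statement warns about: a searcher learns where someone works without ever having been shown that fact.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Union

Audience = Union[str, Set[str]]  # "public" or an explicit set of viewer names


@dataclass
class Person:
    name: str
    employer: str = None
    employer_audience: Audience = "public"  # who may see the employer field


@dataclass
class Photo:
    photo_id: str
    owner: str
    tagged: List[str]
    audience: Audience  # who the owner shared the photo with


def can_see(audience: Audience, viewer: str) -> bool:
    return audience == "public" or viewer in audience


def photos_of_employees(photos: List[Photo], people: Dict[str, Person],
                        searcher: str, employer: str = "Facebook",
                        strict: bool = True) -> List[str]:
    """Photo ids answering 'Photos of <employer> employees' for `searcher`.

    strict=True applies both checks from the quoted statement; strict=False
    applies only the photo-visibility check and leaks the employer fact.
    """
    results = []
    for photo in photos:
        if not can_see(photo.audience, searcher):
            continue  # check 1: owner has shared the photo with the searcher
        for name in photo.tagged:
            person = people[name]
            if person.employer != employer:
                continue
            if strict and not can_see(person.employer_audience, searcher):
                continue  # check 2: the employer fact itself must be visible
            results.append(photo.photo_id)
            break
    return results


# Constructed sample data: bob shares his employer only with carol.
PEOPLE = {
    "alice": Person("alice", "Facebook", "public"),
    "bob": Person("bob", "Facebook", {"carol"}),
    "dave": Person("dave"),
}
PHOTOS = [
    Photo("p1", "alice", ["alice"], "public"),
    Photo("p2", "dave", ["bob", "dave"], "public"),  # visible photo, hidden fact
    Photo("p3", "bob", ["bob"], {"carol"}),
]
```

For searcher "eve", the strict query returns only p1; without the second check it also returns p2, implicitly telling eve that bob works at Facebook.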

Although it's nice to know that Facebook is aware of the security challenge, one has to wonder whether the company will be able to maintain a handle on keeping private data private with so much data and so many "privacy checks" running in the background.

Graph Search is slated for release this summer, with beta testing opening up to select users in the interim. Time will tell whether privacy and security concerns are warranted.

This story, "Facebook Graph Search may be a social engineering nightmare," was originally published at InfoWorld.com.

Copyright © 2013 IDG Communications, Inc.