We’ve all been there: you desperately want to look at someone’s Facebook profile, but whatever you do, they won’t accept your friend request. Worry no longer, because with some trickery you can force anyone to be your friend.
Ars Technica reports how Brazilian researcher Nelson Novaes Neto set out to convince a tough target — a Web security expert he called “SecGirl” — to accept his friendship using social engineering. It worked, and he’s shared his secrets. So here’s how to go about it.
Step 1: Clone an account of someone your target trusts
The first step for Neto was to create a fraudulent Facebook account. He decided to assume the identity of his target’s manager, but there’s no reason it couldn’t just be any other person that your target respects. Once that’s set up, he sent the target a friend request from the copied account.
Step 2: Request friendship with friends of friends of the cloned user
Next, Neto sent friend requests to friends of friends of the target’s manager. That’s 4 degrees out from SecGirl. In total, he sent out 432 requests. In one hour, 24 of those requests were accepted.
Step 3: Move on to friending direct friends of the cloned user
The final step was for Neto to request friendship with direct friends of SecGirl’s manager. That’s friends 3 degrees out from SecGirl. By scouring LinkedIn, he found 436 friends to approach. Within an hour, 14 of them had accepted.
Within seven hours of starting the experiment, SecGirl had accepted the cloned account’s friend request, purely because other people had been conned into vouching for it by becoming its friends. That’s quick. And if a security expert falls for this kind of trick, confirming a friend request from someone she’s already friends with, then most other people will damn well fall for it.
While this sounds pretty fun, it exposes a security threat. Neto explains how, at this stage, it’s possible to take over a legitimate Facebook account using Facebook’s “Three Trusted Friends” password recovery feature. Well, it is if you repeat the process and get the target to accept friend requests from three accounts under your control, at any rate. Neto told Ars Technica:
“People have simply ignored the threat posed by adding a profile without checking if this profile is true. Social networks can be fantastic, but people make mistakes. Privacy is a matter of social responsibility.”
You can keep up with Jamie Condliffe, the author of this post, on Twitter.