Watch Out for Newly Discovered ‘Chameleon’ Attack that Can Secretly Modify Content on Facebook, Israeli Researchers Warn

January 21, 2020


Users of social media are sobering up about the dangers to their security, especially in the form of cyberattacks. Now researchers at Ben-Gurion University of the Negev (BGU) in Beersheba add a new word of caution for the billions of users of Facebook, Twitter and LinkedIn.

That video or picture you “liked” on social media of a cute pet, your favorite sports team or political candidate can actually be altered in a cyberattack to something completely different, detrimental and potentially criminal, according to cybersecurity researchers at BGU who studied seven online platforms and identified similar serious weaknesses in the management of the posting systems. Although Twitter doesn’t permit changes to posts and, normally, Facebook and LinkedIn indicate that a post has been edited, this new attack overrides that.

“Imagine watching and ‘liking’ a cute kitty video in your Facebook feed, and a day later a friend calls to find out why you ‘liked’ a video of an ISIS execution,” said Dr. Rami Puzis of the university’s department of software and information systems engineering. He and his BGU colleagues will present the Chameleon attack paper at The Web Conference in Taipei, Taiwan on April 20 to 24. “You log back on and find that indeed there’s a ‘like’ there. The repercussions from indicating support by liking something you would never do (Biden vs. Trump, Yankees vs. Red Sox, ISIS vs. US) from employers, friends, family or government enforcement unaware of this social media scam can wreak havoc in just minutes.”

In this new study, which they published on arXiv.org, the researchers explained how they penetrated individual profiles and groups in several experiments and how the Online Social Network (OSN) attack – dubbed “Chameleon” – can be launched.

The attack involves maliciously changing the way content is displayed publicly, without any indication whatsoever that it was changed, until you log back on and see it. The post still retains the same likes and comments. The picture or video in the post changes every time you click on it or refresh the page, within 30 to 60 seconds.

“Adversaries can misuse Chameleon posts to launch multiple types of social network scams. First and foremost, social network Chameleons can be used for shaming or incrimination, as well as to facilitate the creation and management of fake profiles in social networks,” Puzis suggested.

“They can also be used to evade censorship and monitoring, in which a disguised post reveals its true self after being approved by a moderator. Chameleon posts can also be used to unfairly collect social capital (such as posts, likes and links) by first disguising themselves as popular content and then revealing their true selves and retaining the collected interactions,” the researcher added.

Facebook and LinkedIn partially mitigate the problem of modifications made to posts after they are published by displaying an indication that a post was edited. Other OSNs, such as Twitter or Instagram, do not allow published posts to be edited. Nevertheless, the major OSNs (Facebook, Twitter and LinkedIn) allow publishing redirect links, and they support link preview updates. This allows the way a post is displayed to change without any indication that the target content of the URLs has changed.

In Chameleon, the attacker first collects information about the victim. The attacker creates Chameleon posts or profiles that contain the redirect links and attracts the victim’s attention to the Chameleon posts and profiles in a way similar to phishing attacks. The Chameleon content builds trust within the OSN, collects social capital and interacts with the victims.

This phase is very important for the success of targeted and untargeted Chameleon attacks. It is similar to a general cloaking attack on the Web, but the trust users place in the OSN lowers the attack barrier. BGU researchers have informed LinkedIn, Twitter and Facebook about the misuse they found; Facebook and Twitter run open bug-bounty programs, which often pay significant sums for disclosed vulnerabilities so that they can fix bugs and harden their systems.

LinkedIn has an in-house security team, but also accepts reports from outsiders without paying bounties. “Facebook responded that the reported issue ‘appears to describe a phishing attack against Facebook users and infrastructure’ and that ‘such issues do not qualify under our bug bounty program,’” added Puzis.

Twitter acknowledged the problem and stated in an email, “This behavior has been reported to us previously. While it may not be ideal, at this time, we do not believe this poses more of a risk than the ability to tweet a URL of any kind since the content of any web page may also change without warning.” Twitter relies on URL blacklisting implemented within its URL shortener to identify potentially harmful links and “warn users if they are navigating to a known malicious URL.”

The LinkedIn support team was willing to investigate this issue. After receiving further requested details, they started their investigation on December 14, 2019. “We are waiting for updates any day now,” Puzis said.

To reduce the risks, the BGU team recommends users and researchers immediately identify potential Chameleon profiles throughout the OSNs, as well as develop and incorporate redirect reputation mechanisms into machine learning methods for identifying social network misuse. They should also include the Chameleon attack in security awareness programs alongside phishing scams and related scams. “On social media today, people make judgments in seconds, so this is an issue that requires solving, especially before the upcoming U.S. election,” concluded Puzis.
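The redirect-reputation mechanism the BGU team recommends can start from something simple: periodically resolve each redirect link embedded in a post and flag posts whose final target changes after they have gathered interactions. The following is an added illustration, not code from the BGU paper or from the article; the observation format, the `find_chameleons` function and the `.example` hosts are assumptions constructed for this example.

```python
"""Flag posts whose redirect link resolves to a different target over time.

Added example (not from the BGU paper). Assumes a monitor that periodically
follows each redirect link in a post and records the final URL it lands on.
A changed target with unchanged post text is exactly what the OSN's
'edited' indicator does not catch.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    post_id: str
    ts: int       # unix seconds when the link was resolved
    link: str     # redirect URL exactly as published in the post
    target: str   # final URL after following all redirects
    likes: int    # interaction count seen at resolution time


def find_chameleons(observations, min_likes=0):
    """Return {post_id: [(ts, old_target, new_target), ...]} for posts whose
    published link stayed the same but resolved to a new target. min_likes
    limits alerts to posts that had already collected social capital."""
    by_post = defaultdict(list)
    for o in observations:
        by_post[o.post_id].append(o)
    flagged = {}
    for pid, obs in by_post.items():
        obs.sort(key=lambda o: o.ts)
        changes = [
            (cur.ts, prev.target, cur.target)
            for prev, cur in zip(obs, obs[1:])
            if cur.link == prev.link and cur.target != prev.target
            and cur.likes >= min_likes
        ]
        if changes:
            flagged[pid] = changes
    return flagged


# Constructed sample observations (placeholder hosts, not real links).
SAMPLE = [
    Observation("post-A", 1000, "https://short.example/abc", "https://cat-videos.example/kitty", 3),
    Observation("post-A", 2000, "https://short.example/abc", "https://cat-videos.example/kitty", 40),
    Observation("post-A", 3000, "https://short.example/abc", "https://other.example/swap", 41),
    Observation("post-B", 1000, "https://short.example/def", "https://news.example/story", 5),
    Observation("post-B", 2000, "https://short.example/def", "https://news.example/story", 9),
]

if __name__ == "__main__":
    for pid, changes in find_chameleons(SAMPLE).items():
        for ts, old, new in changes:
            print(f"{pid}: redirect target changed at t={ts}: {old} -> {new}")
```

In a real deployment the observations would come from a crawler that records the resolved target of every link preview, and a flagged post would feed the edited-post indicator or a moderation queue.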
