Exploiting Users' Inconsistent Preferences in Online Social Networks to Discover Private Friendship Links

In a social network system, a friendship relation between two users is usually represented by an undirected link and it is visible in both users' friend lists. Such a dual visibility of a friendship link may raise privacy threats. This is because both the users of a friendship link can separately control its visibility to other users and their preferences of sharing such a friendship link may not be consistent. Even if one of them conceals the friendship link from a third user, that third user may find the link through the other user's friend list. In addition, as most social network users allow their friends to see their friend lists, an adversary can exploit these inconsistent policies caused by users' conflicting preferences to identify and infer many of a targeted user's friends and even reconstruct the topology of an entire social network. In this paper, we propose, characterize and evaluate such an attack referred as the Friendship Identification and Inference (FII) attack. In an FII attack scenario, an adversary first accumulates the initial attack relevant information based on the friend lists visible to him in a social network. Then, he utilizes this information to identify and infer a target's friends using a random walk based approach. We formally define the attack and present the attack steps, the attack algorithm and various attack schemes. Our experimental results using three real social network datasets show that FII attacks are effective in inferring private friendship links of a target and predicting the topology of the social network. Currently, most popular social network systems, such as Facebook, LinkedIn and Foursquare, are susceptible to FII attacks.