Data can be used to increase effectiveness of brute forcing tools

Jul 29, 2010 15:19 GMT

A security researcher has crawled Facebook's people directory to gather information on users who left their profiles publicly accessible. The data is available for download as a 2.8 GB torrent and can be used to enhance brute force hacking tools.

Facebook's public directory lists the names of people who allowed their profile to be searchable. However, privacy advocates have long argued that for the majority of users this is unintended, because it is the default setting on the social networking website.

Ron Bowes, a security expert who formerly worked at Symantec, thought that such a huge list of names could be useful for creating username lists to be used by brute force account hacking tools. Brute force attacks are automated guessing games that attempt to authenticate against a system with large numbers of username and password combinations.

Theoretically, any list of names and common dictionary words would work as a candidate username or password list. However, using real-life data significantly increases the chances of success of such attacks. Experienced brute force hackers maintain their own fine-tuned lists compiled from data gathered from valuable sources.

And in this context, the data from Facebook's public directory can be very useful. With a custom-coded crawler Bowes managed to mine 171 million names, of which 100 million are unique. He then ran another script against this database to determine the most popular username combinations.

For example, based on a first initial + last name pattern, the top five most popular usernames are jsmith, generated 129369 times, followed by ssmith, skhan, msmith and skumar. For a first name + last initial combination, the most common are johns, johnm, michaelm, michaels and davids. Of course, now anyone can download the whole list and generate whatever patterns their targets are most likely to use.

But, this Facebook directory data crawling effort has other implications as well. "Facebook helpfully informs you that '[a]nyone can opt out of appearing here by changing their Search privacy settings' -- but that doesn't help much anymore considering I already have them all," points out Bowes, on his blog, which was offline at the time of writing this article. "Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details. [...] So, if any searchable user has friends that are non-searchable, those friends just opted into being searched, like it or not! Oops," he also adds.

You can follow the editor on Twitter @lconstantin