Did You Really “Like” That?
January 23, 2020
ZDNet — A new paper, “The Chameleon Attack: Manipulating Content Display in Online Social Media,” has been published by academics from the Ben-Gurion University of the Negev (BGU), which suggests inherent flaws in social networks could give rise to a form of “Chameleon” attack.
The team, made up of Aviad Elyashar, Sagi Uziel, Abigail Paradise, and Dr. Rami Puzis of BGU’s Department of Software and Information Systems Engineering and Cyber Security Research Center, says that weaknesses in how posting systems are used on social media platforms can be exploited to tamper with user activity in a way that could be “completely different, detrimental and potentially criminal.”
“Imagine watching and ‘liking’ a cute kitty video in your Facebook feed and a day later a friend calls to find out why you ‘liked’ a video of an ISIS execution,” says Dr. Rami Puzis. “You log back on and find that indeed there’s a ‘like’ there.”
According to the research, the design flaw — rather than a security vulnerability, it should be noted — means that content, including posts, can be edited and changed without users who may have liked or commented being made aware of any shift.
Content containing redirect links, too, shortened for the purposes of brand management and to account for word count restrictions, may be susceptible and changed without notice.
During experiments, the researchers used the Chameleon method to change publicly-posted videos on Facebook. Comments and like counts stayed the same, but no indication of the alterations was made available to anyone who had previously interacted with the content.
In a hypothetical attack scenario, the researchers say that a target could be selected and reconnaissance across a social network performed. Acceptable posts and links could then be created to build trust with an unaware victim — or group — before the switch is made via a Chameleon attack, quickly altering the target’s viewable likes and comments to relate to other content.
“First and foremost, social network Chameleons can be used for shaming or incrimination, as well as to facilitate the creation and management of fake profiles in social networks,” Puzis says. “They can also be used to evade censorship and monitoring, in which a disguised post reveals its true self after being approved by a moderator.”
Scams come to mind first, but in a world where propaganda, fake news, and troll farming run rampant across social networks — the alleged interference of Russia in the previous U.S. election being a prime example — and given the close ties between our physical and digital identities, these design weaknesses may have serious ramifications for users.
“On social media today, people make judgments in seconds, so this is an issue that requires solving, especially before the upcoming U.S. election,” Dr. Puzis adds.
When contacted by the team, Facebook dismissed any concerns, labeling the issue a phishing attack and stating that “such issues do not qualify under our bug bounty program.”
Both Facebook and LinkedIn, however, have partial mitigation in place, as an icon is displayed when content is edited post-publication.
Twitter said the behavior was reported to the microblogging platform in the past, saying “while it may not be ideal, at this time, we do not believe this poses more of a risk than the ability to tweet a URL of any kind since the content of any web page may also change without warning.”
WhatsApp and Instagram are not generally susceptible to these attacks, whereas Reddit and Flickr may be.
The research will be presented in April at The Web Conference in Taipei, Taiwan.