I read about Formspring in the New York Times, which described the site as a “fast-growing social network that lets people ask each other personal questions and then has others answer them.” Doesn’t this sound like a goldmine of information for attackers? Having briefly toured the Formspring site, I’ve come to appreciate the changing norms of Internet privacy and confirmed that we’re headed for troubled waters.
Teens and Privacy on the Internet
What personal details are considered private on the Internet is rapidly changing. We increasingly reveal information about our jobs, families and interests on social networking sites, photo galleries, blogs, and so on. This means that on-line scammers have an increasing wealth of information to use for social engineering and password-reset attacks.
The group that’s truly influencing societal norms regarding privacy on the Internet is teenagers. They are using various public forums to exchange uncensored free-form banter without considering the long-term repercussions of having their conversations archived and searchable forever. As these teens grow up and take on professional personae, more personal information will be available about them than about the current generations of professionals on the web.
Formspring’s Questions and Answers
Unlike professionally-focused Q&A sites, such as Quora, Formspring encourages its users to ask and answer deeply personal questions. When a new user signs up, he is presented with a list of questions to “seed” his profile, such as:
- Who’s the most overrated musician?
- What video game have you played the most?
- What’s the furthest you’ve ever traveled?
By default, the answers the person provides are public. The user can change the privacy settings, but I suspect many people don’t even think about this.
Formspring users can search the site for other people using the “Find Friends” feature, which supports searching by username, email and name.
According to The New York Times, “20 million people have signed up for the site and nearly two billion answers to questions have been posted through the Web site.” As far as I could tell by randomly sampling a few public profiles and reading the Q&A streams, many—if not most—of the users are teens.
How Formspring Data Could Be Misused
An attacker can use the “Find Friends” feature to locate profiles of targeted individuals, or might create a script to mine data in bulk. Furthermore, the attacker doesn’t need to be a registered Formspring user to view public profiles, if he knows the victim’s Formspring username.
The collected details could be used to target people using social engineering techniques. Moreover, many of the questions answered by users of Formspring are similar to those used for resetting forgotten passwords. Here are a few examples from various public profiles:
Implications for Information Security
When designing security systems, we are making assumptions regarding personal details and related data that is only known to the user. For instance, many applications provide a secondary login mechanism by asking the person for “private” details, such as his favorite color, flower or restaurant. However, privacy norms are changing rapidly. What was once private will soon be public. We need to anticipate this change and adjust our security mechanisms in anticipation of the increased transparency of people’s once-personal information.
If you found this useful, take a look at my other posts related to social networking