Facebook 'Stalker' Tool Uses Graph Search For Data Mining

angry tapir writes "Mining small details from Facebook has become even easier with Graph Search, the site's new search engine that returns personalized results from natural-language queries. Graph Search granularly mines Facebook's vast user data: where people have visited, what they like and if they share those same preferences with their friends. 'FBStalker' is a Python script debuted at the Hack in the Box security conference in Kuala Lumpur. In its current form, FBStalker runs in the Chrome browser on OS X, entering queries into Facebook's Graph Search and pulling data. Even if a person's profile is locked down to strangers, their friends' open profiles can be examined, giving an indication, for example, who the person may be close with. FBStalker uses Graph Search to find photos in which two people are tagged in, comments on profiles and more."

isn't this like the n:th bot for querying it?

[gl4ss]

I mean seriously how many times can you flog the subject.

Re:isn't this like the n:th bot for querying it?

Oh, if only FB were a dead horse.

Spear phishing

[schneidafunk]

So based on the article, the lesson learned is do not give your tech-novice wife a computer with your passwords on it.

Re:Spear phishing

[barlevg]

Probably should take computers away from your tech-novice parents, grandparents, children and cats as well (though why you gave your cat a computer in the first place is beyond me). The point of the article is not that spear phishing is new, it's that Graph Search makes it much easier to find a squishy target for your spear.

Re:Spear phishing

[schneidafunk]

Meh, this is a targeted attack on a "high-profile public figure". Google or his garbage would probably turn up the same result. Granted, it sounds like their approach was the easiest.

Re:Spear phishing

...cats as well (though why you gave your cat a computer in the first place is beyond me).

I know - because the keyboard is *the* place a cat likes to sit (especially if you're using it)!

Re:Spear phishing

So based on the article, the lesson learned is do not give your tech-novice wife a computer with your passwords on it.

The lesson is more like: do not give your tech-novice wife a smartphone.

Good luck with that!

Re:Spear phishing

[just_another_sean]

(though why you gave your cat a computer in the first place is beyond me)

Cause it's just so damn cute!

It's a trap!

[koan]

I've noticed one news site that only allows log in via "verified" Facebook accounts, if you really care about topics like privacy, security, then you would close your Facebook account.

Re:It's a trap!

[Registered+Coward+v2]

I've noticed one news site that only allows log in via "verified" Facebook accounts, if you really care about topics like privacy, security, then you would close your Facebook account.

Why? Attila T. Hun has always liked a bit of notoriety and FB just expands its reach.

Runs only in Chrome on OSX

It's python. Why can't it be written platform agnostic?

Re:Runs only in Chrome on OSX

It's python. Why can't it be written platform agnostic?

I'm sure it can. But it's always better to focus on one platform when trying to meet a deadline, especially for a demo at an international event.

Re:Runs only in Chrome on OSX

And it's hard to complain when the code is on github. Port away if you care enough.

Facebook != Privacy

Nothing is private on FB even if you lock everything down. And don't forget they create 'shadow profiles' on all users to gather personal information that you don't enter into FB (they know that you really meant to share that data with them but just forgot or were too busy).

Moving goalposts

Facebook privacy, indeed all internet privacy seems to be a moving goalpost...whenever the site wants to change it for whatever reason.

I know this, Slashdotters know this...but does little Timmy know that? 15 years from now what dirt will potential empoyers find on him? And the only real line of defense is his parents...who probably know less than Timmy.

The speed of tech progress and privacy knowledge are severely out of sync...and not in privacy's favor.

What if one has no FB ?

Can they gather information on someone who don't have and never had a FB account ?

Re:What if one has no FB ?

Yes it's called a shadow profile I believe. They collect information about you based on your friends posts and they store it for when you're finally ready to sign up for their great service! http://www.digitaltrends.com/social-media/what-exactly-is-a-facebook-shadow-profile/

Re:What if one has no FB ?

Is there a way to find out if you have shadow profile (and what it contains) without getting an account?

Re:What if one has no FB ?

Based on your link it seems that a shadow profile is some extra info FB stores for registered users.

Re:What if one has no FB ?

It's called "Discovery" and goes hand in hand with a Lawsuit and Lawyer against Facebook.

Re:What if one has no FB ?

[cjjjer]

Google also does this with your account profile information by scraping other social sites. I know this for a fact because other than my username I have never (nor had a reason to) view / edit my account profile. With the latest use your Google+ image / Name in ads uprising I checked out my account profile and was shocked that it had all the info from my LinkedIn profile as well info from my twitter account populated.

FYI: The only service I use from Google is mail and I have never used service interoperability between any social account and Google.

Re:What if one has no FB ?

I did not register Google+ either, only gmail and gdrive.

If I remember well, I had to optout of some new google feature, 3-4 years ago or so, related to what is g+ now.
Maybe you didn't.

Re:What if one has no FB ?

[gl4ss]

If I remember well, I had to optout of some new google feature, 3-4 years ago or so, related to what is g+ now.
Maybe you didn't.

google has pushed g+ a lot.

if you're not on g+, then there's a lot of ways you can join by one clicking by accident. iirc gtalk was turned into g+ too. if you have a youtube account then you're on g+ now("upgrade account" click).

if you're not seeing g+ spam on gdrive and gmail then you might want to check again if you already have a g+ account.

Re:What if one has no FB ?

If you're not seeing g+ spam on gdrive and gmail then you might want to check again if you already have a g+ account.

Well... when I select google+ on the applications shortcuts, from gmail screen, it tells me "join Google+ by creating your public profile" (my translation)
It's the first step to join g+, over three steps displayed on the left. Page title is "configure your profile".

So I hope I don't have a g+ account.

Re:What if one has no FB ?

[flimflammer]

if you have a youtube account then you're on g+ now("upgrade account" click).

Not me. I've been very proactive about avoiding G+ (not on privacy grounds primarily but because I have no interest in having pointless social network profiles floating around). My youtube account isn't associated with a G+ account at all.

Maybe it's because my Google account is essentially tied to their domain services and I have all G+ stuff disabled on their dashboard. Trying to go to G+ at all presents me with a nice "Google+ is not available for your organization" message.

Re:What if one has no FB ?

Linked In raids any accounts it can find on your device.

Has a friend posted a picture of you?

If any friends took a snapshot of you and tagged you with your name, you're in the Matrix.

yay

Fuck Facebook.

Just goes to show you

Facebook's "privacy controls" are nothing of the sort because they do not allow you control of your information when that information is found on other people's profiles. Kind of a microcosm of the government's third party doctrine if you ask me.

Re:Just goes to show you

they do not allow you control of your information when that information is found on other people's profiles

By definition, if it's on someone else's profile then it's not your information, even it if is about you. Go bitch at the person who put it up there if you have a problem with it.

Re:Just goes to show you

[gl4ss]

how could it? this isn't some world-wide-uk where everyone is celebs and have legal means to shutdown everyone talking about them.

if you don't want to be mentioned anywhere don't be friends with anyone. don't ever go anywhere.

even then though probably someone would talk about you as the creepy guy who never goes anywhere.

as to the presentation.. the guy could have saved everyones time and just linked to facebooks graph search pr.

a bit from the article that caught my eye

[way2trivial]

""It's basically not feasible for a human to go to the depths that FBStalker script does," he said."

Pfft-- I beg to differ...

Already said...

[just_another_sean]

Already said a million times or more but *this* is why I am not on Facebook.

Oh wait, I probably am and just don't know it thanks to my "friends". So I guess what I should have said is "this is why I hate Facebook"!

Re:Already said...

[isorox]

Already said a million times or more but *this* is why I am not on Facebook.

Oh wait, I probably am and just don't know it thanks to my "friends". So I guess what I should have said is "this is why I hate Facebook"!

Precisely, you're probably better being on facebook with a locked down profile that you never add, perhaps with some fake photos, than you are ignoring it completely.

Or you can go with the herd. In nature a lone deer is often killed, while the herd remains safe. Are you sure you're a wolf?

Re:Already said...

[antdude]

Yeah, that's scary. I registered for a brand new account. Facebook only has my e-mail address and name, but they already had connections to people I know. How the heck? I wished I could know more how it has connections to others. Did people name me? I asked people through other communication means, and they said no. WTF? With my fake accounts, I do not see anyone. It's scary! :(

Does the code even run?

For all this arguing... has anyone actually run this code? Indentation is all off and AttributeError's glaore.

'Module' object has no attribute 'adapters' line 32. Anyone getting this thing to run successfully?

How to run the script?

Anyone get this to run? No luck on MAC OS X 10.8.5 with Python 2.6......

creepy - A geolocation information aggregator

for Linux and Windows:

creepy - A geolocation information aggregator (Linux+Windows)

http://ilektrojohn.github.io/creepy/
http://ilektrojohn.github.io/creepy/faq.html

"creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation."

Features

Map providers available :

        Google Maps
        Virtual Maps
        Open Street Maps

Location information retieval from :

        Twitter's tweet location
                Coordinates when tweet was posted from mobile device
                Place (geographical name) derived from users ip when posting on twitter's web interface. Place gets translated into coordinates using geonames.com
                Bounding Box derived from users ip when posting on twitter's web interface.The less accurate source , a corner of the bounding box is selected randomly.
        Geolocation information accessible through image hosting services API
        EXIF tags from the photos posted.

Social networking platforms currently supported :

        Twitter
        Foursquare (only checkins that are posted to twitter)
        Gowalla (only checkins that are posted to twitter)

Image hosting services currently supported :

        flickr - information retrieved from API
        twitpic.com - information retrieved from API and photo exif tags
        yfrog.com - information retrieved from photo exif tags
        img.ly - information retrieved from photo exif tags
        plixi.com - information retrieved from photo exif tags
        twitrpix.com - information retrieved from photo exif tags
        foleext.com - information retrieved from photo exif tags
        shozu.com - information retrieved from photo exif tags
        pickhur.com - information retrieved from photo exif tags
        moby.to - information retrieved from API and photo exif tags
        twitsnaps.com - information retrieved from photo exif tags
        twitgoo.com - information retrieved from photo exif tags

Automatic caching of retrieved information in order to reduce API calls and the possibility of hiting limit rates.

GUI with navigateable map for better overview of the accumulated information

4 Maps providers (including Google Maps) to use.

Open locations in Google Maps in your browser

Export retrieved locations list as kmz (for Google Earth) or csv files.

Handling twitter authentication in an easy way using oAuth. User credentials are not shared with the application.

User/target search for twitter and flickr.