Ben-Gurion University Researchers Reveal New “Chameleon” Attack Can Secretly Modify Content on Facebook, Twitter or LinkedIn
BEER-SHEVA, ISRAEL, January 21, 2020 – That video or picture you “liked” on social media of a cute dog, your favorite team or political candidate can actually be altered in a cyberattack to something completely different, detrimental and potentially criminal, according to cybersecurity researchers at Ben-Gurion University of the Negev (BGU).
The researchers looked at seven online platforms and identified similar serious weaknesses in the management of the posting systems of Facebook, Twitter and LinkedIn. Twitter does not permit changes to posts and, normally, Facebook and LinkedIn indicate a post has been edited. But this new attack overrides that.
“Imagine watching and ‘liking’ a cute kitty video in your Facebook feed and a day later a friend calls to find out why you ‘liked’ a video of an ISIS execution,” says Dr. Rami Puzis, a researcher in the BGU Department of Software and Information Systems Engineering.
“You log back on and find that indeed there’s a ‘like’ there. The repercussions from indicating support by liking something you would never do (Biden vs. Trump, Yankees vs. Red Sox, ISIS vs. USA) from employers, friends, family, or government enforcement unaware of this social media scam can wreak havoc in just minutes.” See video of attack
In this new study, published on arXiv.org, the researchers explain how they penetrated individual profiles and groups in several experiments and how the Online Social Network (OSN) attack, dubbed “Chameleon,” can be executed. The attack involves maliciously changing the way content is displayed publicly without any indication whatsoever that it was changed until you log back on and see. The post still retains the same likes and comments.
“Adversaries can misuse Chameleon posts to launch multiple types of social network scams. First and foremost, social network Chameleons can be used for shaming or incrimination, as well as to facilitate the creation and management of fake profiles in social networks,” Dr. Puzis says.
“They can also be used to evade censorship and monitoring, in which a disguised post reveals its true self after being approved by a moderator. Chameleon posts can also be used to unfairly collect social capital (posts, likes, links, etc.) by first disguising itself as popular content and then revealing its true self and retaining the collected interactions.”
Facebook and LinkedIn partially mitigate the problem of modifications made to posts after their publication by displaying an indication that a post was edited. Other OSNs, such as Twitter or Instagram, do not allow published posts to be edited. Nevertheless, the major OSNs (Facebook, Twitter and LinkedIn) allow publishing redirect links, and they support link preview updates. This allows for changing the way a post is displayed without any indication that the target content of the URLs has been changed.
In Chameleon, first the attacker collects information about the victim, an individual. The attacker creates Chameleon posts or profiles that contain the redirect links and attracts the victim’s attention to the Chameleon posts and profiles, in a manner similar to phishing attacks. The Chameleon content builds trust within the OSN, collects social capital and interacts with the victims. This phase is very important for the success of targeted and untargeted Chameleon attacks. It is similar to a general cloaking attack on the Web, but the trust of users in the OSN lowers the attack barrier.
BGU researchers have notified LinkedIn, Twitter and Facebook about the identified misuse. Facebook and Twitter run open bug-bounty programs, which often pay significant sums for disclosing vulnerabilities with the purpose of bettering their systems and eliminating system bugs and malfunctions. LinkedIn has a closed team of white-hat hackers, but also accepts reports from outsiders without paying bounties.
Despite this significant issue, with wide-ranging consequences in a well-targeted attack, the responses from all three social networks are concerning, as far as protecting billions of platform users worldwide.
“Facebook responded that the reported issue ‘appears to describe a phishing attack against Facebook users and infrastructure’ and that ‘such issues do not qualify under our bug bounty program.’
Twitter acknowledged the problem and stated in an email, “This behavior has been reported to us previously. While it may not be ideal, at this time, we do not believe this poses more of a risk than the ability to tweet a URL of any kind since the content of any web page may also change without warning.” Twitter relies on URL blacklisting implemented within their URL shortener to identify potentially harmful links and “warn users if they are navigating to a known malicious URL.”
The LinkedIn support team were willing to investigate this issue. After receiving further requested details they started their investigation on Dec 14, 2019. “We are waiting for updates any day now,” Dr. Puzis says.
To mitigate these issues, the BGU team recommends practitioners and researchers immediately identify potential Chameleon profiles throughout the OSNs, as well as develop and incorporate redirect reputation mechanisms into machine learning methods for identifying social network misuse. They should also include the Chameleon attack in security awareness programs alongside phishing scams and related scams.
“On social media today, people make judgments in seconds, so this is an issue that requires solving, especially before the upcoming U.S. election,” says Dr. Puzis.
The BGU researchers will present the Chameleon attack paper at The Web Conference in Taipei, Taiwan on April 20-24.
Note: The Facebook demo will stop working when Facebook fixes the problem or, more likely, when the account that operates the demo is locked. In that case, a new demo will be provided.
The BGU researchers from the Department of Software and Information Systems Engineering who also participated in this study are: Aviad Elyashar, Sagi Uziel and Abigail Paradise.