Did you really 'like' that? How Chameleon attacks spring in Facebook, Twitter, LinkedIn

Social networks impacted seem to disagree on the scope of the attack.

Social networks are full to the brim with our photos, posts, comments, and likes -- the latter of which may be abused by attackers for the purposes of incrimination. 

A new paper, titled "The Chameleon Attack: Manipulating Content Display in Online Social Media," has been published by academics from the Ben-Gurion University of the Negev (BGU), Israel, which suggests inherent flaws in social networks could give rise to a form of "Chameleon" attack. 

The team, made up of Aviad Elyashar, Sagi Uziel, Abigail Paradise, and Rami Puzis from the Telekom Innovation Laboratories and Department of Software and Information Systems Engineering, says that weaknesses in how posting systems are used on Facebook, Twitter and LinkedIn as well as other social media platforms, can be exploited to tamper with user activity in a way that could be "completely different, detrimental and potentially criminal."

According to the research, published on arXiv.org, an interesting design flaw -- rather than a security vulnerability, it should be noted -- means that content, including posts, can be edited and changed without users who may have liked or commented on it being made aware of any shifts. 

Content containing redirect links, shortened for the purposes of brand management and to account for word count restrictions, may also be susceptible and can be changed without notice. 

During experiments, the researchers used the Chameleon method to change publicly-posted videos on Facebook. Comments and like counts stayed the same, and no indication of the alterations was made available to anyone who had previously interacted with the content. 
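
A defensive sketch of the gap described above, added here as an illustration and not taken from the paper or from any platform: it binds each like or comment to the version of the post (displayed text plus resolved link destination) that was visible at the time, then reports interactions whose version no longer matches what is displayed now. The record types, field names and sample data are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass

def fingerprint(text: str, link_target: str) -> str:
    """Hash the displayed text together with the URL a shortened link resolves to."""
    return hashlib.sha256(f"{text}\x00{link_target}".encode()).hexdigest()

@dataclass
class Version:            # hypothetical edit-history record
    ts: int               # time this version became visible
    text: str
    link_target: str      # resolved destination of any redirect/short link

@dataclass
class Interaction:        # hypothetical like/comment record
    ts: int
    user: str
    kind: str             # "like" or "comment"

def stale_interactions(versions, interactions):
    """Return (user, kind, version_ts) for interactions made on content
    whose fingerprint differs from the currently displayed version."""
    versions = sorted(versions, key=lambda v: v.ts)
    current = fingerprint(versions[-1].text, versions[-1].link_target)
    stale = []
    for act in interactions:
        seen = [v for v in versions if v.ts <= act.ts]
        if not seen:
            continue      # predates the first recorded version; cannot be bound
        v = seen[-1]      # version on display when the user interacted
        if fingerprint(v.text, v.link_target) != current:
            stale.append((act.user, act.kind, v.ts))
    return stale

# Constructed sample: the text never changes, only the redirect target does.
SAMPLE_VERSIONS = [
    Version(100, "Cute kitten video", "https://video.example/kitten"),
    Version(500, "Cute kitten video", "https://video.example/other"),
]
SAMPLE_INTERACTIONS = [
    Interaction(150, "alice", "like"),
    Interaction(200, "bob", "comment"),
    Interaction(600, "carol", "like"),
]

if __name__ == "__main__":
    for user, kind, ts in stale_interactions(SAMPLE_VERSIONS, SAMPLE_INTERACTIONS):
        print(f"{user}'s {kind} was made on the version from t={ts}, not the current one")
```

Comparing fingerprints rather than version numbers means an edit that is later reverted does not leave earlier interactions flagged.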


"Imagine watching and 'liking' a cute kitty video in your Facebook feed and a day later a friend calls to find out why you 'liked' a video of an ISIS execution," says Dr. Rami Puzis, a researcher in the BGU Department of Software and Information Systems Engineering. "You log back on and find that indeed there's a 'like' there. The repercussions from indicating support by liking something you would never do (Biden vs. Trump, Yankees vs. Red Sox, ISIS vs. US) from employers, friends, family, or government enforcement unaware of this social media scam can wreak havoc in just minutes."  

Scams come to mind first, but in a world where propaganda, fake news, and troll farming run rampant across social networks -- the alleged interference of Russia in the previous US election being a prime example -- and where our physical and digital identities are closely tied, these design weaknesses may have serious ramifications for users. 


In a hypothetical attack scenario, the researchers say that a target could be selected and reconnaissance across a social network performed. Acceptable posts and links could then be created to "build trust" with an unaware victim -- or group -- before the switch is made via a Chameleon attack, quickly altering the target's viewable likes and comments to relate to other content. 

"First and foremost, social network Chameleons can be used for shaming or incrimination, as well as to facilitate the creation and management of fake profiles in social networks," Puzis says. "They can also be used to evade censorship and monitoring, in which a disguised post reveals its true self after being approved by a moderator."

When contacted by the team, Facebook dismissed any concerns, labeling the issue a phishing attack and saying that, therefore, "such issues do not qualify under our bug bounty program."

The LinkedIn team has begun an investigation. 

Both Facebook and LinkedIn, however, have partial mitigation in place as an icon is set when content is edited post-publication.


Twitter said the behavior was reported to the microblogging platform in the past, saying "while it may not be ideal, at this time, we do not believe this poses more of a risk than the ability to tweet a URL of any kind since the content of any web page may also change without warning."

WhatsApp and Instagram are not generally susceptible to these attacks, whereas Reddit and Flickr may be.

"On social media today, people make judgments in seconds, so this is an issue that requires solving, especially before the upcoming US election," Puzis says. 
 
The research will be presented in April at The Web Conference in Taipei, Taiwan. 
