An Online Social Network attack, dubbed ‘Chameleon,’ changes ‘liked’ posts, making it seem that users support certain politicians or even terror.
Researchers at Ben-Gurion University of the Negev (BGU) discovered flaws in seven social network sites that enable attackers to maliciously alter a post after users have “liked” or commented on it. The attack, which targets Online Social Networks (OSNs) and is dubbed “Chameleon,” can lead to the embarrassment or even incrimination of a user.
In their paper, “The Chameleon Attack: Manipulating Content Display in Online Social Media,” published on arXiv.org, the team, made up of Aviad Elyashar, Sagi Uziel, Abigail Paradise, and Rami Puzis from the Telekom Innovation Laboratories and Department of Software and Information Systems Engineering, described weaknesses within Facebook, Twitter, LinkedIn and other social media platforms that could lead to “detrimental and potentially criminal” activities.
The flaw allows a post’s displayed content to be changed after publication without the people who interacted with it being told. Redirect links embedded in a post are also susceptible: the attacker can retarget them so that the same post points somewhere else entirely. Either way, the “likes” and comments the post has already collected remain attached to it.
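The following is an added, simulated example (not code from the paper or from any platform) of the mechanism described above, and of the censorship-evasion and social-capital scenarios Puzis describes later on the page. The attacker owns a redirect link whose target can be changed after the post has collected likes; the platform either keeps those likes attached with no change indicator (the reported behaviour) or records which version of the content each like was given to and surfaces the change. The class names, URLs and page titles are invented for illustration, and the hardened behaviour is one possible defensive check, not a mitigation the paper or the platforms claim to implement.

```python
"""Toy model of a Chameleon-style post and one defensive check.

Added example; not code from the paper or from any social network.
All names and URLs are constructed. Only two behaviours are taken from
the article: (1) the attacker can change what a redirect link in a
published post points to, and (2) the platform keeps the likes the post
collected. Everything else is an assumption for illustration.
"""
import hashlib
from dataclasses import dataclass, field


# --- Attacker side (simulated, no network) ---------------------------------

class Redirector:
    """Attacker's short-link service: the short URL never changes, the target does."""

    def __init__(self, short_url: str, target: str):
        self.short_url = short_url
        self.target = target

    def resolve(self) -> str:
        return self.target

    def retarget(self, new_target: str) -> None:
        self.target = new_target


# Constructed stand-in for the web: final URL -> page title shown in a link preview.
WEB = {
    "https://example.org/kitten-video": "Cute kitten plays with yarn",
    "https://example.org/something-else": "Content the likers never saw",
}


# --- Platform side (simulated) ---------------------------------------------

def fingerprint(final_url: str) -> str:
    """Hash the *resolved* destination and its preview, not the attacker-controlled short link."""
    return hashlib.sha256(f"{final_url}\n{WEB[final_url]}".encode()).hexdigest()


@dataclass
class Post:
    link: Redirector
    published_version: str                      # fingerprint at publication time
    likes_by_version: dict = field(default_factory=dict)  # fingerprint -> set of users


class Platform:
    """track_versions=False models the reported behaviour: the preview follows the
    link, every like stays attached, and nothing tells the reader the content changed.
    track_versions=True is the illustrative hardened variant (an assumption, not a
    platform feature)."""

    def __init__(self, track_versions: bool):
        self.track_versions = track_versions
        self.posts: dict = {}

    def publish(self, link: Redirector) -> int:
        post_id = len(self.posts) + 1
        self.posts[post_id] = Post(link, fingerprint(link.resolve()))
        return post_id

    def like(self, post_id: int, user: str) -> None:
        post = self.posts[post_id]
        # Attribute the like to the content the user actually saw at that moment.
        version = fingerprint(post.link.resolve())
        post.likes_by_version.setdefault(version, set()).add(user)

    def render(self, post_id: int) -> dict:
        post = self.posts[post_id]
        final = post.link.resolve()
        current = fingerprint(final)
        all_likes = set().union(*post.likes_by_version.values())
        if not self.track_versions:
            # Vulnerable: current preview, every like ever collected, no change indicator.
            return {"title": WEB[final], "likes": len(all_likes), "changed": False}
        # Hardened: only likes given to this exact version count; stale ones are surfaced.
        current_likes = post.likes_by_version.get(current, set())
        return {
            "title": WEB[final],
            "likes": len(current_likes),
            "likes_on_earlier_version": len(all_likes - current_likes),
            "changed": current != post.published_version,
        }


def run_scenario(track_versions: bool) -> dict:
    """Publish a benign-looking post, collect likes, then flip the redirect target."""
    link = Redirector("https://short.example/abc", "https://example.org/kitten-video")
    platform = Platform(track_versions)
    post_id = platform.publish(link)
    for user in ("alice", "bob", "carol"):       # three users like the kitten video
        platform.like(post_id, user)
    link.retarget("https://example.org/something-else")  # attacker flips the redirect
    return platform.render(post_id)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(track_versions=False))
    print("hardened:  ", run_scenario(track_versions=True))
```

On the vulnerable platform the rendered post shows the new title with all three likes and no indication of change, which is exactly the situation in the kitten-video anecdote below; on the hardened variant the three likes are reported as belonging to an earlier version and the post is marked as changed. The same bookkeeping covers the moderator scenario (the version a moderator approved differs from the one later displayed) and the social-capital scenario (likes harvested under one version do not transfer to the next). Fingerprinting the resolved destination rather than the short link is the important design choice, since the short link is what the attacker controls.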
“Imagine watching and ‘liking’ a cute kitty video in your Facebook feed and a day later a friend calls to find out why you ‘liked’ a video of an ISIS execution,” Puzis said. “You log back on and find that indeed there’s a ‘like’ there. The repercussions from indicating support by liking something you would never do (Biden vs. Trump, Yankees vs. Red Sox, ISIS vs. US) from employers, friends, family, or government enforcement unaware of this social media scam can wreak havoc in just minutes.”
‘Concerning’ Responses from FB, Twitter
The team informed Facebook, Twitter and LinkedIn of its findings. However, these huge social media outlets’ responses “were concerning, as far as protecting billions of platform users worldwide,” according to MITechNews.
“Facebook responded that the reported issue ‘appears to describe a phishing attack against Facebook users and infrastructure’ and that ‘such issues do not qualify under our bug bounty program.’”
“This behavior has been reported to us previously,” Twitter responded. “While it may not be ideal, at this time, we do not believe this poses more of a risk than the ability to tweet a URL of any kind since the content of any web page may also change without warning.”
LinkedIn has been investigating the issue since December 14, 2019, after receiving further requested details from the research team, MITechNews reported.
“Adversaries can misuse Chameleon posts to launch multiple types of social network scams,” Puzis said. “First and foremost, social network Chameleons can be used for shaming or incrimination, as well as to facilitate the creation and management of fake profiles in social networks.
“They can also be used to evade censorship and monitoring, in which a disguised post reveals its true self after being approved by a moderator. Chameleon posts can also be used to unfairly collect social capital (posts, likes, links, etc.) by first disguising themselves as popular content and then revealing their true selves and retaining the collected interactions.”
Puzis warned, “This is an issue that requires solving, especially before the upcoming US election.”
The BGU team is presenting its paper in April at The Web Conference in Taipei, Taiwan.