Security researchers have demonstrated Facebook Pwn, a Java tool that automates a social-engineering attack to obtain personal details of Facebook users that are not publicly accessible.

The tool starts out by setting up a fake account that attempts to befriend all of the target's contacts. The attacker then picks one of the target's friends whose identity can be adopted, and the tool copies that friend's name and profile picture onto the fake account. Finally, the fake account sends a friend request to the target, who is confronted with a familiar name, a copy of their friend's photo and a list of mutual friends – the three cues most people rely on to judge whether a request is genuine.

If the friend request is accepted, the tool downloads the victim's personal data and photographs so that even if the victim detects and unfriends the fake account, the attacker can still peruse these at their leisure. The information obtained can be used for other targeted attacks (spear phishing) or stalking.
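The cues the tool forges (a known name, a byte-for-byte copy of a known photo, and mutual friends it collected in the first step) are also the cues that give a cloned request away, because they are attached to an account ID that is not the friend's. The following is an added example, not part of Facebook Pwn or of any Facebook API: it runs a clone check over a constructed, locally held friend list and a constructed incoming request. The `Profile` fields, the account IDs and the picture bytes are assumptions made for the illustration.

```python
"""Flag friend requests that clone an existing contact's identity.

Added example; not Facebook Pwn's code and not a Facebook API. Operates on
constructed data: a friend list as a user might export it, plus one incoming
request. All identifiers and picture bytes below are made up.
"""
import hashlib
import unicodedata
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Profile:
    account_id: str                      # hypothetical stable account identifier
    display_name: str
    photo_bytes: bytes                   # raw profile-picture bytes (constructed)
    friend_ids: frozenset = field(default_factory=frozenset)  # accounts this profile has befriended


def normalize_name(name: str) -> str:
    """Fold case, strip accents and collapse spaces so 'José  PÉREZ' == 'jose perez'."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def photo_fingerprint(data: bytes) -> str:
    """Exact fingerprint of the picture bytes; a straight copy hashes identically."""
    return hashlib.sha256(data).hexdigest()


def assess_request(requester: Profile, friends: list) -> dict:
    """Return the indicators suggesting `requester` is a clone of an existing friend.

    same_name      - display name matches an existing friend's (after normalization)
    same_photo     - profile picture is byte-identical to an existing friend's
    mutual_friends - how many of our friends the requester already befriended
    verdict        - 'clone' if a known name or photo arrives under a different
                     account id, 'already_friend' if the id is one we know,
                     otherwise 'unknown' (a request from a genuine stranger)
    """
    my_ids = {f.account_id for f in friends}
    if requester.account_id in my_ids:
        return {"verdict": "already_friend", "cloned_from": [], "same_name": False,
                "same_photo": False, "mutual_friends": len(requester.friend_ids & my_ids)}

    wanted_name = normalize_name(requester.display_name)
    wanted_photo = photo_fingerprint(requester.photo_bytes)
    name_hits = [f for f in friends if normalize_name(f.display_name) == wanted_name]
    photo_hits = [f for f in friends if photo_fingerprint(f.photo_bytes) == wanted_photo]
    cloned = sorted({f.account_id for f in name_hits + photo_hits})

    return {
        "verdict": "clone" if cloned else "unknown",
        "cloned_from": cloned,
        "same_name": bool(name_hits),
        "same_photo": bool(photo_hits),
        "mutual_friends": len(requester.friend_ids & my_ids),
    }


# Constructed sample data: three friends and two incoming requests.
ALICE_PHOTO = b"\x89PNG\r\n\x1a\n...alice-picture..."   # stands in for real image bytes
FRIENDS = [
    Profile("10001", "Alice Nguyen", ALICE_PHOTO, frozenset({"10002", "10003"})),
    Profile("10002", "Bob Okafor", b"...bob-picture...", frozenset({"10001"})),
    Profile("10003", "Chen Wei", b"...chen-picture...", frozenset({"10001"})),
]
# The fake account: a new id, Alice's name (re-cased), a copy of her picture, and
# two of our friends already befriended, which is the order Facebook Pwn works in.
CLONE = Profile("99999", "alice  NGUYEN", ALICE_PHOTO, frozenset({"10002", "10003"}))
# A stranger with no overlap at all.
STRANGER = Profile("77777", "Dana Ruiz", b"...dana-picture...", frozenset())

if __name__ == "__main__":
    for req in (CLONE, STRANGER):
        print(req.display_name, "->", assess_request(req, FRIENDS))
```

The exact hash only catches a picture copied verbatim; a re-encoded or cropped copy would need a perceptual hash instead. The check also only works from Facebook's vantage point, or from a local export: a user looking at the request sees the same name, photo and mutual-friend count the tool chose to show them, which is why the attack works.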

The GPL3-licensed "proof of concept" code is available from the project's site on Google Code, and the associated wiki explains how to write new modules for the application.

(ehe)