If there's any doubt about how much social networks have expanded the social engineering toolkit available to attackers, a Brazilian security researcher recently demonstrated how he could "friend" even supposedly wary Facebook users in less than 24 hours. At the Silver Bullet security conference in São Paulo, UOLDiveo chief security officer Nelson Novaes Neto showed how he leveraged LinkedIn, Amazon, and Facebook to social-engineer a target, a Web security expert he called "SecGirl", into accepting a friend request from a fake account.

Novaes created a fraudulent Facebook account, "cloning" the identity of the target's manager. From the cloned account he sent 432 friend requests to friends of friends of the manager. Within an hour, 24 of those requests were accepted, even though 96 percent of the recipients already had the manager's legitimate account in their contact lists. He then moved on to 436 direct friends of the manager, identified through LinkedIn connections, and got acceptances from 14 of them within an hour. Seven hours into the experiment, SecGirl accepted the cloned account's friend request.

Once an attacker has been accepted as a friend, Neto said, the information that becomes visible can be used to take over a legitimate Facebook account through Facebook's "Three Trusted Friends" password recovery feature. Through the password recovery tool, an attacker can change both the password and the contact e-mail address for the account, and can then use the hijacked account to run social engineering attacks against still more accounts.

In an interview with Brazil's UOL Noticias, Neto said, "People have simply ignored the threat posed by adding a profile without checking if this profile is true. Social networks can be fantastic, but people make mistakes. Privacy is a matter of social responsibility."

A Facebook spokesperson told Ars Technica by email that Neto's approach is a clear violation of the company's policies, and that Facebook encourages users to report any account they think may be using a false name. "When a person reports an account for this reason, we run an automated system against the reported account," the spokesperson said. "If the system determines that the account is suspicious, we show a notice to the account owner the next time he or she logs in warning the person that impersonating someone is a violation of Facebook's policies and may even be a violation of local law." The warning also requires the user to confirm his or her identity "through one of several methods, including registering and confirming a mobile phone number," the spokesperson said; if the account owner fails to respond within a certain amount of time, the account is automatically disabled. Facebook's spokesperson also said that the "Trusted Friend" system includes safeguards that lower the probability that a recently added friend would be chosen as one of the friends used for password recovery.