Abstract

Recently, we have seen a rapid growth of social networking systems (SNSs). In most SNSs, a user can configure his privacy settings to indicate who can or cannot see his friend list. Usually, SNSs, such as LinkedIn and Google Plus, also include a feature that allows a user to query mutual friends between him and any other user he can reach using the available public search feature in SNSs. While such a mutual friend feature is very helpful in letting users find new friends and connect to them, in this paper we show that it also raises significant privacy concerns: an adversary can use it to find out some or all of the victim's friends even though, as per the privacy settings of the victim, the adversary is not authorized to see his friend list directly. We show that by using mutual friend queries, an attacker can launch privacy attacks, which we refer to as mutual-friend based attacks, to identify friends and distant neighbors of targeted users. We analyze these attacks and identify various attack structures that an attacker can use to build attack strategies for identifying a user's friends and his distant neighbors. Through simulations, we demonstrate that mutual-friend based attacks are effective. For instance, one of the simulation results shows that an attacker using just one attacker node can identify more than 60% of a user's friends.

  • Publication date: 2013-9