Location-based social networks (LBSNs) feature friend discovery by location proximity that has attracted hundreds of millions of users world-wide. While leading LBSN providers claim the well-protection of their users'location privacy, for the first time we show through real world attacks that these claims do not hold. In our identified attacks, a malicious individual with the capability of no more than a regular LBSN user can easily break most LBSNs by manipulating location information fed to LBSN client apps and running them as location oracles. We further develop an automated user location tracking system and test it on leading LBSNs including Wechat, Skout and Momo. We demonstrate its effectiveness and efficiency via a 3 week real-world experiment on 30 volunteers and show that we could geo-locate any target with high accuracy and readily recover his/her top 5 locations. Finally, we also develop a framework that explores a grid reference system and location classifications to mitigate the at-tacks. Our result serves as a critical security reminder of the current LBSNs pertaining to a vast number of users.

• 出版日期2014
• 单位The State University of New York at Buffalo; 上海交通大学; State University of New York at buffalo