Facebook Tracking

Discuss the many weaknesses of browser security and ways to mitigate the threat

Post by jgreen45 on Fri Nov 04, 2011 3:36 pm

Put down the ban hammer for now :P, I'm not about to ask how to h4ck into Facebook servers or trace IP addresses over command prompt. I am looking to verify an identity of an unknown individual who has been saying some rather childish things over Facebook. It is almost certain this individual is inside my school which I attend.

Long story short, I'm bored and I was thinking about how it could be possible to find the identity of this person. I disregarded some methods: trojans, router MAC address lookup (courtesy of our friend Google ;) ) and IP addresses as either illegal, unsuitable or just inaccurate.

While thinking about the problem I remembered this site http://panopticlick.eff.org/ and it got me thinking, what if I set up a website on a free web host and SE'd this person to click my link, I can then fingerprint his browser and, hopefully, add a normal cookie and a flash cookie to his browser. Assuming he/she has a fake Facebook account it's likely they also have a legit account. I could then send out another link to my top suspects to my website that checks for the cookie/IP/Browser Fingerprinting I have planted and if they match I will have proof on who it is.

For my code I plan to make use of http://browserspy.dk/ if you want to hit it up. And if anyone else knew about something similar let me know.

I would like to know if you guys can improve upon this, I take it that if people visit my website more than once I could quickly lose track of who is connecting. Any ideas on stopping a double count? Unique cookie for each person? But that can still mean if enough people connect to my server I will still lose track of the identity of people.

Lastly how close is this to the legal line? Websites routinely profile browsers over many pages, but would social engineering people to click my link via false representation be classed as illegal? If I am to attempt this I would like it to all be above board :)

TL;DR In case you didn't want to listen to my ramblings any ideas on how to improve browser fingerprinting accuracy in order to ascertain the identity of an unknown person inside a select group of people all who communicate over Facebook, and what legal lines should I consider?

I would rather not contact Facebook admins, I don't really care about what he has posted I just see this as a way to test out a theory on online privacy
I can't come to bed...
Someone is WRONG on the internet


http://xkcd.com/386/


Re: Facebook Tracking

Post by VPR3 on Fri Nov 04, 2011 4:43 pm

I'm not a Facebook person, but I have ripped off images off Facebook sites and identified who people are and where they live using those images and that's worked well. Only thing that pops into my head at the moment is try the least invasive method first and escalate from there.


Re: Facebook Tracking

Post by jgreen45 on Fri Nov 04, 2011 6:15 pm

VPR3 wrote: I'm not a Facebook person, but I have ripped off images off Facebook sites and identified who people are and where they live using those images and that's worked well. Only thing that pops into my head at the moment is try the least invasive method first and escalate from there.


Tried this, his username is very generic and basically useless and his picture is just from google images, so no luck there. I'm more interested in trying to use browser fingerprinting and cookies and practicing some AJAX and PHP rather than finding his identity, although it would be nice to just walk up to him/her/cat and provide concrete proof about what he has done and watch the reaction.

I have secured some free web hosting and I am wondering what methods I should use, my sort of plan was to place a cookie on the unknown person's computer and then play hunt the cookie in the *computer* stack (poor attempt at computer humour here :)). Then sending messages to people one by one until I eventually get a match. Although I can quickly see that if I have sent the link to 4 people and then the unknown cookie appears, I still won't be any the wiser :/. Ideas?

Escalation you say? baseball bats, anyone? :twisted:


Re: Facebook Tracking

Post by LoGiCaL__ on Fri Nov 04, 2011 6:20 pm

If you're using PHP and you have your own web host, it's not too hard to create logs of users' IPs. What you do after that is entirely up to you.


Re: Facebook Tracking

Post by Defience on Fri Nov 04, 2011 9:41 pm

The easiest thing of course would be to simply block him/her but that doesn't seem to be your goal. If their IP is what you're after, you can have them send you an email, which will contain it, or do like LoGiCaL__ suggested and log their IP using PHP. http://goo.gl/DTS4z


Re: Facebook Tracking

Post by jgreen45 on Sat Nov 05, 2011 10:26 am

Defience wrote: The easiest thing of course would be to simply block him/her but that doesn't seem to be your goal. If their IP is what you're after, you can have them send you an email, which will contain it, or do like LoGiCaL__ suggested and log their IP using PHP. http://goo.gl/DTS4z


An IP would be useful, but I have no guarantee that it won't change later when I do my comparisons. I think cookies are the way to go and give each person a unique link so I can map who is who. If I write a test page would anyone here be interested in testing it out? I will leave a link to the log file for HTS members to look through and delete it if they so wish :).


Re: Facebook Tracking

Post by memoric on Sat Nov 05, 2011 1:23 pm

Did I get you right? You are offering me a cookie? I'm in!
May the Force be with me...


Re: Facebook Tracking

Post by mShred on Sat Nov 05, 2011 6:05 pm

This would work only if they didn't clear their cookies.. But with that, wouldn't you have to get them to visit your site twice? Once to plant an individual cookie, and then once to grab it and run the check on them?
Also, getting an IP would be easier. But like you said, you could easily lose track of the different people unless you're somehow splitting everything up.
For those about to rock.


Re: Facebook Tracking

Post by LoGiCaL__ on Sat Nov 05, 2011 11:47 pm

mShred wrote: This would work only if they didn't clear their cookies.. But with that, wouldn't you have to get them to visit your site twice? Once to plant an individual cookie, and then once to grab it and run the check on them?
Also, getting an IP would be easier. But like you said, you could easily lose track of the different people unless you're somehow splitting everything up.


Also, if you tend to have most IPs that are the same and more keep getting added to the log, it may be that there is one user who has a bouncing IP address. And I say this because you are obviously targeting a finite group of individuals, so you shouldn't constantly see brand new IPs logged all the time, like it's Google or something. It sounds useless, but this could be used as recon to judge what kind of tactics this person is using. Really, it's just something else to add to this process that will weigh in on the final result.

-- Sat Nov 05, 2011 11:50 pm --

Post a link on your Facebook and make it like it's your own personal Facebook, it should draw your person in.


