Put down the ban hammer for now, I'm not about to ask how to h4ck into Facebook servers or trace IP addresses over command prompt. I am looking to verify an identity of an unknown individual who has been saying some rather childish things over Facebook. It is almost certain this individual is inside my school which I attend.
Long story short, I'm bored and I was thinking about how it could be possible to find the identity of this person. I disregarded some methods: trojans, router MAC address lookup (courtesy of our friend Google) and IP addresses as either illegal, unsuitable or just inaccurate.
While thinking about the problem I remembered this site http://panopticlick.eff.org/ and it got me thinking, what if I set up a website on a free web host and SE'd this person to click my link, I can then fingerprint his browser and, hopefully, add a normal cookie and a flash cookie to his browser. Assuming he/she has a fake Facebook account it's likely they also have a legit account. I could then send out another link to my top suspects to my website that checks for the cookie/IP/browser fingerprinting I have planted and if they match I will have proof on who it is.
For my code I plan to make use of http://browserspy.dk/ if you want to hit it up. And if anyone else knows about something similar let me know.
I would like to know if you guys can improve upon this. I take it that if people visit my website more than once I could quickly lose track of who is connecting. Any ideas on stopping a double count? Unique cookie for each person? But that can still mean if enough people connect to my server I will still lose track of the identity of people.
Lastly, how close is this to the legal line? Websites routinely profile browsers over many pages, but would social engineering people to click my link via false representation be classed as illegal? If I am to attempt this I would like it to all be above board.
TL;DR: In case you didn't want to listen to my ramblings, any ideas on how to improve browser fingerprinting accuracy in order to ascertain the identity of an unknown person inside a select group of people, all of whom communicate over Facebook, and what legal lines should I consider?
I would rather not contact Facebook admins. I don't really care about what he has posted, I just see this as a way to test out a theory on online privacy.