Reporter investigating Facebook has his account hacked.. by me

Filed Under: Facebook, Privacy, Social networks

ITV Tonight logo
Last night, UK TV show "Tonight" broadcast a 30 minute documentary called "Facing up to Facebook".

As well as looking into some of the great things that Facebook can do (for instance, they told the story of how the family of a British man who had been critically injured while holidaying in Mexico had managed to find blood donors via the site), it also examined some of the problems with the site.

I popped up on the show too, because the researchers on the "ITV Tonight" programme contacted me in January asking if I could help discuss security and privacy issues on the website.

One of the things the production team wanted me to do, was see what I could uncover about presenter Jonathan Maitland, a self-confessed social-networking luddite.

First I tried to become Facebook friends with Maitland, sending him a friend request from my account using my own name. He ignored me.

Then, I went on LinkedIn - and discovered a company that Maitland was involved with, and a list of some of his fellow workers. I noticed that at least one of them (who had been recently promoted, so presumably was well-regarded) wasn't currently friends with Maitland on Facebook.

So, I created a fake Facebook account using that individual's name and using a picture I found on the net.

Sending a friend request from that fake user to Maitland resulted in success. We were now Facebook friends.

Jonathan Maitland has confirmed my friend request

For many identity thieves this would have been enough. It would have been possible to send a malicious link to my intended victim, contact his friends or scoop up personal information from my prey's profile. But Maitland, obviously savvy about the dangers, had answered all the person questions on Facebook in a jokey fashion (he claims to be over 100 years old, for instance) - so at least that was a silver lining.

Jonathan Maitland on Facebook, with fake personal information

And normally I would have left it at that. But I was curious as to what else I could find out about the TV journalist - as someone in the public eye it might be surprising what you could find out, right?

Well, one of the things I uncovered was a news story from April 2000, which mentions right at the end that Jonathan Maitland is a devoted supporter of Charlton Athletic Football Team.

Regular readers of the Clu-blog may have guessed what's coming next. Many people choose dumb passwords (name of a pet, favourite football team, etc) for their passwords - and the night before I was due to be filmed by the TV programme I was curious to see if entering "Charlton" as Maitland's password would give me access to Facebook...

The following day at Liverpool Street station the stage was set for filming. Without Maitland's knowledge, the TV crew had borrowed a large digital advertising billboard onto which were projected images of Maitland's Facebook profile, and photos of himself, his pet dog and band.

As these were projected behind us, I explained to Jonathan Maitland that not only had I managed to become Facebook friends with him, but I had also correctly guessed his Facebook password. If I had had malicious intent, I would have been able to abuse the situation by posting messages from his account to his Facebook friends (who included a British MP), trawling through his personal emails, and so forth..

ITV Tonight

The reporter was shocked at what I had been able to do, but afterwards gave his retrospective permission for me to access his account (without permission I would have been committing an offence under computer crime laws).

Fortunately all that the many commuters at the railway station saw on the digital screen were pictures of a middle-aged man in a pub band and images of his dog. But Maitland left with a dossier full of print outs of his private emails, and a strong reminder to change all of his online passwords.

The programme may not be the deepest investigation into Facebook privacy and security, but if you're interested you can view it via the ITV Player website for the next 30 days or so (I think this only works in the UK, sorry).

Hopefully it made some people wake up to the need to choose sensible passwords for their online accounts.

if you're a regular user of Facebook, be sure to join the Sophos page on Facebook to be kept informed of the latest security threats.

, , , , , ,

You might like

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.