Exploiting Privacy Policy Conflicts in Online Social Networks (CMU-CyLab-12-005)
Online Social Networks (OSNs) offer access control mechanisms to protect users' sensitive information from undesired access. Yet that information remains vulnerable to disclosure when a user's friends assign conflicting privacy policies: the user prohibits everyone from accessing his own content or profile, but his friends allow others to see it. OSNs tend to select Permit-Take-Precedence when resolving multiple conflicting policies, so the information may be exposed regardless of the information owner's preference. In this paper, we confirm that specific types of information in real OSN services are in this situation. We then propose three attack scenarios that exploit such conflicts to reveal the hidden friend lists, profiles, and posted messages of a target's OSN account. We finally discuss possible countermeasures in terms of both implementation and human behavior.
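To make the policy-combining problem concrete, the following added example (not code from the report) models the conflict: one piece of information governed by an owner policy and a friend policy, combined first with the Permit-Take-Precedence rule the abstract attributes to OSNs and then with an assumed owner-first, deny-by-default rule as a countermeasure. The scenario, the relation names and the combiner names are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, List

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"

@dataclass(frozen=True)
class Policy:
    principal: str            # who set the policy
    audience: FrozenSet[str]  # requester relations the policy covers
    decision: Decision
    is_owner: bool = False    # True for the information owner's own policy

def permit_takes_precedence(policies: List[Policy]) -> Decision:
    """Combiner the abstract attributes to OSNs: a single permit wins."""
    if any(p.decision is Decision.PERMIT for p in policies):
        return Decision.PERMIT
    return Decision.DENY

def owner_takes_precedence(policies: List[Policy]) -> Decision:
    """Assumed countermeasure (constructed, not from the report): the owner's
    policy is final; if the owner set none, deny wins, so a friend's setting
    can never widen exposure beyond what the owner chose."""
    for p in policies:
        if p.is_owner:
            return p.decision
    if any(p.decision is Decision.DENY for p in policies):
        return Decision.DENY
    return Decision.PERMIT

def decide(policies: List[Policy], relation: str,
           combiner: Callable[[List[Policy]], Decision]) -> Decision:
    """Keep only policies covering the requester's relation, then combine.
    With no applicable policy the default is deny."""
    applicable = [p for p in policies if relation in p.audience]
    return combiner(applicable) if applicable else Decision.DENY

# Constructed scenario: the fact "Alice and Bob are friends" appears in both
# friend lists. Alice, owner of her list, hides it from non-friends; Bob shows
# his list to everyone, so the same fact carries two conflicting policies.
FRIENDSHIP_POLICIES = [
    Policy("alice", frozenset({"stranger", "friend_of_friend"}), Decision.DENY, is_owner=True),
    Policy("bob", frozenset({"stranger", "friend_of_friend", "friend"}), Decision.PERMIT),
]

if __name__ == "__main__":
    for comb in (permit_takes_precedence, owner_takes_precedence):
        print(comb.__name__, decide(FRIENDSHIP_POLICIES, "stranger", comb).value)
```

Under Permit-Take-Precedence a stranger learns the friendship despite Alice's deny; under the owner-first combiner the same request is refused while Alice's own friends, whom her policy does not cover, still see it.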