How to Create Mass Hysteria on a College Campus Using Facebook

by alleyrat

As we college students know, Facebook has become a popular venue to voice opinions and gather a following.

Events, groups, fan pages, and causes now plague a site that was once renowned for its clean interface and lack of spam.  Everyone wants to throw the next raging party, petition for political change, or get everyone to become a fan of "peeing with the door open."  What's popular on Facebook is now the obvious choice for dorm room small talk.

I attend the University of California, San Diego.

One day, I decided to investigate the "Find People" function on UCSD's homepage.  This search function allows you to type in an undergraduate's name, and it will return their school-issued .edu email address, physical address, and occasionally their cell phone number.

Now, you'd think that this search would only match exact full names, such as "Blake Thomas," in the event that you needed to contact Blake Thomas for some reason.

However, if you search for just "Blake," it returns the information for every undergraduate student named Blake.

Now obviously I saw some potential for abuse here, so I downloaded a list of common Asian, Caucasian, and Indian names and ran a dictionary attack against the search.  There were no preventative measures in place, and I was able to harvest 14,000 emails, 13,000 physical addresses, and over 7,000 cell phone numbers for students on campus.  Every school in the University of California system has this same vulnerability, as far as I know.
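
A defensive view of the weakness described above, as an added example that is not part of the original article: a sliding-window check over web access logs that flags a client submitting many distinct name queries to a directory search.  The log line format, the /directory/search path, the name parameter, and the thresholds are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

WINDOW = timedelta(minutes=5)   # sliding window per client (assumed threshold)
MAX_DISTINCT = 20               # distinct search terms allowed per window (assumed)

def parse_line(line):
    """Split 'ISO-timestamp client-ip request-path' into typed fields."""
    ts, client, path = line.split()
    query = parse_qs(urlsplit(path).query)
    term = query.get("name", [""])[0].strip().lower()
    return datetime.fromisoformat(ts), client, term

def find_enumerators(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {client: peak distinct-term count} for clients over the limit."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, term)
    flagged = {}
    for line in lines:
        ts, client, term = parse_line(line)
        if not term:
            continue
        q = recent[client]
        q.append((ts, term))
        # Drop this client's entries that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

# Constructed sample log: one client walks a list of names two seconds apart,
# another repeats a single full-name lookup.
_start = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_LOG = [
    f"{(_start + timedelta(seconds=2 * i)).isoformat()} 198.51.100.7 /directory/search?name=name{i}"
    for i in range(40)
] + [
    "2024-01-01T12:00:10 203.0.113.20 /directory/search?name=Blake+Thomas",
    "2024-01-01T12:03:00 203.0.113.20 /directory/search?name=Blake+Thomas",
]

if __name__ == "__main__":
    for client, peak in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {peak} distinct search terms within {WINDOW}")
```

Counting distinct terms rather than raw requests keeps a user who retries the same lookup from being flagged; the same counter can drive a throttle or CAPTCHA on the search form itself.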

I then wrote a simple script that would shuffle those 14,000 emails randomly, and spit back 500.

This is Facebook's maximum for an email contact import through a CSV file.  Fake email accounts were created on Gmail and Yahoo! Mail, and fake accounts were made on Facebook.

The two most crucial aspects of a fake profile are that it must be a woman (women won't friend unknown males, but males will friend unknown women) and that it must have an inviting, innocent picture.  Generic photos were obtained that were not direct face shots, but rather had some distance to them.  It's easy to find stuff that fits the overall campus climate and apply them.  Each account was also given some fake interests, political orientations, etc. and the wall and chat features of Facebook were disabled.

Once a bunch of profiles were made, I imported a randomized CSV list of .edu emails into each.

Facebook matched profiles for roughly 300 of the emails imported, and friend requests were blasted out en masse for each profile.

Within 24 hours each account had 150-200 friends.  UCSD is a relatively prestigious school, and I am baffled by how successful this technique was and how little people know about the workings of the Internet and, in particular, spam (Internet license anyone?).  Many people would send me a private message with "Do I know you?" I just ignored all of them.

So, obviously, I was waiting for the time to use these accounts to further a political point.  I had at my fingertips that ability to make an issue on campus out of anything by mass inviting random students to some group or event.  The perfect opportunity presented itself, as some of you may know.  A few frat guys threw a racial party and one controversial campus newspaper, The Koala, dropped the nigger-bomb on student run television, making national news.

UCSD's socially dead climate went into an uproar as the racist Black Students Union put forth six pages of demands to the administration.

My bots chimed in on the matter, and they ultimately affected the opinions of a couple thousand students on campus.  Was this hard to do?  No.  Was it smart?  Yes.

The potential for abuse through the aforementioned process is ridiculous.  In certain situations, you could probably start a riot.  It would be best if Facebook fixed this gaping hole but, until then, have fun.  ;D

Disclaimer:  I'm not responsible for anything you do with this article, or any ruckus you attempt to cause or do cause.
