Why Allowing Profile Name Reuse Is A Bad Idea


Enrico Mariconti, Jeremiah Onaolapo, Syed Sharique Ahmad, Nicolas Nikiforou, Manuel Egele, Nick Nikiforakis, Gianluca Stringhini


Proceedings of the 9th European Workshop on System Security (EUROSEC), April 2016


Twitter allows its users to change their profile name at their discretion. Unfortunately, this design decision can be used by attackers to effortlessly hijack user names of popular accounts. We call this practice profile name squatting. In this paper, we investigate this name squatting phenomenon, and show how this can be used to mount impersonation attacks and attract a larger number of victims to potentially malicious content. We observe that malicious users are already performing this attack on Twitter and measure its prevalence. We provide insights into the characteristics of such malicious users, and argue that these problems could be solved if the social network never released old user names for others to use.


  title     = {{Why Allowing Profile Name Reuse Is A Bad Idea}},
  author    = {Mariconti, Enrico and Onaolapo, Jeremiah and Ahmad, Syed Sharique and Nikiforou, Nicolas and Egele, Manuel and Nikiforakis, Nick and Stringhini, Gianluca},
  booktitle = {Proceedings of the 9th European Workshop on System Security},
  series    = {EUROSEC},
  month     = {April},
  year      = {2016},
  address   = {London},
  publisher = {ACM}