updated 3/22/2012 6:31:48 PM ET 2012-03-22T22:31:48

UPDATE: This story has been updated with a response from Facebook.

Forgotten Facebook friends who don't appear in your friends list could still be snooping on you from time to time, new research shows.

In their research paper, "Your Facebook Deactivated Friend or a Cloaked Spy?," University College London computer-science student Shah Mahmood and UCL's chair of information communication technology, Yvo Desmedt, highlighted what they called a "zero-day privacy loophole." It enables a person to deactivate his own account and then later, upon reactivating the account and shedding his privacy "cloak," to quickly view his friends' profiles before disappearing into the darkness again.

The loophole takes advantage of the lengthy and complicated process of getting rid of a Facebook account. The social network persuades many would-be exiles to take only the half-step of deactivating their accounts, in effect putting the accounts into hibernation instead of deleting them altogether.

The danger comes from the fact that many users are sloppy about whom they "friend" on Facebook. A large chunk of Facebook's 850 million active users will accept friend requests from people they barely know or have never met in person. Other recent research has shown that it's easy to impersonate an existing user and "friend" all his friends, even if the spoofed user already has those people in his friends list.

Deactivating doesn't mean you're off Facebook
"As deactivation is temporary in Facebook, the attacker can reactivate her account as she pleases and repeat the process of activating and deactivating" over and over, the research team explained. "This deactivated friend — i.e., the attacker — may later reactivate the account and crawl her victims' profiles for any updated information. Once the crawling has finished, the attacker will deactivate again."

The concept behind the exploit is akin to the cloaking method used in "Star Trek," the researchers said, "where Badass Blink or Jem'Hadar has to uncloak (be visible), even if only for a moment, to open fire."

When account holders deactivate their accounts, they "become invisible." They no longer appear on others' lists of friends, nor can others "unfriend" them. And, as the paper notes, "Facebook provides no notification about the activation or deactivation of friends to its users."

By reactivating their accounts, malicious Facebook users can snoop on their friends' profiles when it's convenient, and then immediately deactivate, leaving no trace.

Who can see you?
The loophole exploited by the "deactivation attack" becomes particularly worrisome if you consider who may be taking advantage of it.

Mahmood and Desmedt argued that this type of covert Facebook snooping would be "attractive" to marketers, background-checking agencies, governments, hackers, spammers, stalkers or criminals.

Because the perpetrator may only reactivate his account for a very brief period of time, the attack is also difficult to detect.

The researchers said the deactivation attack could be mitigated if Facebook notified users of their friends' deactivations and reactivations, or if it flagged accounts that frequently de- and reactivated.

UPDATE: In an email to SecurityNewsDaily today (March 22), a Facebook spokesperson said the company "quickly worked to resolve the issue, and we were able to deploy a modification to our UI within 48 hours of receiving these reports."

© 2012 SecurityNewsDaily. All rights reserved


Discussion comments


Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments