Facebook Privacy Loophole Cloaks Deactivated Friends, Allows Unexpected Creeping

By March 21, 2012

A research student at University College London, Shah Mahmood, and UCL’s Chair of Information Communication, Yvo Desmedt, have announced details of “a zero-day privacy fault” in Facebook at the IEEE International Workshop on Security and Social Networking conference in Switzerland on Monday.

They explain that the “Deactivated Friend Attack” works like this:

Our deactivated friend attack occurs when an attacker adds their victim on Facebook and then deactivates her own account. As deactivation is temporary in Facebook, the attacker can reactivate her account as she pleases and repeat the process of activating and deactivating for unlimited number of times. While a friend is deactivated on Facebook, she becomes invisible. She could not be unfriended (removed from friend’s list) or added to any specific list.

Mahmood and Desmedt say in the abstract of the paper they presented that “it is highly probable the attacker has indefinite access to the victims private information in a cloaked way.” The pair note a complicating factor, which is that Facebook users are not notified when their friends deactivate or reactivate their own accounts, which could lead to surprise snooping.

They revealed this vulnerability and its potential impact “by showing the ease of gaining trust of Facebook users and being befriended online.”  From a bogus account set up for the purposes of the 600 day experiment, Mahmood and Desmedt used targeted friend requests during the first 285 days, during which they sent out 595 friend requests. Of those, 370 were accepted. The dummy account received 3,969 friend requests, which the pair accepted.

Ultimately, the phony account accrued about 4,300 friends and maintained access to their Facebook profile information for at least 261 days, according to their paper. “No user was able to unfriend us during this time due to cloaking and short de-cloaking sessions. The short de-cloaking sessions were enough to get updates about the victims.”

Finally, they reactivated the account and left it idle for 60 days to see how many people unfriended them – 239 people unfriended, just over five percent of the total.

The most pernicious aspect of the Deactivated Friend Attack is that it’s hard to track and hard to prevent. Despite this, Mahmood and Desmedt suggest that fixing the problem should be fairly straightforward. They suggest a number of strategies Facebook could take to ameliorate the issue, including notifying users when their friends deactivate their accounts and flagging users who frequently deactivate and reactivate their accounts.

It’s uncertain whether Facebook will take action on this problem and whether Mahmood and Desmedt’s proposed fixes make sense for the social networking giant. For now, this vulnerability is tacked onto the long list of privacy issues with which Facebook must contend.

Facebook has not yet released a statement about Mahmood and Desmedt’s findings.