Forgotten Facebook friends could still be snooping on you

Forgotten Facebook friends who don't appear in your friends list could still be snooping on you from time to time, new research shows.

In their research paper, "Your Facebook Deactivated Friend or a Cloaked Spy?," UCL-CS student Shah Mahmood and Chair of Information Communication Technology Prof Yvo Desmedt have identified what they called a "zero-day privacy loophole." This enables a person to deactivate his own account and then later, upon reactivating the account and shedding his privacy "cloak," to quickly view his friends' profiles before disappearing into the darkness again.

The loophole takes advantage of the lengthy and complicated process of getting rid of a Facebook account. The social network persuades many would-be exiles to take only the half-step of deactivating their accounts, in effect putting the accounts into hibernation instead of deleting them altogether. The concept behind the exploit is akin to the cloaking method used in "Star Trek," the researchers said, "where Badass Blink or Jem'Hadar has to uncloak (be visible), even if only for a moment, to open fire."

When account holders deactivate their accounts, they "become invisible." They no longer appear on others' lists of friends, nor can others "unfriend" them. And, as the paper notes, "Facebook provides no notification about the activation or deactivation of friends to its users." By reactivating their accounts, malicious Facebook users can snoop on their friends' profiles when it's convenient, and then immediately deactivate, leaving no trace.

The loophole exploited by the "deactivation attack" becomes particularly worrisome if you consider who may be taking advantage of it. The researchers argued that this type of covert Facebook snooping would be "attractive" to marketers, background-checking agencies, governments, hackers, spammers, stalkers or criminals.

Because the perpetrator may only reactivate his account for a very brief period of time, the attack is also difficult to detect. The researchers said the deactivation attack could be mitigated if Facebook notified users of their friends' deactivations and reactivations, or if it flagged accounts that frequently de- and reactivated. Facebook did not respond to a request for comment.

www.theregister.co.uk/2012/03/20/facebook_deactivated_friend_zero_day/