Computer scientists from University College London recently found a loophole in Facebook's privacy settings that allowed ongoing profile stalking that is hard to spot and almost impossible to stop. The researchers took advantage of two flaws in Facebook's system: a) users can deactivate and reactivate their accounts an unlimited number of times, and b) while an account is deactivated, the privacy settings governing it cannot be changed, so its friends cannot unfriend it. Facebook has since fixed the issue.
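To make the mechanism concrete, here is a toy model of the loophole as an added example. It is not Facebook's code and makes no claim about how the site is implemented; the account states, the friendship set and the "stalker"/"victim" names are all constructed for illustration. The vulnerable variant freezes a relationship while the other party is deactivated (the rule the researchers exploited); the fixed variant lets the victim unfriend a deactivated account, which is the change Facebook went on to ship.

```python
"""Toy model of the deactivate/reactivate profile-stalking loophole.

Constructed illustration, not Facebook's code. It models an account
state, a symmetric friendship set, friends-only profile visibility and
the one rule that matters: whether a relationship can be changed while
the other party is deactivated.
"""
from __future__ import annotations

from enum import Enum


class State(Enum):
    ACTIVE = "active"
    DEACTIVATED = "deactivated"


class SocialGraph:
    def __init__(self, allow_unfriend_deactivated: bool) -> None:
        # allow_unfriend_deactivated=False reproduces the vulnerable rule,
        # True the fix (friends of a deactivated account may drop it).
        self.state: dict[str, State] = {}
        self.friends: set[frozenset[str]] = set()
        self.allow_unfriend_deactivated = allow_unfriend_deactivated

    def register(self, user: str) -> None:
        self.state[user] = State.ACTIVE

    def befriend(self, a: str, b: str) -> None:
        self.friends.add(frozenset((a, b)))

    def deactivate(self, user: str) -> None:
        self.state[user] = State.DEACTIVATED

    def reactivate(self, user: str) -> None:
        self.state[user] = State.ACTIVE

    def unfriend(self, actor: str, target: str) -> bool:
        """Return True if the relationship was severed."""
        if (self.state[target] is State.DEACTIVATED
                and not self.allow_unfriend_deactivated):
            # Vulnerable rule: nothing about the relationship may change
            # while the target is deactivated, so the victim is stuck.
            return False
        self.friends.discard(frozenset((actor, target)))
        return True

    def can_view_profile(self, viewer: str, owner: str) -> bool:
        # Friends-only visibility; a deactivated viewer cannot use the site.
        return (self.state[viewer] is State.ACTIVE
                and frozenset((viewer, owner)) in self.friends)


def stalking_campaign(allow_unfriend_deactivated: bool,
                      rounds: int = 3) -> list[bool]:
    """Simulate the cycle from the paper: hide while deactivated, briefly
    reactivate to look at the victim's profile, hide again. Returns, per
    round, whether the stalker could still see the profile."""
    g = SocialGraph(allow_unfriend_deactivated)
    for user in ("victim", "stalker"):
        g.register(user)
    g.befriend("stalker", "victim")
    g.deactivate("stalker")  # stalker vanishes from the victim's friend list
    seen: list[bool] = []
    for _ in range(rounds):
        # The victim notices something and tries to unfriend the account;
        # under the vulnerable rule this silently fails.
        g.unfriend("victim", "stalker")
        g.reactivate("stalker")                    # brief reactivation window
        seen.append(g.can_view_profile("stalker", "victim"))
        g.deactivate("stalker")                    # hide again
    return seen


if __name__ == "__main__":
    print("vulnerable:", stalking_campaign(allow_unfriend_deactivated=False))
    print("fixed:     ", stalking_campaign(allow_unfriend_deactivated=True))
```

The lesson the model isolates is that the only party who could revoke access (the victim) had its action gated on the attacker's state, and the attacker controlled that state. The fix restores the invariant that a user can always sever their own relationships, whatever the other account is doing.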
"Earlier this week a team of security researchers described a theoretical flaw in our user interface; users had previously been unable to unfriend deactivated accounts," a Facebook spokesperson said in a statement. "We quickly worked to resolve this issue, and were able to deploy a modification to our UI within 48 hours of receiving these reports."
Facebook is, however, not pleased with the way it found out about this bug: the researchers published a paper on their findings rather than reporting them privately. The social networking giant would have preferred to receive the information before it became public.
"While we appreciate all work done to help keep Facebook safe, we have several legitimate concerns about this research by the University College London," a Facebook spokesperson said in a statement. "We were disappointed that this was not disclosed to us through our Responsible Disclosure Policy and was done in violation of our terms. We encourage all of the security community to make use of our White Hat program, which provides researchers with tools and bug reporting channels. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site."
It's not clear what exactly Facebook changed to fix the problem. Here are the two suggestions I made in my previous article: "The company can either keep track of accounts belonging to users who deactivate and reactivate on a regular basis, or the social networking giant can simply allow you to change the privacy settings for friends who have deactivated their accounts."
I have asked Facebook for details and will update you if I hear back.
Update at 2:30 PM PST: Facebook users can now unfriend deactivated users, meaning deactivated accounts can't abuse the friendship connection.
- Mark Zuckerberg: Facebook users eventually get over privacy anxiety
- Facebook CTO: most people have modified their privacy settings
- Facebook moves privacy controls inline, simplifies sharing
- Facebook settles with FTC over default privacy settings
- Facebook promises changes following Irish privacy audit
- EPIC vs Facebook: Privacy through obscurity
- 70% of Facebook users are comfortable with what they share