Facebook fixes profile stalking loophole

Summary:Facebook says it has already fixed a new privacy loophole that allowed you to stalk someone's profile. The social networking giant said it responded to the issue within 48 hours.

Computer scientists from the University College London recently found a loophole in Facebook's privacy settings that allowed for ongoing profile stalking that is hard to spot and almost impossible to stop. The researchers took advantage of two flaws in Facebook's system: a) users can deactivate/reactivate their accounts in an unlimited way, and b) while an account is deactivated, the privacy settings associated with that account cannot be changed. Facebook has since fixed the issue.

"Earlier this week a team of security researchers described a theoretical flaw in our user interface; users have been previously unable to unfriend deactivated accounts," a Facebook spokesperson said in a statement. "We quickly worked to resolve this issue, and were able to deploy a modification to our UI within 48 hours of receiving these reports."

Facebook is, however, not pleased with the way it found out about this bug (the researchers published a paper regarding their findings). The social networking giant would have preferred to receive this information privately, not learn about it once it is already public.

"While we appreciate all work done to help keep Facebook safe, we have several legitimate concerns about this research by the University College London," a Facebook spokesperson said in a statement. "We were disappointed that this was not disclosed to us through our Responsible Disclosure Policy and was done in violation of our terms. We encourage all of the security community to make use of our White Hat program, which providers researchers tools and bug reporting channels. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site."

It's not clear what exactly Facebook changed to fix the problem. Here are the two suggestions I made in my previous article: " The company can either keep track of accounts belonging to users who deactivate and reactivate on a regular basis, or the social networking giant can simply allow you to change the privacy settings for your friends with deactivated their accounts."

I have asked Facebook for details and will update you if I hear back.

Update at 2:30 PM PST: Facebook users can now unfriend deactivated users, meaning deactivated accounts can't abuse the friendship connection.

See also:

Topics: Social Enterprise

About

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.