Facebook fixes profile stalking loophole

Summary: Facebook says it has already fixed a new privacy loophole that allowed you to stalk someone's profile. The social networking giant said it responded to the issue within 48 hours.


Computer scientists from the University College London recently found a loophole in Facebook's privacy settings that allowed for ongoing profile stalking that is hard to spot and almost impossible to stop. The researchers took advantage of two flaws in Facebook's system: a) users can deactivate/reactivate their accounts in an unlimited way, and b) while an account is deactivated, the privacy settings associated with that account cannot be changed. Facebook has since fixed the issue.

"Earlier this week a team of security researchers described a theoretical flaw in our user interface; users have been previously unable to unfriend deactivated accounts," a Facebook spokesperson said in a statement. "We quickly worked to resolve this issue, and were able to deploy a modification to our UI within 48 hours of receiving these reports."

Facebook is, however, not pleased with the way it found out about this bug (the researchers published a paper regarding their findings). The social networking giant would have preferred to receive this information privately, not learn about it once it is already public.

"While we appreciate all work done to help keep Facebook safe, we have several legitimate concerns about this research by the University College London," a Facebook spokesperson said in a statement. "We were disappointed that this was not disclosed to us through our Responsible Disclosure Policy and was done in violation of our terms. We encourage all of the security community to make use of our White Hat program, which provides researchers tools and bug reporting channels. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site."

It's not clear what exactly Facebook changed to fix the problem. Here are the two suggestions I made in my previous article: "The company can either keep track of accounts belonging to users who deactivate and reactivate on a regular basis, or the social networking giant can simply allow you to change the privacy settings for your friends who have deactivated their accounts."

I have asked Facebook for details and will update you if I hear back.

Update at 2:30 PM PST: Facebook users can now unfriend deactivated users, meaning deactivated accounts can't abuse the friendship connection.
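The loophole described above is an authorization flaw in which a privacy control (unfriending) was gated on a state the other party controls (account activation). The following toy model is an added illustration, not Facebook's code and not the researchers' code: it encodes the two rules from the article (unlimited deactivate/reactivate, and no unfriending while the target is deactivated), shows why the stalker keeps profile access, and then shows both remedies named in this article: allowing unfriending of deactivated accounts, and tracking accounts that cycle their activation state. All class, method and user names are assumptions made for the example.

```python
"""Toy model of the deactivate/reactivate unfriending loophole and its fixes.

Constructed example; not Facebook's implementation. Names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Account:
    name: str
    active: bool = True
    friends: Set[str] = field(default_factory=set)
    deactivation_cycles: int = 0  # how many times the account has been deactivated


class SocialGraph:
    def __init__(self, allow_unfriend_deactivated: bool):
        # False models the pre-fix behaviour (unfriending a deactivated
        # account was refused); True models the fix described in the update.
        self.allow_unfriend_deactivated = allow_unfriend_deactivated
        self.accounts: Dict[str, Account] = {}

    def add(self, name: str) -> None:
        self.accounts[name] = Account(name)

    def befriend(self, a: str, b: str) -> None:
        # Friendship is symmetric in this model.
        self.accounts[a].friends.add(b)
        self.accounts[b].friends.add(a)

    def deactivate(self, name: str) -> None:
        acct = self.accounts[name]
        acct.active = False
        acct.deactivation_cycles += 1  # unlimited, per the article's first flaw

    def reactivate(self, name: str) -> None:
        self.accounts[name].active = True

    def unfriend(self, actor: str, target: str) -> bool:
        """Return True if the friendship was removed, False if refused."""
        if not self.accounts[target].active and not self.allow_unfriend_deactivated:
            # The loophole: the relationship is frozen while the target is
            # deactivated, so the victim cannot revoke access.
            return False
        self.accounts[actor].friends.discard(target)
        self.accounts[target].friends.discard(actor)
        return True

    def can_view_profile(self, viewer: str, owner: str) -> bool:
        # Friends-only visibility: viewer must be active and still a friend.
        return self.accounts[viewer].active and viewer in self.accounts[owner].friends

    def frequent_cyclers(self, threshold: int) -> Set[str]:
        """Second remedy from the article: flag accounts that deactivate repeatedly."""
        return {n for n, a in self.accounts.items() if a.deactivation_cycles >= threshold}


def simulate(allow_unfriend_deactivated: bool, cycles: int = 3) -> dict:
    """Run the stalker's cycle against a victim and report what the victim could do."""
    g = SocialGraph(allow_unfriend_deactivated)
    g.add("victim")
    g.add("stalker")
    g.befriend("victim", "stalker")

    unfriend_ok = None
    visible_after = None
    for _ in range(cycles):
        g.deactivate("stalker")  # hide while deactivated
        unfriend_ok = g.unfriend("victim", "stalker")  # victim tries to cut ties
        g.reactivate("stalker")  # briefly resurface to look at the profile
        visible_after = g.can_view_profile("stalker", "victim")

    return {
        "unfriend_succeeded": unfriend_ok,
        "profile_visible_after_reactivation": visible_after,
        "flagged_cyclers": g.frequent_cyclers(threshold=cycles),
    }


if __name__ == "__main__":
    print("before fix:", simulate(allow_unfriend_deactivated=False))
    print("after fix: ", simulate(allow_unfriend_deactivated=True))
```

With the pre-fix policy the victim's unfriend attempt is refused and the stalker regains profile access on every reactivation; with the fix the first unfriend succeeds and later reactivations see nothing. The cycle counter shows why the rate-tracking suggestion is weaker on its own: it only flags the account after repeated cycles, whereas allowing the unfriend removes the access path immediately.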


Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

  • In the future, having had a Facebook account...

    ...will be something like the regret one feels for having attended that drunk party years ago where clothing was optional, and the videos ended up on the internet.

    The best Facebook privacy option is not to have an account. Pretty simple really.
    Hatestone Johnson
  • Hey MccormickG Go push your spam somewhere else.

    If it was that good you would be making 20 grand a month yourself instead of pushing that garbage on us. P*ss off you jerk.
    Rick Sos