Computer scientists Shah Mahmood and Yvo Desmedt at University College London recently found a loophole in Facebook's privacy settings that allows ongoing profile stalking which is hard to spot and almost impossible to stop. The researchers took advantage of two flaws in Facebook's system: a) users can deactivate and reactivate their accounts an unlimited number of times, and b) while an account is deactivated, the privacy settings associated with that account cannot be changed.
This means that if you accept a Facebook friend request from someone so that he or she can see your content, and he or she then deactivates his or her account, you cannot restrict what that friend's account can see until it is reactivated. The only things you can do are apply a global change to all your friends, or be online at the same moment your new friend reactivates his or her account so you can change the privacy settings for him or her before the account is deactivated again.
As such, Mahmood and Desmedt sent out friend requests to various Facebook users and when accepted, they would deactivate their accounts. They then reactivated for short periods of time, checked their friends' content, and immediately deactivated their accounts again.
More information about this attack can be found in the paper titled "Your Facebook Deactivated Friend or a Cloaked Spy" at Cornell University Library. Here's the abstract:
With over 750 million active users, Facebook is the most famous social networking website. One particular aspect of Facebook widely discussed in the news and heavily researched in academic circles is the privacy of its users. In this paper we introduce a zero-day privacy loophole in Facebook. We call this the deactivated friend attack. The concept of the attack is very similar to cloaking in Star Trek, while its seriousness could be estimated from the fact that once the attacker is a friend of the victim, it is highly probable the attacker has indefinite access to the victim's private information in a cloaked way. We demonstrate the impact of the attack by showing the ease of gaining trust of Facebook users and being befriended online. With targeted friend requests we were able to add over 4300 users and maintain access to their Facebook profile information for at least 261 days. No user was able to unfriend us during this time due to cloaking and short de-cloaking sessions. The short de-cloaking sessions were enough to get updates about the victims. We also provide several solutions for the loophole, which range from mitigation to a permanent solution.
Facebook can fix this issue in two ways. The company can either keep track of accounts belonging to users who deactivate and reactivate on a regular basis, or the social networking giant can simply allow you to change the privacy settings for friends who have deactivated their accounts.
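To make the loophole and the two proposed fixes concrete, here is a small constructed model (an added example, not Facebook's code or the researchers'): the flawed policy refuses to edit a per-friend setting while that friend is deactivated, the fixed policy allows it at any time, and a churn check flags accounts that reactivate repeatedly. The `window` and `limit` thresholds and the account names are assumptions.

```python
# Constructed model of the deactivated-friend loophole (an added example, not
# Facebook's code): per-friend audience flags, locked while the friend is deactivated.

class Account:
    def __init__(self, name):
        self.name, self.active = name, True
        self.reactivations = []  # clock ticks at which the account was reactivated

class FlawedPrivacy:
    """The loophole: settings for a deactivated friend cannot be changed."""
    def __init__(self):
        self.allowed = {}  # friend name -> may this friend see the owner's content?
    def add_friend(self, friend):
        self.allowed[friend.name] = True
    def restrict(self, friend):
        if not friend.active:
            raise PermissionError(f"{friend.name} is deactivated; settings locked")
        self.allowed[friend.name] = False
    def can_view(self, friend):
        return friend.active and self.allowed.get(friend.name, False)

class FixedPrivacy(FlawedPrivacy):
    """Second fix from the text: the owner may restrict a friend at any time."""
    def restrict(self, friend):
        self.allowed[friend.name] = False  # no check on the friend's active state

def churn_flagged(friend, now, window=30, limit=3):
    """First fix from the text: flag accounts that reactivate repeatedly.
    window/limit are assumed thresholds, not values from the paper."""
    recent = [t for t in friend.reactivations if now - t <= window]
    return len(recent) >= limit

def simulate(policy_cls, cycles=3):
    """Returns (owner could restrict the spy, spy still saw content, churn flagged)."""
    owner, spy, now = policy_cls(), Account("spy"), 0
    owner.add_friend(spy)
    spy.active = False  # spy cloaks right after being accepted
    try:
        owner.restrict(spy)  # owner tries to lock the cloaked friend out
        blocked = True
    except PermissionError:
        blocked = False
    spied = False
    for _ in range(cycles):
        now += 5
        spy.active = True  # short de-cloaking session
        spy.reactivations.append(now)
        spied = spied or owner.can_view(spy)
        spy.active = False
    return blocked, spied, churn_flagged(spy, now)
```

Running `simulate(FlawedPrivacy)` shows the owner locked out of the setting and the spy still reading content on each de-cloak, while `simulate(FixedPrivacy)` shows the restriction taking effect before the first de-cloak; the churn flag fires in both runs because it is an account-level signal independent of the owner's settings.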
I have contacted Facebook about the loophole and will update you if I hear back.