A pair of researchers from University College London, Shah Mahmood (a student) and Yvo Desmedt (Chair of Information Communication Technology), have discovered and revealed a “zero-day privacy loophole” in Facebook. The duo has named the loophole the “Deactivated Friend Attack” and revealed details about it yesterday at the IEEE International Workshop on Security and Social Networking (SESOC 2012), held in Lugano, Switzerland.
According to the pair, “Our deactivated friend attack occurs when an attacker adds their victim on Facebook and then deactivates her own account. As deactivation is temporary in Facebook, the attacker can reactivate her account as she pleases and repeat the process of activating and deactivating for an unlimited number of times. While a friend is deactivated on Facebook, she becomes invisible. She could not be unfriended (removed from friend’s list) or added to any specific list.”
This particular attack is simple and easy to execute; the main challenge the attacker faces is tricking the user into accepting the attacker as a “friend”. Once the attacker has achieved that, he can deactivate his own account, which makes it impossible for the user to remove him from the friend list.
Because the attacker can activate and deactivate his own account at will, he can also access the information the victim shares with friends. According to the researchers, the attacker effectively has a back entry into the victim’s account and can access it whenever he wants.
“No user was able to unfriend us during this time due to cloaking and short de-cloaking sessions,” the researchers said during the workshop. The “deactivated friend attack” works because Facebook does not allow users to keep count of how many times a friend’s account has been deactivated and reactivated, and it sends no notification to a user’s friends when the account is deactivated.
To demonstrate how this works, Mahmood and Desmedt made 4,300 Facebook friends and maintained access to their profiles for a period of 261 days. Because their test account was deactivated most of the time, none of the 4,300 individuals was able to unfriend it. The short de-cloaking sessions were enough to collect updates about the victims.
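To make the mechanism concrete, here is an added toy model (not the researchers’ code and not Facebook’s): a friend list in which a deactivated account vanishes and cannot be removed, beside a hardened variant that keeps deactivated friends removable and notifies their friends with a running deactivation count. All account names are constructed.

```python
class FriendGraph:
    """Toy friend-list model constructed for this example; not Facebook's code."""
    def __init__(self, hardened):
        self.hardened = hardened        # True applies the two mitigations below
        self.active, self.deactivations = {}, {}   # per-account state
        self.friends, self.notices = {}, {}        # name -> set / list

    def add(self, name):
        self.active[name], self.deactivations[name] = True, 0
        self.friends[name], self.notices[name] = set(), []

    def befriend(self, a, b):
        self.friends[a].add(b)
        self.friends[b].add(a)

    def set_active(self, name, active):
        if self.active[name] and not active:
            self.deactivations[name] += 1
            if self.hardened:   # mitigation 1: notify friends, with a running count
                for f in self.friends[name]:
                    self.notices[f].append(f"{name} deactivated #{self.deactivations[name]}")
        self.active[name] = active

    def visible_friends(self, name):
        # Vulnerable: a deactivated friend vanishes. Mitigation 2: keep it listed.
        return {f for f in self.friends[name] if self.hardened or self.active[f]}

    def unfriend(self, name, other):
        if other not in self.visible_friends(name):
            return False        # cannot act on a friend you cannot see
        self.friends[name].discard(other)
        self.friends[other].discard(name)
        return True

    def can_read(self, viewer, target):
        # friends-only posts are readable by any active account still on the list
        return self.active[viewer] and viewer in self.friends[target]

def run_attack(hardened):
    """Replay the cloak / short de-cloak cycle from the article and report outcomes."""
    g = FriendGraph(hardened)
    for n in ("attacker", "victim"):
        g.add(n)
    g.befriend("attacker", "victim")                 # victim accepted the request
    g.set_active("attacker", False)                  # cloak
    removed = g.unfriend("victim", "attacker")       # victim tries to clean up
    g.set_active("attacker", True)                   # brief de-cloak to collect updates
    seen = g.can_read("attacker", "victim")
    g.set_active("attacker", False)                  # cloak again
    return {"unfriended": removed, "read_after_decloak": seen,
            "deactivations": g.deactivations["attacker"], "notices_to_victim": len(g.notices["victim"])}
```

In the vulnerable model the victim’s unfriend attempt fails and the attacker still reads updates after de-cloaking; in the hardened model the removal succeeds, the later read fails, and the victim received a deactivation notice with its count.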
There has been no resolution on this yet, but we expect that Facebook will look into the matter and come up with a feasible solution. In the meantime, do not add unknown people to your friend list, and approve only trusted Facebook apps that request permission to access your publicly available information.