Facebook 'cloaking' flaw allows unexpected snooping

University College London research student Shah Mahmood and Chair of Information Communication Technology Yvo Desmedt have told a conference of what they call a “zero day privacy loophole” in Facebook. Details of the loophole, which the pair name the “Deactivated Friend Attack”, were presented at the IEEE International Workshop on …

COMMENTS

This topic is closed for new posts.
  1. Spud2go

    Cloaking?!

    for some reason, I keep thinking of that song "Star Trekking"

    "We come in peace, shoot to kill..."

    On a more serious (& cynical) note, I have my reservations as to this being a programming/execution error, given Faceplant's track record with privacy.

  2. Kanhef

    Another solution

    When an account is deactivated, remove it from other people's 'friend' lists, and remove everyone from their own 'friend' list. That eliminates this technique entirely, far more effective than some warning that most people will ignore. Even if users are aware of what's happening, it doesn't matter much if they still can't 'unfriend' the account in question.

    Of course, this requires Facebook to delete information, so it will never happen.

  3. Tzael

    Barely a flaw, maybe a tiny crack?

    Flaw? This is a bona fide feature of StalkerVille!

    Seriously though, this is hardly some major exploit, hack, or even a flaw. If people add complete strangers to their friends list then that's their own choice, and those strangers have access to everything that any other friend has access to. Unless you're fussy about privacy settings on Facebook, in which case you'd be very unlikely to add a stranger in the first place!

    1. Anonymous Coward

      StalkerVille

      This is the first time I have seen Farcebook being referred to as Stalkerville, superbly apt!

      1. LaeMing

        Re: StalkerVille

        Facebook started offering as a friend a largely empty account. It had no friends in common (or friends at all) or a photo, but did have my ex's name. I assume it decided this account was spending so much time looking at my page that it must be a 'friend'. Hope he enjoyed my rather bland wasteland of a FB page.

  4. Pen-y-gors

    Works as intended

    Face it, the whole of Stalkerbook is a 'zero day privacy loophole'.

  5. Jason Togneri

    The fix, say I...

    I can't believe nobody's thought of this, but... why not just *not* have all your sensitive and private information on Facebook in the first place?

    Additionally, don't add random strangers to your friends list. This doesn't bypass the issue of malicious friends, but in that case, you'd best start re-evaluating your life. With friends like that, etc.

    1. Richard 81


      Alert, Jason Togneri. You have been deemed a danger to the integrity of the hive mind. Remain where you are and await an enforcement node that will escort you to the nearest rehabilitation centre for evaluation and treatment. If treatment is unsuccessful you will be permanently disconnected from the hive and terminated.

      Thank you.

  6. Anonymous Coward

    Seems to me an easy fix...

    ...the users don't need to be notified or anything, all that needs to happen is that FB still show deactivated users in the friends list, so that people can remove their access if they want to. The deactivation feature is more likely to be used by people who want to go on hiatus or genuinely leave FB than for this (marginally useful) purpose.

    Don't see why it's a big thing - as a couple of people have already mentioned, it's not like you haven't already explicitly given access to this "person" to your information.

    1. Anonymous Coward

      Re: Seems to me an easy fix...

      Completely agree, that definitely sounds like the easiest option to me, and of course it also gives those of us who have various restricted access groups setup the option to either move someone into a more restrictive group in case they do reappear, or simply remove them entirely.

      Hardly seems like a major issue to me though, oh no, someone reactivating their account has the same restricted view to my account that they did before, boo hoo. Oh wait, perhaps that's because I don't friend everyone in sight, I don't accept requests from people I don't actually know, and only a select few people who I know really well get unfettered access to my account, the rest get a more restricted view. Nah that can't be it, we're all doomed, the world is about to end, etc etc etc...
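The loophole the thread is arguing about, and the two fixes proposed in it (Kanhef's "drop the edges on deactivation" and the "keep deactivated accounts visible so they can be unfriended" suggestion just above), can be modelled in a few lines. The following is an added illustration, not Facebook's code, the researchers' model, or any commenter's words; the user names, the `SocialGraph` class and the three policy labels are made up for the example.

```python
"""Toy model of the 'Deactivated Friend Attack' discussed in the thread.

Each user holds a set of friend edges. Under the "hide" policy (the loophole)
a deactivated account disappears from everyone's friend list, so the edge can
no longer be unfriended, yet the edge survives and grants access again the
moment the account is reactivated. "show" keeps deactivated accounts visible
so trust can be revoked; "drop" removes the edges at deactivation and records
reconnect requests instead. All names and policies are constructed for this
example.
"""
from dataclasses import dataclass, field


@dataclass
class SocialGraph:
    policy: str = "hide"  # "hide" (loophole), "show", or "drop"
    friends: dict = field(default_factory=dict)      # user -> set of friends
    deactivated: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)      # user -> reconnect requests

    def add_user(self, name):
        self.friends.setdefault(name, set())

    def befriend(self, a, b):
        # Friendship is a mutual edge granting profile access in both directions.
        self.friends[a].add(b)
        self.friends[b].add(a)

    def visible_friends(self, user):
        # The only friends a user can act on are the ones shown in the list.
        if self.policy == "show":
            return set(self.friends[user])
        return {f for f in self.friends[user] if f not in self.deactivated}

    def unfriend(self, a, b):
        # Revocation is only possible through the visible friend list.
        if b not in self.visible_friends(a):
            raise LookupError(f"{b} is not in {a}'s friend list")
        self.friends[a].discard(b)
        self.friends[b].discard(a)

    def deactivate(self, user):
        self.deactivated.add(user)
        if self.policy == "drop":
            # Kanhef's proposal: sever every edge and keep only a reconnect hint.
            for f in self.friends[user]:
                self.friends[f].discard(user)
                self.pending.setdefault(user, set()).add(f)
            self.friends[user] = set()

    def reactivate(self, user):
        self.deactivated.discard(user)

    def can_view(self, viewer, owner):
        # Access follows the stored edge, not what the owner currently sees.
        return viewer not in self.deactivated and viewer in self.friends[owner]


def run_attack(policy):
    """Mallory befriends Alice, deactivates, waits, then reactivates.

    Returns whether Alice could revoke the friendship while Mallory was
    deactivated, and whether Mallory regains access afterwards.
    """
    g = SocialGraph(policy)
    for u in ("alice", "mallory"):
        g.add_user(u)
    g.befriend("alice", "mallory")
    g.deactivate("mallory")
    try:
        g.unfriend("alice", "mallory")
        revoked = True
    except LookupError:
        revoked = False
    g.reactivate("mallory")
    return {"could_unfriend": revoked,
            "mallory_sees_alice": g.can_view("mallory", "alice")}


if __name__ == "__main__":
    for policy in ("hide", "show", "drop"):
        print(policy, run_attack(policy))
```

Under "hide" Alice cannot revoke and Mallory regains access, which is the loophole; under "show" Alice can unfriend, but only if she notices; under "drop" the edge is gone without Alice doing anything, which is why the thread's commenters prefer it despite it requiring Facebook to discard data.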

  7. g e

    Ummmm

    Maybe only add _friends_ to your friends list then.

    If you add ForeignSlut57 Won Hung Dong and Debbie 'T-V Ejaculatrix' Jones you really deserve everything you get. Facebook, shite as it is, is at least Darwinian in that respect...

    1. Robert Carnegie

      What about impersonation?

      Someone pretends to be somebody who is a friend of yours, but they're actually someone else. An enemy.

      Maybe you don't think that normal people have enemies? But cases have been mentioned already, e.g. ex-wife.

      And because you thought it was a friend, you've friended them.

      Whatever that means to you young people. It sounds dirty.

  8. Eddie Edwards

    Unfriend finder

    Unfriend finder tells you when people deactivate and reactivate their accounts. I'm not sure why those features haven't been rolled into the main site, to be honest.

  9. David Gosnell

    What's new?

    This is self-evident, and I "researched" it several years ago... Can I have some grant money please?

  10. Robert Carnegie

    Did they raise it with Facebook before telling the rest of the world about it? (Obvious or not)

    If it's not obvious then they could patent it...

  11. Anonymous Coward

    Well d'uh

    I think a lot of us realised this about 2 years ago! I have an old friend that was doing it to me and spying on me for my ex-gf :s Fortunately I knew her email address so added her to my block list that way

  12. Wize

    It needs either a minimum period between switches between active and inactive (say a week) to prevent the stealthiness, or just clear the friend list with a reconnect option to re-send friend requests on activation.

  13. BoxedSet

    Another security flaw to add to the pile of previous ones found in Farcebook.... step ladder anyone, I can't reach the top!

  14. SpaMster

    Where is the flaw in this exactly?

    Not really a security flaw is it. It's like somebody putting your number in their phone, and then expecting your number to be automatically deleted off their phone when your phone gets deactivated. It just doesn't happen

  15. Old Handle

    Yes it's a security problem

    I think some people are missing why this could be a legitimate problem even if you're not dumb enough to just friend random people. Actually, if you are that dumb it probably won't bother you at all.

    Let's look at this in comparison to some more traditional security systems. Telling someone a password, issuing a digital certificate and friending. What do they all have in common? They indicate trust. They do not however indicate eternal trust. Passwords can be changed, certificates can be revoked, and friends can be unfriended... or that's how it was supposed to work.

    See why it's a problem now?

  16. dssf

    want want want

    Employer has your:

    Name
    Address
    Mailing address
    Home and mobile numbers
    SSN or National ID Number
    Drivers license or ID number
    Passport number
    Vehicle plates
    Family names
    Medical history
    Insurance risk info
    References
    Credit reports
    ......

    And now, not just a mere list of your social profiles and a privileged guest account, but also your password.
