Sunday, March 25, 2012

Invisible Facebook Friends Can See You, But You Can't See Them


Here's how Facebook is supposed to work: When you don't want to be someone's friend anymore, you unfriend them. Or, if you just want to keep certain things private, you can adjust their access settings. The ability to back out of a friendship is as vital online as it is off, which is why this is worrying: British security researchers Shah Mahmood and Yvo Desmedt have found a simple way to create un-unfriendable zombie accounts (via the Arxiv blog). Here's how it works:

1. Make a new account

Using an existing account works too, but the trick requires near-constant deactivation.

2. Add a bunch of friends

By day 285 of their experiment, the researchers had added 4339 friends to a fake account. These people didn't necessarily know that the account was fake, and may have mistaken its name for someone they knew. In any case, they voluntarily shared information with the owners of this account.

3. Deactivate the account

This will switch off, but not delete, your zombie account. Deactivated accounts no longer appear on other users' friend lists, and therefore can't be unfriended. Whatever the privacy settings were when they accepted your friend request are now permanently stuck.

4. Reactivate the account on demand

All you need to do to reactivate an account is log back in. All your old friends will be restored. Your friends will receive no notification of this, though, which makes it easy to log in quickly, access their profiles, then quickly deactivate again. As far as your friends are concerned, you're still gone and can't see their profiles. In reality, you're still friends and can see everything. There is no limit to the number of times a Facebook account can be reactivated.
This is more of a privacy quirk than a full-on exploit, but it's easy to imagine how people could abuse it: a jealous or abusive ex could "close" his account but still keep tabs on his partner; someone could mass-friend then deactivate in an effort to gather information about a group of people; a fired employee could invisibly stick around his company's Facebook network.
In order to kill a zombie Facebook friend you have to be online at the same time, notice it's active, and destroy its brain (unfriend it). The researchers calculated the probability of someone seeing one of these zombie accounts on his active friends list at about 3/130, so good luck with that.
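Because a reactivated friend reappears on your list without any notification, the practical defence is to keep your own periodic snapshots of the friend list and diff them: a friend who vanished and later came back without you accepting a fresh friend request is a candidate zombie to review and unfriend. The code below is an added example, not from the article or the researchers; the snapshot data is constructed, and it assumes you export your friend list yourself (how that export is produced is outside this example).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    day: int
    friends: frozenset  # friend IDs visible on your friends list that day


@dataclass(frozen=True)
class ZombieReport:
    friend_id: str
    vanished_on: int   # first snapshot day the friend was missing
    returned_on: int   # snapshot day the friend reappeared unannounced


def find_reactivated_friends(snapshots, new_requests_accepted):
    """Flag friends that dropped off the list and later reappeared without
    a new friend request from them being accepted in between.

    new_requests_accepted maps a snapshot day to the set of friend IDs whose
    fresh requests you accepted that day; those are legitimate returns."""
    ordered = sorted(snapshots, key=lambda s: s.day)
    missing_since = {}  # friend_id -> day it first went missing
    reports = []
    for prev, cur in zip(ordered, ordered[1:]):
        # Friends present yesterday but gone today (deactivated or unfriended).
        for fid in prev.friends - cur.friends:
            missing_since.setdefault(fid, cur.day)
        # Friends back today: legitimate only if a new request was accepted.
        for fid in cur.friends - prev.friends:
            if fid in missing_since:
                if fid not in new_requests_accepted.get(cur.day, set()):
                    reports.append(ZombieReport(fid, missing_since[fid], cur.day))
                del missing_since[fid]
    return sorted(reports, key=lambda r: (r.returned_on, r.friend_id))


# Constructed sample snapshots (not real accounts).
SNAPSHOTS = [
    Snapshot(1, frozenset({"alice", "bob", "carol", "dave"})),
    Snapshot(2, frozenset({"alice", "bob", "carol"})),          # dave disappears
    Snapshot(3, frozenset({"alice", "carol"})),                 # bob disappears
    Snapshot(4, frozenset({"alice", "bob", "carol", "dave"})),  # both are back
]
NEW_REQUESTS = {4: {"bob"}}  # you accepted bob's new request on day 4

if __name__ == "__main__":
    for r in find_reactivated_friends(SNAPSHOTS, NEW_REQUESTS):
        print(f"review {r.friend_id}: gone day {r.vanished_on}, back day {r.returned_on}")
```

Only dave is flagged here: bob also returned, but his reappearance is explained by the request you accepted.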