Be careful who your (FB) friends are

Two UCL computer scientists discover Facebook profile stalking loophole.


Two of Gower Street’s finest computer scientists, Shah Mahmood and Yvo Desmedt, this week ruffled the feathers of internet giant Facebook and forced an important and necessary change.

Mahmood, a student at UCL, and Desmedt, the chair of Information Communication Technology, discovered that by activating and then deactivating a Facebook account it was possible to see friends’ information without the friend being able to either defriend them or change their privacy settings.

In a research paper published at the beginning of the week, the pair labelled this loophole the “zero day privacy loophole” and compared it to the cloaking device used in ‘Star Trek’. Although neither a Star Trek fan nor a tech wizard, The Buzz understands that when a Facebook user deactivates their account they become “invisible” to others, making it impossible for users to change their privacy settings in response to the deactivated account.

Not content with only 750 million users, Mark Zuckerberg wants to encourage every user to not cancel their accounts for good; when an account is deactivated it is not, then, deleted and can be re-activated at any time. During this period of deactivation, the user can still receive updates from their friends and as Facebook does not alert users when their friends’ accounts are being activated and deactivated, they would be none the wiser if this was occurring and be unable to change their privacy settings.

This sort of loophole plays into the hands of stalkers: as soon as a potential victim accepts a friend request, the stalker has almost unrestricted access to that person’s private information, and even if detected they can deactivate and remain ‘cloaked’. The two UCL researchers demonstrated this with a test account, adding 4300 friends and maintaining information from their profiles for at least 261 days through the ‘cloaking’ loophole.


Subsequently, the big wigs in Silicon Valley were put on red alert when the findings eventually reached them yesterday, and they made clear their displeasure at receiving the information publicly rather than privately: “While we appreciate all work done to help keep Facebook safe, we have several legitimate concerns about this research by the University College London,” a Facebook spokesperson said in a statement.

“We were disappointed that this was not disclosed to us through our Responsible Disclosure Policy and was done in violation of our terms. We encourage all of the security community to make use of our White Hat program, which provides researchers tools and bug reporting channels.”
“In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behaviour they observe on the site.”

Therefore, as of 2pm yesterday, Facebook confirmed that you would be able to unfriend deactivated users, thus highlighting the impact our boys have had not just on public safety awareness but on the policy of one of the world’s biggest companies.
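The mechanism behind the loophole, and the change Facebook made, can be modelled as an access-control policy in a few lines. The following is an added toy simulation written for this page; it is not Facebook’s code and not the researchers’ code, and the account names, the `SocialGraph` class and the `allow_unfriend_deactivated` flag are assumptions made to illustrate the point. It shows why hiding a deactivated account from friend lists, while keeping its friend links, left the victim unable to revoke access, and how allowing deactivated users to be unfriended closes the gap.

```python
# Toy model of the "cloaking" loophole described in the article: a deactivated
# account disappears from friend lists, so its friends cannot unfriend it, yet
# it keeps its friend links and regains access to their private information on
# reactivation. Constructed example; the account names and the policy flag are
# assumptions, not Facebook's real data model.
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    active: bool = True
    friends: set[str] = field(default_factory=set)


class SocialGraph:
    """Minimal friend graph with an explicit unfriend policy."""

    def __init__(self, allow_unfriend_deactivated: bool) -> None:
        # False models the behaviour before the change; True models the fix.
        self.allow_unfriend_deactivated = allow_unfriend_deactivated
        self.accounts: dict[str, Account] = {}

    def add(self, name: str) -> None:
        self.accounts[name] = Account(name)

    def befriend(self, a: str, b: str) -> None:
        self.accounts[a].friends.add(b)
        self.accounts[b].friends.add(a)

    def deactivate(self, name: str) -> None:
        # Deactivation keeps the account and its links; only visibility changes.
        self.accounts[name].active = False

    def reactivate(self, name: str) -> None:
        self.accounts[name].active = True

    def visible_friends(self, viewer: str) -> set[str]:
        # Deactivated accounts are "cloaked": they vanish from the friend list.
        return {f for f in self.accounts[viewer].friends if self.accounts[f].active}

    def removable_friends(self, viewer: str) -> set[str]:
        # Who the viewer is allowed to unfriend under the current policy.
        if self.allow_unfriend_deactivated:
            return set(self.accounts[viewer].friends)
        return self.visible_friends(viewer)

    def unfriend(self, actor: str, target: str) -> bool:
        if target not in self.removable_friends(actor):
            return False  # cloaked target: nothing to act on
        self.accounts[actor].friends.discard(target)
        self.accounts[target].friends.discard(actor)
        return True

    def can_read_private(self, viewer: str, owner: str) -> bool:
        # Friends-only content is readable by active friends of the owner.
        return self.accounts[viewer].active and viewer in self.accounts[owner].friends


def stalker_retains_access(allow_unfriend_deactivated: bool) -> bool:
    """Replay the scenario: befriend, the other account deactivates, the
    victim tries to unfriend, the account reactivates. Returns True if it
    still reads the victim's friends-only content at the end."""
    g = SocialGraph(allow_unfriend_deactivated)
    g.add("victim")
    g.add("stalker")
    g.befriend("victim", "stalker")
    assert g.can_read_private("stalker", "victim")
    g.deactivate("stalker")                       # cloak
    assert "stalker" not in g.visible_friends("victim")
    removed = g.unfriend("victim", "stalker")     # victim's defensive move
    g.reactivate("stalker")                       # uncloak
    return (not removed) and g.can_read_private("stalker", "victim")


if __name__ == "__main__":
    print("before fix, access retained:", stalker_retains_access(False))  # True
    print("after fix, access retained: ", stalker_retains_access(True))   # False
```

The only line that changes between the two policies is `removable_friends`: before the change it is tied to what the victim can see, so a hidden account cannot be revoked; after it, revocation covers every link that grants access, visible or not. That is the general design lesson here: the set of principals a user can see must never be narrower than the set of principals who hold access to their data.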