University College London research student Shah Mahmood and Chair of Information Communication Technology Yvo Desmedt have told a conference of what they call a “zero day privacy loophole” in Facebook. Details of the loophole, which the pair name the “Deactivated Friend Attack”, were presented at the IEEE International Workshop on …
for some reason, I keep thinking of that song "Star Trekking"
"We come in peace, shoot to kill..."
On a more serious (& cynical) note, I have my reservations as to this being a programming/execution error, given Faceplant's track record with privacy.
When an account is deactivated, remove it from other people's 'friend' lists, and remove everyone from their own 'friend' list. That eliminates this technique entirely, far more effective than some warning that most people will ignore. Even if users are aware of what's happening, it doesn't matter much if they still can't 'unfriend' the account in question.
Of course, this requires Facebook to delete information, so it will never happen.
Barely a flaw, maybe a tiny crack?
Flaw? This is a bona fide feature of StalkerVille!
Seriously though, this is hardly some major exploit, hack, or even a flaw. If people add complete strangers to their friends list then that's their own choice, and those strangers have access to everything that any other friend has access to. Unless you're fussy about privacy settings on Facebook, in which case you'd be very unlikely to add a stranger in the first place!
This is the first time I have seen Farcebook being referred to as Stalkerville, superbly apt!
Facebook started offering as a friend a largely empty account. It had no friends in common (or friends at all) or a photo, but did have my ex's name. I assume it decided this account was spending so much time looking at my page that it must be a 'friend'. Hope he enjoyed my rather bland wasteland of a FB page.
Works as intended
Face it, the whole of Stalkerbook is a 'zero day privacy loophole'.
The fix, say I...
I can't believe nobody's thought of this, but... why not just *not* have all your sensitive and private information on Facebook in the first place?
Additionally, don't add random strangers to your friends list. This doesn't bypass the issue of malicious friends, but in that case, you'd best start re-evaluating your life. With friends like that, etc.
Alert, Jason Togneri. You have been deemed a danger to the integrity of the hive mind. Remain where you are and await an enforcement node that will escort you to the nearest rehabilitation centre for evaluation and treatment. If treatment is unsuccessful you will be permanently disconnected from the hive and terminated.
Seems to me an easy fix...
...the users don't need to be notified or anything; all that needs to happen is that FB still shows deactivated users in the friends list, so that people can remove their access if they want to. The deactivation feature is more likely to be used by people who want to go on hiatus or genuinely leave FB than for this (marginally useful) purpose.
Don't see why it's a big thing - as a couple of people have already mentioned, it's not like you haven't already explicitly given access to this "person" to your information.
Re: Seems to me an easy fix...
Completely agree, that definitely sounds like the easiest option to me, and of course it also gives those of us who have various restricted access groups set up the option to either move someone into a more restrictive group in case they do reappear, or simply remove them entirely.
Hardly seems like a major issue to me though, oh no, someone reactivating their account has the same restricted view to my account that they did before, boo hoo. Oh wait, perhaps that's because I don't friend everyone in sight, I don't accept requests from people I don't actually know, and only a select few people who I know really well get unfettered access to my account, the rest get a more restricted view. Nah that can't be it, we're all doomed, the world is about to end, etc etc etc...
Maybe only add _friends_ to your friends list then.
If you add ForeignSlut57 Won Hung Dong and Debbie 'T-V Ejaculatrix' Jones you really deserve everything you get. Facebook, shite as it is, is at least Darwinian in that respect...
What about impersonation?
Someone pretends to be somebody who is a friend of yours, but they're actually someone else. An enemy.
Maybe you don't think that normal people have enemies? But cases have been mentioned already, e.g. ex-wife.
And because you thought it was a friend, you've friended them.
Whatever that means to you young people. It sounds dirty.
Unfriend finder tells you when people deactivate and reactivate their accounts. I'm not sure why those features haven't been rolled into the main site, to be honest.
This is self-evident, and I "researched" it several years ago... Can I have some grant money please?
Did they raise it with Facebook before telling the rest of the world about it? (Obvious or not)
If it's not obvious then they could patent it...
I think a lot of us realised this about 2 years ago! I have an old friend that was doing it to me and spying on me for my ex-gf :s Fortunately I knew her email address so added her to my block list that way
It needs either a minimum period between switches between active and inactive (say a week) to prevent the stealthiness, or just clear the friend list with a reconnect option to re-send friend requests on activation.
Another security flaw to add to the pile of previous ones found in Farcebook.... step ladder anyone, I can't reach the top!
Where is the flaw in this exactly?
Not really a security flaw, is it? It's like somebody putting your number in their phone, and then expecting your number to be automatically deleted off their phone when your phone gets deactivated. It just doesn't happen.
Yes it's a security problem
I think some people are missing why this could be a legitimate problem even if you're not dumb enough to just friend random people. Actually, if you are that dumb it probably won't bother you at all.
Let's look at this in comparison to some more traditional security systems: telling someone a password, issuing a digital certificate, and friending. What do they all have in common? They indicate trust. They do not, however, indicate eternal trust. Passwords can be changed, certificates can be revoked, and friends can be unfriended... or that's how it was supposed to work.
See why it's a problem now?
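The trust-versus-revocation point made in the comment above, and the "keep showing deactivated friends so they can be removed" fix proposed earlier in the thread, can be illustrated with a small access-control model. The code below is an added example written for this page; it is not Facebook's data model and not code from the researchers or any commenter. The account names, the `SocialGraph` class and its methods, and the two listing functions are all hypothetical: `friends_as_shown` mimics the behaviour the article describes (deactivated accounts vanish from the friend list while their grant survives), `friends_with_state` is the annotated listing the thread suggests, and `stale_grants` is the audit a practitioner would run to find grants the owner cannot currently see or revoke.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ACTIVE = "active"
DEACTIVATED = "deactivated"


@dataclass
class Account:
    uid: str
    state: str = ACTIVE


@dataclass
class Profile:
    owner: str
    # The effective ACL: every uid in here can read the owner's friends-only content.
    grants: Set[str] = field(default_factory=set)


class SocialGraph:
    """Hypothetical in-memory model of friend grants; not Facebook's real design."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.profiles: Dict[str, Profile] = {}

    def add_account(self, uid: str) -> None:
        self.accounts[uid] = Account(uid)
        self.profiles[uid] = Profile(uid)

    def befriend(self, a: str, b: str) -> None:
        # Friendship is symmetric: each side grants the other access.
        self.profiles[a].grants.add(b)
        self.profiles[b].grants.add(a)

    def unfriend(self, owner: str, uid: str) -> None:
        # Revocation removes the grant in both directions.
        self.profiles[owner].grants.discard(uid)
        self.profiles[uid].grants.discard(owner)

    def deactivate(self, uid: str) -> None:
        # Deactivation changes the account's state but leaves every grant in place.
        self.accounts[uid].state = DEACTIVATED

    def reactivate(self, uid: str) -> None:
        self.accounts[uid].state = ACTIVE

    def can_view(self, viewer: str, owner: str) -> bool:
        # A deactivated account cannot log in; an active one uses whatever grants survived.
        return self.accounts[viewer].state == ACTIVE and viewer in self.profiles[owner].grants

    def friends_as_shown(self, owner: str) -> List[str]:
        # Listing as the article describes it: deactivated accounts drop out of the
        # friend list, so the owner has nothing to click "unfriend" on.
        return sorted(u for u in self.profiles[owner].grants
                      if self.accounts[u].state == ACTIVE)

    def friends_with_state(self, owner: str) -> List[Tuple[str, str]]:
        # The fix suggested in the thread: keep showing the grant, annotated with its
        # state, so the owner can revoke it while the other party is away.
        return sorted((u, self.accounts[u].state) for u in self.profiles[owner].grants)

    def stale_grants(self, owner: str) -> Set[str]:
        # Audit: grants held by accounts the owner cannot currently see in the UI.
        return {u for u in self.profiles[owner].grants
                if self.accounts[u].state != ACTIVE}


def run_attack() -> dict:
    """Walk through the attack, then the revocation the annotated listing allows."""
    g = SocialGraph()
    for uid in ("alice", "mallory"):  # constructed sample accounts
        g.add_account(uid)
    g.befriend("alice", "mallory")
    g.deactivate("mallory")
    result = {
        "shown_while_deactivated": g.friends_as_shown("alice"),
        "shown_with_state": g.friends_with_state("alice"),
        "stale": g.stale_grants("alice"),
        "can_view_while_deactivated": g.can_view("mallory", "alice"),
    }
    g.reactivate("mallory")
    # The grant was never revoked, so the returning account reads alice's content again.
    result["can_view_after_reactivation"] = g.can_view("mallory", "alice")
    # With the annotated listing alice can act on the stale grant before mallory returns.
    g.deactivate("mallory")
    for uid, state in g.friends_with_state("alice"):
        if state == DEACTIVATED:
            g.unfriend("alice", uid)
    g.reactivate("mallory")
    result["can_view_after_revocation"] = g.can_view("mallory", "alice")
    return result


if __name__ == "__main__":
    for key, value in run_attack().items():
        print(f"{key}: {value}")
```

The point the model makes is that `can_view` and `friends_as_shown` disagree: the effective ACL still contains the deactivated account, but the view the owner is given to manage that ACL does not. Any system that hides a principal from the grant-management UI without also suspending or expiring the grant has the same gap, and `stale_grants` is the check that exposes it.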
want want want
Employer has your:
Home and mobile numbers
SSN or National ID Number
Drivers license or ID number
Insurance risk info
And now, not just a mere list of your social profiles and a privileged guest account, but also your password.