With over 845 million active users, Facebook is a great source of willingly shared information for anyone who can effectively become a “Facebook friend” of the targets.
And according to a pair of researchers from University College London, the group of interested individuals and entities ranges from spammers, criminals and stalkers to marketers, background-checking agencies and even governments.
The attack itself is very easy to execute. The biggest problem for the attacker is to trick a user into accepting him as a “friend”, but once that is accomplished, he can deactivate his account and make it impossible for the user to remove him from his friend list.
Each time the attacker activates his account again, the information contained in the victim’s account is available to him for browsing. As the researchers point out, the attacker has a sort of backdoor into the victim’s account any time he wants, and the victim can only de-friend him if he manages to do so during the (likely) short interval when the attacker’s account is activated.
This “deactivated friend attack” is possible because Facebook doesn’t set a limit to how many times users can deactivate and reactivate their accounts, and because it doesn’t notify users when a “friend” of theirs has done so.
Given that many, many users have no qualms about adding people they don’t know in real life to their Facebook friend list, the attack can be used very effectively by any of the aforementioned groups of people.
The Register reports that the researchers, who shared their findings with the participants of the IEEE International Workshop on Security and Social Networking (SESOC 2012) on Monday, demonstrated the feasibility of the attack by befriending over 4300 users and maintaining access to their Facebook profile information for at least 261 days.
“No user was able to unfriend us during this time due to cloaking and short de-cloaking sessions,” they said, adding that the short de-cloaking sessions were enough to get updates about the victims.
In order to foil this particular attack, Facebook must be willing to make some changes. The researchers advise notifying users of the deactivation and reactivation of their friends’ accounts – which seems reasonable – or removing the account reactivation option, which is something Facebook is unlikely to ever do.
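One way a platform could spot the cloaking pattern the researchers describe (repeated reactivations, each followed by only a short active window before the next deactivation), as an added example that is not the article’s or the researchers’ code; the event-log format, the sample log and the thresholds are assumptions:

```python
# Added example (not the article's or the researchers' code): detects the
# deactivate/reactivate cycling pattern in a constructed account-lifecycle log.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: (ISO timestamp, account id, event).
# "a1" cloaks for days and de-cloaks for minutes; "a2" deactivates once and
# then stays active.
SAMPLE_LOG = [
    ("2012-03-01T10:00:00", "a1", "deactivate"),
    ("2012-03-03T09:00:00", "a1", "reactivate"),
    ("2012-03-03T09:20:00", "a1", "deactivate"),
    ("2012-03-06T11:00:00", "a1", "reactivate"),
    ("2012-03-06T11:15:00", "a1", "deactivate"),
    ("2012-03-10T08:00:00", "a1", "reactivate"),
    ("2012-03-10T08:05:00", "a1", "deactivate"),
    ("2012-03-02T12:00:00", "a2", "deactivate"),
    ("2012-03-04T12:00:00", "a2", "reactivate"),
]

def account_stats(log):
    """Per account: (number of reactivations, longest completed active window in
    seconds between a reactivation and the next deactivation, or None if none)."""
    events = defaultdict(list)
    for ts, acct, ev in log:
        events[acct].append((datetime.fromisoformat(ts), ev))
    stats = {}
    for acct, evs in events.items():
        reactivations, windows, active_since = 0, [], None
        for ts, ev in sorted(evs):
            if ev == "reactivate":
                reactivations += 1
                active_since = ts
            elif ev == "deactivate" and active_since is not None:
                windows.append((ts - active_since).total_seconds())
                active_since = None
        stats[acct] = (reactivations, max(windows, default=None))
    return stats

def flag_cloaking(log, min_reactivations=3, max_active_seconds=3600):
    """Accounts that reactivated at least min_reactivations times and never
    stayed active longer than max_active_seconds: the short de-cloaking pattern."""
    return sorted(
        acct for acct, (n, longest) in account_stats(log).items()
        if n >= min_reactivations and longest is not None
        and longest <= max_active_seconds
    )
```

A flagged account is a candidate for the notification the researchers propose (tell its friends it has reactivated) or for rate-limiting further reactivations, not proof of abuse on its own.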
UPDATE (3/23/2012): “Earlier this week a team of security researchers described a theoretical flaw in our user interface; users have been previously unable to unfriend deactivated accounts. We quickly worked to resolve this issue, and were able to deploy a modification to our UI within 48 hours of receiving these reports,” commented a Facebook spokesperson.
“While we appreciate all work done to help keep Facebook safe, we have several legitimate concerns about this research by the University College London. We were disappointed that this was not disclosed to us through our Responsible Disclosure Policy and was done in violation of our terms. We encourage all of the security community to make use of our White Hat program, which provides researchers tools and bug reporting channels. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site.”