Facebook 'Cloaking' Flaw Revealed

Research undertaken by University College London student Shah Mahmood and Chair of Information Communication Technology Yvo Desmedt has uncovered a "zero day privacy loophole" in Facebook.

Named by the duo the "Deactivated Friend Attack", the finding was announced at yesterday's IEEE International Workshop on Security and Social Networking (SESOC 2012), held in Lugano, Switzerland.

The pair disclosed details of the attack: "Our deactivated friend attack occurs when an attacker adds their victim on Facebook and then deactivates her own account. As deactivation is temporary in Facebook, the attacker can reactivate her account as she pleases and repeat the process of activating and deactivating an unlimited number of times. While a friend is deactivated on Facebook, she becomes invisible. She could not be unfriended (removed from the friends list) or added to any specific list."

The problem underlying this discovery is that Facebook users are not notified when friends deactivate or reactivate their accounts.

This could result in real damage: once the account is reactivated, the newly reactivated friend regains access to anything posted by their fellow connections. Once they have collected all the information they need, the account can go back into deactivation without their friends being aware of any activity having taken place.

Labelling this act 'cloaking', the pair stated that the only way to resolve the issue is to alert users to deactivations and reactivations, so that they can keep track of any unusual behaviour. Flagging up accounts that practise the cloaking method is another possible option, while removing the reactivation tool altogether is also feasible.
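To illustrate the two mitigations the researchers suggest (notifying users of every state change, and flagging accounts that repeatedly surface only for short windows), here is an added example that is not code from the researchers or from Facebook. It runs over a constructed, hypothetical log of friend state-change events; the event names and the two-hour "short window" threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (not real Facebook data). Each entry is
# (timestamp, friend_id, event), i.e. the account state changes a platform
# would have to expose to a user in order to implement the proposed alerts.
EVENTS = [
    ("2012-03-01T09:00:00", "alice", "deactivated"),
    ("2012-03-15T20:00:00", "alice", "reactivated"),
    ("2012-03-15T20:45:00", "alice", "deactivated"),   # back for 45 minutes
    ("2012-04-02T22:10:00", "alice", "reactivated"),
    ("2012-04-02T22:30:00", "alice", "deactivated"),   # back for 20 minutes
    ("2012-04-20T23:00:00", "alice", "reactivated"),
    ("2012-04-20T23:20:00", "alice", "deactivated"),   # back for 20 minutes
    ("2012-03-05T12:00:00", "bob", "deactivated"),     # one-off, stays away
    ("2012-03-10T12:00:00", "carol", "deactivated"),
    ("2012-03-11T08:00:00", "carol", "reactivated"),   # came back and stayed
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def cloaking_suspects(events, min_cycles=2, max_active=timedelta(hours=2)):
    """Return {friend_id: count} for friends that reactivated and then
    deactivated again within max_active at least min_cycles times.
    Short, repeated active windows are the signature of the cloaking pattern."""
    by_friend = defaultdict(list)
    for ts, fid, ev in events:
        by_friend[fid].append((parse(ts), ev))
    suspects = {}
    for fid, evs in by_friend.items():
        evs.sort()
        short_windows = 0
        last_reactivation = None
        for when, ev in evs:
            if ev == "reactivated":
                last_reactivation = when
            elif ev == "deactivated" and last_reactivation is not None:
                if when - last_reactivation <= max_active:
                    short_windows += 1
                last_reactivation = None
        if short_windows >= min_cycles:
            suspects[fid] = short_windows
    return suspects

def notifications(events):
    """One alert line per state change: the simplest of the proposed fixes."""
    return [f"{ts}: friend {fid} {ev}" for ts, fid, ev in sorted(events)]
```

With the sample log, only "alice" is flagged (three short active windows); "bob" never returns and "carol" returns once and stays, so neither is a suspect.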

Source: The Register