The statistics are staggering. Facebook has some 750 million users, half of whom log in every day. The average user has 130 friends and spends about 60 minutes a day tinkering on the network.
It’s no secret that Facebook has had its fair share of controversies over privacy, and consequently the network has been forced to change its privacy settings many times in its seven brief years of existence.
That controversy is set to continue. Today, Shah Mahmood and Yvo Desmedt at University College London say they have found a loophole in Facebook’s privacy settings that allows ongoing stalking of Facebook users in a way that is hard to spot and almost impossible to stop.
The flaw comes about because Facebook allows users to deactivate and reactivate their accounts in an unlimited and unrestricted way. While an account is deactivated, the privacy settings associated with that account cannot be changed.
So if you friend somebody so that they can see your content and they then deactivate their account, you cannot change the privacy settings associated with that account until it is reactivated (unless you apply a global change to all your friends).
Mahmood and Desmedt’s attack involves asking people to friend them and then deactivating their account. They then reactivate for short periods of time, check their friends’ content and immediately deactivate the account again.
“The concept here is very similar to that of cloaking in Star Trek where Badass Blink or Jem’Hadar has to uncloak (be visible), even if only for a moment, to open fire,” they say.
The only way to stop this is to be online at the same time as the snooper reactivates and to change the privacy settings at that time or to change the privacy settings of all your friends or the group of friends that the attacker is in.
Mahmood and Desmedt tested this kind of cloaking attack over a 600 day period using a Facebook account set up under a pseudonym. During the first 285 days, they sent out 595 friend requests, of which 370 were accepted. They also received 3969 friend requests, which they accepted, giving them a total of over 4000 friends.
They then went into “cloaking mode” by deactivating their account and checked on their friends regularly by reactivating for 10-minute periods only, which is long enough to crawl hundreds of profiles and to keep track of any activity. “None of our friends could technically have unfriended us during this phase,” they say.
Finally, they reactivated the account and left it idle for 60 days to see how many people unfriended them. In that time, 239 people unfriended them, just over 5 per cent of the total.
There are several reasons to think this is a potentially serious kind of attack. Cloaked attacks are hard to spot and even harder to stop. What’s more, a determined attacker can monitor not only individuals but the links between them, gaining valuable insight into the relationship between victims. Facebook recently added the ‘browse friendship’ feature which reveals information such as the date they became Facebook friends, the events they have both attended, their mutual friends and so on.
“Once the attacker is a friend of the victim, it is highly probable the attacker has indefinite access to the victim’s private information in a cloaked way,” say Mahmood and Desmedt.
Having said all that, Mahmood and Desmedt say the problem should be relatively easy to fix. Facebook could, for example, tell you when a friend has deactivated and keep track of those people who de- and re-activate on a regular basis. The company could also make it possible to change the privacy settings associated with deactivated friends.
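The two mitigations described above (notifying a user when a friend deactivates, and tracking accounts that de- and re-activate on a regular basis) can be expressed as a simple defender-side check over an account-status audit log. The following is an added example written for this article; it is not code from Mahmood and Desmedt’s paper or from Facebook. The event log is constructed, and the thresholds (a “short” reactivation of at most 15 minutes, at least 3 such cycles) are assumptions chosen to match the 10-minute windows the study describes, not values any platform actually uses.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample event log (not real Facebook data): one entry per
# account status change, as a platform-side audit feed might record it.
# "spy" cycles in and out in roughly 10-minute windows; "alice" and "bob"
# show ordinary one-off deactivations.
SAMPLE_EVENTS = [
    ("2012-03-01T09:00:00", "spy",   "deactivate"),
    ("2012-03-03T20:00:00", "spy",   "reactivate"),
    ("2012-03-03T20:10:00", "spy",   "deactivate"),
    ("2012-03-06T21:00:00", "spy",   "reactivate"),
    ("2012-03-06T21:08:00", "spy",   "deactivate"),
    ("2012-03-10T19:30:00", "spy",   "reactivate"),
    ("2012-03-10T19:41:00", "spy",   "deactivate"),
    ("2012-03-14T22:00:00", "spy",   "reactivate"),
    ("2012-03-14T22:09:00", "spy",   "deactivate"),
    ("2012-03-02T12:00:00", "alice", "deactivate"),
    ("2012-03-05T12:00:00", "alice", "reactivate"),
    ("2012-03-08T08:00:00", "bob",   "deactivate"),
    ("2012-03-08T08:05:00", "bob",   "reactivate"),  # stays active afterwards
]


def parse_events(raw):
    """Turn (iso_timestamp, account, event) tuples into a chronological list."""
    parsed = [(datetime.fromisoformat(ts), acct, ev) for ts, acct, ev in raw]
    return sorted(parsed)


def reactivation_windows(events):
    """Pair each 'reactivate' with the next 'deactivate' of the same account.

    Returns {account: [(window_start, minutes_active), ...]} for completed
    windows. An account that reactivates and then stays active contributes
    no window, and a deactivate with no preceding reactivate is ignored.
    """
    windows = defaultdict(list)
    open_since = {}
    for ts, acct, ev in parse_events(events):
        if ev == "reactivate":
            open_since[acct] = ts
        elif ev == "deactivate" and acct in open_since:
            start = open_since.pop(acct)
            windows[acct].append((start, (ts - start).total_seconds() / 60))
    return dict(windows)


def flag_cloaking_accounts(events, max_window_minutes=15, min_cycles=3):
    """Flag accounts whose de-/re-activation pattern looks like cloaking:
    at least `min_cycles` completed reactivation windows, each no longer
    than `max_window_minutes`. Both thresholds are assumptions."""
    flagged = []
    for acct, wins in reactivation_windows(events).items():
        short = [w for w in wins if w[1] <= max_window_minutes]
        if len(short) >= min_cycles:
            flagged.append(acct)
    return sorted(flagged)


def deactivation_notices(events, my_friends):
    """Notices a user would receive each time one of their friends deactivates:
    the 'tell you when a friend has deactivated' mitigation."""
    return [
        f"{acct} deactivated at {ts.isoformat()}"
        for ts, acct, ev in parse_events(events)
        if ev == "deactivate" and acct in my_friends
    ]


if __name__ == "__main__":
    print("flagged:", flag_cloaking_accounts(SAMPLE_EVENTS))
    for line in deactivation_notices(SAMPLE_EVENTS, {"spy", "alice"}):
        print(line)
```

Run as a script it flags only `spy`: the four completed windows of 8 to 11 minutes cross the cycle threshold, while `alice`’s three-day absence and `bob`’s single brief deactivation do not. The notice list shows what the first mitigation would surface to a user whose friends include `spy` and `alice`, giving them a chance to adjust per-friend settings before the account goes dark again.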
The only question is how quickly Facebook will react to this threat and in doing so add to the growing catalogue of changes it has been forced to make to its privacy features.
Ref: arxiv.org/abs/1203.4043: Your Facebook Deactivated Friend Or A Cloaked Spy
Update: 23 March 2012
Facebook sends the following statement via a PR agency:
“Earlier this week a team of security researchers described a theoretical flaw in our user interface; users have been previously unable to unfriend deactivated accounts. We quickly worked to resolve this issue, and were able to deploy a modification to our UI within 48 hours of receiving these reports.
While we appreciate all work done to help keep Facebook safe, we have several legitimate concerns about this research by the University College London. We were disappointed that this was not disclosed to us through our Responsible Disclosure Policy and was done in violation of our terms. We encourage all of the security community to make use of our White Hat program, which provides researchers tools and bug reporting channels. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site.”