Your Facebook Deactivated Friend or a Cloaked Spy (Extended Abstract)
Shah Mahmood, Yvo Desmedt

TL;DR
This paper reveals a zero-day privacy loophole on Facebook called the deactivated friend attack, allowing attackers to maintain indefinite access to users' private information through cloaking techniques.
Contribution
It introduces the deactivated friend attack, demonstrating its feasibility and impact, and proposes solutions to mitigate this privacy vulnerability.
Findings
Able to add over 4300 users using targeted requests
Maintained access for at least 261 days without detection
Short de-cloaking sessions provided ongoing updates
Abstract
With over 750 million active users, Facebook is the most famous social networking website. One particular aspect of Facebook widely discussed in the news and heavily researched in academic circles is the privacy of its users. In this paper we introduce a zero day privacy loophole in Facebook. We call this the deactivated friend attack. The concept of the attack is very similar to cloaking in Star Trek, while its seriousness could be estimated from the fact that once the attacker is a friend of the victim, it is highly probable the attacker has indefinite access to the victim's private information in a cloaked way. We demonstrate the impact of the attack by showing the ease of gaining trust of Facebook users and being befriended online. With targeted friend requests we were able to add over 4300 users and maintain access to their Facebook profile information for at least 261 days. No user…
Taxonomy
Topics: Privacy, Security, and Data Protection · Spam and Phishing Detection · Internet Traffic Analysis and Secure E-voting
