Shah Mahmood and Yvo Desmedt, from University College London, told attendees at the IEEE International Workshop on Security and Social Networking on Monday, that they’ve discovered a privacy loophole – not a vulnerability – which allows an attacker to monitor a person over time in complete stealth. In fact, such a loophole is perfect for social engineering and Phishing attacks. [See Update at the bottom of this story, 3-22-2012]
“We call this the deactivated friend attack. The concept of the attack is very similar to cloaking in Star Trek while its seriousness could be estimated from the fact that once the attacker is a friend of the victim, it is highly probable the attacker has indefinite access to the victims private information in a cloaked way,” the researchers note.
This loophole – and it’s important that this is how it is viewed as it isn’t a vulnerability – is made possible by the fact that Facebook has never limited the number of times a person can deactivate and reactivate their account.
One of the longest running privacy-related issues on the social networking giant’s website is the fact that if a person deletes their account, the data related to that account remains. So, should the person ever return, account reactivation restores it to the state it was in the day it was turned off.
Once the attacker has gained the victim’s trust, which is earned simply by them accepting a friend request, the privacy loophole is immediately available. This is because once someone is added to a friends list on Facebook, if that person deactivates their profile, it is impossible to remove them. With cloaking enabled, they will not appear with the other friends on a given person’s list.
“With targeted friend requests we were able to add over 4300 users and maintain access to their Facebook profile information for at least 261 days. No user was able to un-friend us during this time due to cloaking and short de-cloaking sessions. The short de-cloaking sessions were enough to get updates about the victims,” Mahmood said.
The attack is very serious for several reasons, explains the paper on the topic. “First, it is very hard to detect this attack.”
“The attacker can activate her account at the moment least likely to be detected and crawl her victim’s profile for information, keeping an updated record. Various groups of information aggregators including marketers, background checking agencies, governments, hackers, spammers, stalkers and criminals would find this attractive as a permanent back door to the private information of a Facebook user, once befriended.”
After that there is the issue of security settings. Users who adjust their privacy settings cannot apply them to someone on their friends list who is cloaked. The only way around this is to apply privacy settings to all friends, or lists where the cloaked attacker was previously assigned. Given that the cloaked friend is always missing from the list of friends, person by person privacy settings will have no effect.
“Thirdly, when the attacker can closely monitor a few users on Facebook, they can get a deeper insight into a large network. The attacker could be a cloaked spy monitoring and analyzing them,” the paper explains.
“Facebook recently added the feature of browsing friendships. This would help the attacker in analyzing the bond between two of his victims by browsing their friendship, which provides information including the month and year since when they are Facebook friends, the events they both attended, their mutual friends, things they both like, their photos, the messages they wrote on each others wall, etc. This would give a very deep insight about the level of their relationship, the duration when they were more or less interactive, etc. This information could be used for several attacks including social engineering and social phishing attacks.”
In order to address the problem, users should be notified when a friend deactivates and reactivated their account, the researchers note. In addition, Facebook could flag and monitor accounts that are constantly cycled between a state of activation and deactivation.
Either option however, would mean changes to Facebook’s platform and backend, so it’s unknown if either option is viable.
Another change to Facebook that could help is actually displaying deactivated profiles that exist on a given friends list, with blurred profile images in order to make them stand out, and to allow privacy settings and list assignments to be applied to them along with others on the list. Finally, Facebook could offer permanent account deactivation, which is highly unlikely.
We’ve reached out to Facebook for comment, and will update the story if we hear back from them.
The research paper is here.
Facebook responded to our email. A spokesperson sent the following:
Earlier this week a team of security researchers described a theoretical flaw in our user interface; users have been previously unable to unfriend deactivated accounts. We quickly worked to resolve this issue, and were able to deploy a modification to our UI within 48 hours of receiving these reports.
While we appreciate all work done to help keep Facebook safe, we have several legitimate concerns about this research by the University College London. We were disappointed that this was not disclosed to us through our Responsible Disclosure Policy and was done in violation of our terms. We encourage all of the security community to make use of our White Hat program, which providers researchers tools and bug reporting channels. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site.