Computer scientists at UCL have found a loophole in Facebook's privacy settings that allows ongoing Facebook stalking in a way that is hard to track and almost impossible to stop.

The loophole -- discovered by Shah Mahmood and Yvo Desmedt -- relates to the functionality that lets Facebook users deactivate and reactivate their accounts an unlimited number of times.

When an account is deactivated, the privacy settings associated with that account can't be changed. This means that if you befriend someone and then quickly deactivate your account, that person won't be able to restrict the access that you have to their Facebook page until you reactivate it -- unless they apply a global change to all of their friends.


Mahmood and Desmedt asked people to friend them and then deactivated their accounts. They would then reactivate their accounts for short periods of time, check their friends' content and then immediately deactivate the account. "The concept here is very similar to that of cloaking in Star Trek where Badass Blink or Jem'Hadar has to uncloak (be visible), even if only for a moment, to open fire," they say.

The only way to stop the person from looking at your profile would be to be online at exactly the same time as the Facebook stalker reactivates their account and then change the privacy settings while the account is active.


The duo tested this sort of cloaking attack over 600 days using a pseudonymous Facebook account. They sent out 595 friend requests in the first 285 days, 370 of which were accepted. They also received 3,969 friend requests, which they accepted. This gave them a total of more than 4,000 friends.

Having amassed so many friends, they deactivated the account, only to reactivate it for 10-minute periods. During these 10-minute periods they would look at many profiles and track their activity.


Unless they knew when the profile would be reactivated, none of their friends could have technically unfriended the account during this phase. Eventually the duo reactivated the account and left it idle for 60 days. During that time, 239 people unfriended them.

The problem could be fixed relatively easily if Facebook told you when a friend deactivated their account, or if it monitored accounts that deactivate and reactivate regularly.
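As an added illustration of the second fix, not code from the article or the researchers, the following Python sketch flags accounts that repeatedly reactivate for only a few minutes before deactivating again. The event log, account names and thresholds are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample event log (not real Facebook data): one line per
# account state change, in the form "timestamp,account,event".
SAMPLE_EVENTS = """\
2012-03-01T09:00:00,acct_1001,deactivate
2012-03-02T21:00:00,acct_1001,reactivate
2012-03-02T21:10:00,acct_1001,deactivate
2012-03-05T03:15:00,acct_1001,reactivate
2012-03-05T03:24:00,acct_1001,deactivate
2012-03-09T18:00:00,acct_1001,reactivate
2012-03-09T18:09:00,acct_1001,deactivate
2012-03-01T12:00:00,acct_2002,deactivate
2012-03-20T12:00:00,acct_2002,reactivate
"""

def parse_events(text):
    """Parse the log into (timestamp, account, event) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, acct, ev = line.split(",")
        events.append((datetime.fromisoformat(ts), acct, ev))
    events.sort()
    return events

def active_windows(events):
    """Return {account: [minutes active, ...]} for each reactivate->deactivate pair.

    A deactivate with no preceding reactivate (the very first one) is ignored.
    """
    windows = defaultdict(list)
    last_reactivate = {}
    for ts, acct, ev in events:
        if ev == "reactivate":
            last_reactivate[acct] = ts
        elif ev == "deactivate" and acct in last_reactivate:
            delta = ts - last_reactivate.pop(acct)
            windows[acct].append(delta.total_seconds() / 60)
    return windows

def flag_cloaking(events, max_window_min=15, min_windows=3):
    """Flag accounts with at least `min_windows` brief active periods.

    Thresholds are assumptions for this example; the article describes
    10-minute reactivation windows repeated over a long period.
    """
    flagged = {}
    for acct, durations in active_windows(events).items():
        short = [d for d in durations if d <= max_window_min]
        if len(short) >= min_windows:
            flagged[acct] = len(short)
    return flagged
```

Flagged accounts could then be surfaced to their friends, or have the "settings cannot be changed while deactivated" rule relaxed for them.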

It seems like a fairly convoluted way to access personal information. Does this concern you at all? Tell us in the comments.


We have contacted Facebook for comment on the loophole and will update this story when we hear from a spokesperson.

UPDATE 22/03/2012 21:15:

A Facebook spokesperson has issued the following statement: "Earlier this week a team of security researchers described a theoretical flaw in our user interface; users have been previously unable to unfriend deactivated accounts. We quickly worked to resolve this issue, and were able to deploy a modification to our UI within 48 hours of receiving these reports.

"While we appreciate all work done to help keep Facebook safe, we have several legitimate concerns about this research by the University College London. We were disappointed that this was not disclosed to us through our Responsible Disclosure Policy and was done in violation of our terms. We encourage all of the security community to make use of our White Hat program, which provides researchers tools and bug reporting channels. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site."

Image: Flickr.com/Cherry Cyanide