1000 close Facebook friends

In a previous post I’ve mentioned how much your personal information is worth. Remember – if something is free, the price is you. A common Facebook type of scam is the «cloaked spy» or «deactivated friend» in order to get people’s information. The weak link is, once more, naive users who accept friend requests from total strangers.

Mahmood and Desmedt (2012) managed to befriend 4300 users and maintain access to all their Facebook information for 261 days. Once a friend request had been accepted, they deactivated their account, only to re-activate it a little while later. This was done repeatedly, since a Facebook deactivation can be undone for a certain amount of time after you first decide to leave. While the account was deactivated, the users were unable to de-friend it, and during the periods it was re-activated, plenty of personal information could be gathered from their «friends». The information gathered included real names, dates of birth, gender, sexual orientation, address, e-mail addresses, phone numbers, family relations, instant messenger usernames from up to 19 applications, activities and interests, among others. That is a complete and authenticated profile of a person and, I am sure, in some cases enough to enable identity theft. You can read more about it in Technology Review.

Facebook launched an investigation and sent out a PR-statement saying they fixed the issue. This was in 2012, however one of my actual, real friends on Facebook experienced this just this week. Someone impersonated her, asking all her friends to re-friend. Some people accepted, thinking it was her, and voila – the account was deactivated again before my real friend could alert her circle of friends about the impersonator.

This is what Facebook said in 2012:

“Earlier this week a team of security researchers described a theoretical flaw in our user interface; users have been previously unable to unfriend deactivated accounts. We quickly worked to resolve this issue, and were able to deploy a modification to our UI within 48 hours of receiving these reports.

While we appreciate all work done to help keep Facebook safe, we have several legitimate concerns about this research by the University College London. We were disappointed that this was not disclosed to us through our Responsible Disclosure Policy and was done in violation of our terms. We encourage all of the security community to make use of our White Hat program, which provides researchers tools and bug reporting channels. In addition, as always, we encourage people to only connect with people they actually know and report any suspicious behavior they observe on the site.”

Another problem I have encountered myself is being added to a group without being given notice. I find it very surprising that this is still allowed, as it has been going on for a while. Any friend can add you to a group. And we all know that our Facebook friends are up-close and personal acquaintances, right? Or, based on the 4300 users in the experiment above, maybe not. I also suspect it is possible to change the name or type of a group after you have become a member; I have recently found myself a member of political groups that I am very certain I never signed up for. Have a look through your groups and “Like!” pages every now and then, and maybe your “friend” list too.

Mahmood, S. and Desmedt, Y. (2012) ‘Your Facebook deactivated friend or a cloaked spy’, Pervasive Computing and Communications Workshops (PERCOM Workshops), 2012 IEEE International Conference on, pp. 367-73.

Technology Review (2012) ‘Facebook Privacy Compromised By Cloaking Attacks’. Available from: http://www.technologyreview.com/s/427294/facebook-privacy-compromised-by-cloaking-attacks/ (Accessed: 18.11.2016)

Image source: Wokandapix, Pixabay, CC0 public domain. https://pixabay.com/en/rock-craft-people-friends-support-1771913/