Your Facebook deactivated friend or a cloaked spy

With over 750 million active users, Facebook is the most famous social networking website. One particular aspect of Facebook widely discussed in the news and heavily researched in academic circles is the privacy of its users. In this paper we introduce a zero-day privacy loophole in Facebook, which we call the deactivated friend attack. The concept of the attack is very similar to cloaking in Star Trek, and its seriousness can be estimated from the fact that, once the attacker is a friend of the victim, it is highly probable that the attacker has indefinite access to the victim's private information in a cloaked way. We demonstrate the impact of the attack by showing how easily Facebook users' trust can be gained and friend requests accepted online. With targeted friend requests we were able to add over 4300 users and maintain access to their Facebook profile information for at least 261 days. No user was able to unfriend us during this time, because of cloaking and short de-cloaking sessions. The short de-cloaking sessions were enough to get updates about the victims. We also provide several solutions for the loophole, ranging from mitigation to a permanent solution.
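The loophole described above is easier to reason about as a state model: a friend edge survives account deactivation, the deactivated friend disappears from the victim's friend list (so it cannot be removed), and a brief reactivation restores full read access. The following added example, which is not code from the paper and does not model Facebook's real implementation, is a toy friend graph with a switch between that behaviour and one assumed mitigation (deactivated friends stay listed and removable, and a reactivation is logged so a defender can audit it). The class and function names are invented for illustration.

```python
"""Toy model of the deactivated-friend loophole and one assumed mitigation.

Constructed illustration only; `FriendGraph`, `Account` and `simulate`
are hypothetical names and the rules are a simplification, not a
description of Facebook's actual code.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    active: bool = True
    friends: set = field(default_factory=set)


class FriendGraph:
    def __init__(self, cloak_hides_deactivated: bool):
        # True models the loophole: a deactivated friend vanishes from the
        # friend list and therefore cannot be unfriended.
        # False models the mitigation: deactivated friends stay visible,
        # removable, and every reactivation is written to an audit log.
        self.cloak_hides_deactivated = cloak_hides_deactivated
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[str] = []

    def add(self, name: str) -> None:
        self.accounts[name] = Account(name)

    def befriend(self, a: str, b: str) -> None:
        # Friendship is symmetric; both sides hold the edge.
        self.accounts[a].friends.add(b)
        self.accounts[b].friends.add(a)

    def deactivate(self, name: str) -> None:
        # Deactivation does NOT remove edges in either model; that is the
        # behaviour the paper relies on.
        self.accounts[name].active = False

    def reactivate(self, name: str) -> None:
        self.accounts[name].active = True
        if not self.cloak_hides_deactivated:
            # Mitigation side: a de-cloaking event becomes auditable.
            self.audit_log.append(f"reactivated:{name}")

    def visible_friends(self, name: str) -> set:
        friends = self.accounts[name].friends
        if self.cloak_hides_deactivated:
            return {f for f in friends if self.accounts[f].active}
        return set(friends)

    def unfriend(self, who: str, target: str) -> bool:
        # A user can only act on friends shown in their list.
        if target not in self.visible_friends(who):
            return False
        self.accounts[who].friends.discard(target)
        self.accounts[target].friends.discard(who)
        return True

    def can_view_profile(self, viewer: str, owner: str) -> bool:
        v = self.accounts[viewer]
        return v.active and viewer in self.accounts[owner].friends


def simulate(cloak_hides_deactivated: bool) -> tuple:
    """Run the befriend -> cloak -> attempted unfriend -> de-cloak sequence.

    Returns (attacker listed while cloaked, unfriend succeeded,
             attacker can read profile after de-cloaking, audit entries).
    """
    g = FriendGraph(cloak_hides_deactivated)
    g.add("victim")
    g.add("cloaked_friend")  # constructed sample identities
    g.befriend("victim", "cloaked_friend")
    g.deactivate("cloaked_friend")                      # cloak
    listed = "cloaked_friend" in g.visible_friends("victim")
    removed = g.unfriend("victim", "cloaked_friend")    # victim tries to clean up
    g.reactivate("cloaked_friend")                      # short de-cloaking session
    access = g.can_view_profile("cloaked_friend", "victim")
    return listed, removed, access, len(g.audit_log)


if __name__ == "__main__":
    print("loophole   :", simulate(True))
    print("mitigation :", simulate(False))
```

In the loophole model the victim never sees the edge, the unfriend attempt fails, and the reactivated account reads the profile again; in the mitigation model the edge is visible and removable, so the reactivation finds no edge, and the audit log carries one entry a defender could review.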
