
Facebook security "research"

Mar 20

I was under the assumption that UCL carried some respect for their computing department. Today I read an article in The Register titled "Facebook 'cloaking' flaw allows unexpected snooping" - yes, I know that The Register seem to now be 'The Sun' of tech news sites, all about a punny headline and trashy content, but they do quote their sources.

The 'researchers' at UCL describe a fairly obvious, several-year-old flaw in Facebook whereby you 'friend' someone and then deactivate your account. You're then free to reactivate your account, check the person out, and deactivate again - this prevents them from removing you as a friend, as you won't show up in their friends list whilst deactivated.

What irritated me most about this is that they describe it as a "zero day privacy loophole". It's a shame to see that "zero day" is now just a meaningless buzzword, thrown about to try and whore some attention. This "attack" (yes, they call it a "Deactivated Friend Attack") has been known and talked about for at least a couple of years - and is evident if you've ever had a friend deactivate and reactivate their account, only to suddenly reappear in your friends list. It's a very short hop of common sense, not some giant leap of ingenuity that required "a lengthy experiment".

Worse, they go on to propose dreadful solutions - "notify users of de-activations and re-activations, so that odd behaviour can be spotted". Did they propose this so that, if implemented, they can boast about their find of "DoS through means of mass messaging via repeated deactivating and reactivating of accounts"? One of their two further solutions is more reasonable - keeping the person in their friends' lists, but marking them as deactivated (or "cloaked", if you want to sound awesome) - but then the account isn't really deactivated. Their other solution is just plain stupid, "removing re-activation features altogether" - so, uh, deleting the account?

Personally, I'd list this as "Do Not Fix". For this to work, you have to friend them in the first place. "Friend". If you've accepted their friend request, surely you're accepting that they're going to be able to view your information? You can't view extra information by expending the effort to keep deactivating and reactivating (on a large scale - it's not like you can do this on a friend-by-friend basis). Stop accepting friend requests from people you don't know!

If you are worried but still want to get your 'friend' count as high as possible, then it sounds like you're concerned about your privacy (in a skewed way...). That's great and bordering on being responsible! In this instance, you could maybe consider using Facebook's privacy controls? Set your posts to show to the friends you actually want to show them to - including the use of lists to define groups of friends you frequently want to show to. Ta-da, no more weird people you don't actually know that keep bobbing in and out.

If you've read this rant, then you deserve to be rewarded: