According to The Register, the researchers showed that because a Facebook account can be deactivated and reactivated any number of times without anyone being told, someone could snoop on other users' accounts while remaining unnoticed.
Facebook does not notify users when another member activates or deactivates an account, and while an account is deactivated its owner cannot be unfriended.
This means that, in principle, an attacker can create a Facebook profile, befriend a large number of people and then hide by keeping the account deactivated, reactivating it only for the brief moments needed to look at the victims' profiles.
The zero-day privacy loophole, as the researchers call it in their study “Your Facebook Deactivated Friend or a Cloaked Spy”, enables what they term “deactivated friend attacks.”
“The concept of the attack is very similar to cloaking in Star Trek while its seriousness could be estimated from the fact that once the attacker is a friend of the victim, it is highly probable the attacker has indefinite access to the victim's private information in a cloaked way,” reads the extended abstract of the paper.
To demonstrate the attack, Mahmood and Desmedt made 4,300 Facebook friends and kept access to their profiles for 261 days. Because the test account was deactivated most of the time, none of the 4,300 users could unfriend it.
The short periods during which the profile was active were enough to collect updates on the victims.
They suggest the issue could be addressed if Facebook notified users each time a friend deactivated or reactivated an account. Another mitigation would be to flag members who repeatedly perform these operations.
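To make the mechanics and the proposed mitigations concrete, here is an added Python model written for this article; it is not code from the paper or from Facebook. It assumes a toy friend graph in which a friends-only post is visible to an active friend, applies the weak rule the researchers exploited (a deactivated friend cannot be unfriended) beside the hardened rule (unfriending is always allowed), and implements the second mitigation as a sliding-window counter that flags accounts that toggle state too often. The 261-day horizon comes from the article; the active days, unfriend attempts, window and threshold are constructed assumptions.

```python
"""Model of the 'deactivated friend attack' with two mitigations.

Added illustration, not Facebook's or the paper's code. Days, thresholds
and the benign event log below are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SocialGraph:
    """Minimal friend graph. With allow_unfriend_inactive=False it follows
    the weak rule exploited in the paper: a deactivated friend cannot be
    unfriended. With True it follows the hardened rule."""
    allow_unfriend_inactive: bool = False
    friends: dict = field(default_factory=lambda: defaultdict(set))
    active: dict = field(default_factory=dict)
    events: list = field(default_factory=list)  # (day, account, action)

    def register(self, account):
        self.active[account] = True

    def befriend(self, a, b):
        self.friends[a].add(b)
        self.friends[b].add(a)

    def deactivate(self, account, day):
        self.active[account] = False
        self.events.append((day, account, "deactivate"))

    def reactivate(self, account, day):
        self.active[account] = True
        self.events.append((day, account, "reactivate"))

    def unfriend(self, victim, other):
        """Return True if the edge was removed."""
        if not self.active.get(other, False) and not self.allow_unfriend_inactive:
            return False  # weak rule: an inactive friend is untouchable
        self.friends[victim].discard(other)
        self.friends[other].discard(victim)
        return True

    def visible_updates(self, viewer, author, updates):
        """Friends-only posts are visible iff viewer is active and a friend."""
        if self.active.get(viewer) and viewer in self.friends[author]:
            return list(updates)
        return []


def run_attack(days=261, active_days=(30, 120, 200),
               unfriend_days=(50, 150, 250), hardened=False):
    """Simulate the cloaked attacker: befriend the victim, stay deactivated,
    reactivate only on active_days to harvest that day's post, deactivate
    again. The victim tries to unfriend the attacker on unfriend_days."""
    g = SocialGraph(allow_unfriend_inactive=hardened)
    for acct in ("attacker", "victim"):
        g.register(acct)
    g.befriend("attacker", "victim")
    g.deactivate("attacker", 0)
    harvested, unfriended = 0, False
    for day in range(1, days + 1):
        post = f"post-{day}"  # constructed: one friends-only post per day
        if day in active_days:
            g.reactivate("attacker", day)
            harvested += len(g.visible_updates("attacker", "victim", [post]))
            g.deactivate("attacker", day)
        if day in unfriend_days and not unfriended:
            unfriended = g.unfriend("victim", "attacker")
    return {"unfriended": unfriended, "harvested": harvested, "events": g.events}


def flag_toggling_accounts(events, window=365, max_toggles=3):
    """Second mitigation: flag accounts with more than max_toggles
    deactivate/reactivate events inside any window of `window` days."""
    recent = defaultdict(deque)
    flagged = set()
    for day, acct, action in sorted(events):
        if action not in ("deactivate", "reactivate"):
            continue
        q = recent[acct]
        q.append(day)
        while q and q[0] <= day - window:
            q.popleft()
        if len(q) > max_toggles:
            flagged.add(acct)
    return flagged


# Constructed benign log: one deactivation and one return a month later.
BENIGN_EVENTS = [(10, "alice", "deactivate"), (40, "alice", "reactivate")]

if __name__ == "__main__":
    weak, hard = run_attack(), run_attack(hardened=True)
    print("weak rule:", weak["unfriended"], weak["harvested"])
    print("hardened:", hard["unfriended"], hard["harvested"])
    print("flagged:", flag_toggling_accounts(weak["events"] + BENIGN_EVENTS))
```

Under the weak rule the victim's unfriend attempts all fail and every reactivation yields a post; under the hardened rule the first attempt succeeds and later reactivations see nothing. The toggle counter catches the attacker's seven state changes while leaving the single benign deactivate/reactivate pair alone; in practice the window and threshold would need tuning against real user behaviour to keep false positives low.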