University College of London student Shah Mahmood, along with Yvo Desmedt, Chair of Information Communication Technology, has discovered what they're labelling a “zero day privacy hole” in Facebook.
The vulnerability, which they call the “deactivated friend attack”, was presented at the IEEE International Workshop on Security and Social Networking in Switzerland. They say the attack works like this:
“Our deactivated friend attack occurs when an attacker adds their victim on Facebook and then deactivates her own account. As deactivation is temporary in Facebook, the attacker can reactivate her account as she pleases and repeat the process of activating and deactivating for unlimited number of times. While a friend is deactivated on Facebook, she becomes invisible. She could not be unfriended (removed from friend’s list) or added to any specific list.”
Complicating matters further, Facebook users aren't told when friends deactivate or reactivate accounts, unless of course they're using plug-ins like Unfriend Finder, a simple browser extension that lets users know when one of their friends either removes them as a contact or deactivates their account. Honestly, I don't see how this could be called an ATTACK - but oh well.