Your Facebook deactivated friend or a cloaked spy

With over 750 million active users, Facebook is the most famous social networking website. One particular aspect of Facebook widely discussed in the news and heavily researched in academic circles is the privacy of its users. In this paper we introduce a zero day privacy loophole in Facebook. We call this the deactivated friend attack. The concept of the attack is very similar to cloaking in Star Trek while its seriousness could be estimated from the fact that once the attacker is a friend of the victim, it is highly probable the attacker has indefinite access to the victims private information in a cloaked way. We demonstrate the impact of the attack by showing the ease of gaining trust of Facebook users and being befriended online. With targeted friend requests we were able to add over 4300 users and maintain access to their Facebook profile information for at least 261 days. No user was able to unfriend us during this time due to cloaking and short de-cloaking sessions. The short de-cloaking sessions were enough to get updates about the victims. We also provide several solutions for the loophole, which range from mitigation to a permanent solution.