Skip To Content
BuzzFeed News Home Reporting To You

Utilizamos cookies, próprios e de terceiros, que o reconhecem e identificam como um usuário único, para garantir a melhor experiência de navegação, personalizar conteúdo e anúncios, e melhorar o desempenho do nosso site e serviços. Esses Cookies nos permitem coletar alguns dados pessoais sobre você, como sua ID exclusiva atribuída ao seu dispositivo, endereço de IP, tipo de dispositivo e navegador, conteúdos visualizados ou outras ações realizadas usando nossos serviços, país e idioma selecionados, entre outros. Para saber mais sobre nossa política de cookies, acesse link.

Caso não concorde com o uso cookies dessa forma, você deverá ajustar as configurações de seu navegador ou deixar de acessar o nosso site e serviços. Ao continuar com a navegação em nosso site, você aceita o uso de cookies.

Invisible Facebook Friends Can See You, But You Can't See Them

Facebook zombies: You can't see them, you can't unfriend them, and you can't block them. Facebook friends are forever, whether you want them or not. Here's how anyone can use account deactivations as a creepy spying tool.

Posted on March 22, 2012, at 12:00 p.m. ET

Here's how Facebook is supposed to work: When you don't want to be someone's friend anymore, you unfriend them. Or, if you just want to keep certain things private, you can adjust their access settings. The ability to back out of a friendship is as vital online as it is off, which is why this is worrying: British security researchers Shah Mahmood and Yvo Desmedt have found a simple way to create un-unfriendable zombie accounts (via the Arxiv blog). Here's how it works:

1. Make a new account

Using an existing account works too, but the trick requires near-constant deactivation.

2. Add a bunch of friends

By day 285 of their experiment, the researchers had added 4339 friends to a fake account. These people didn't necessarily know that the account was fake, and may have mistaken its name for someone they knew. In any case, they voluntarily shared information with the owners of this account.

3. Deactivate the account

This will switch off, but not delete, your zombie account. Deactivated accounts no longer appear on other users' friend lists, and therefore can't be unfriended. Whatever the privacy settings were when they accepted your friend request are now permanently stuck.

4. Reactivate the account on demand

All you need to do to reactivate an account is log back in. All your old friends will be restored. Your friends will receive no notification of this, though, which makes it easy to log in quickly, access their profiles, then quickly deactivate again. As far as your friends are concerned, you're still gone and can't see their profiles. In reality, you're still friends and can see everything. There is no limit to the number of times a Facebook account can be reactivated.

This is more of a privacy quirk than a full-on exploit, but it's easy to imagine how people could abuse it: a jealous or abusive ex could "close" his account but still keep tabs on his partner; someone could mass-friend then deactivate in an effort to gather information about a group of people; a fired employee could invisibly stick around his company's Facebook network.

In order to kill a zombie Facebook friend you have to be online at the same time, notice it's active, and destroy its brain unfriend it. The researchers calculated the probability of someone seeing one of these zombie accounts on his active friends list at about 3/130, so good luck with that.

A BuzzFeed News investigation, in partnership with the International Consortium of Investigative Journalists, based on thousands of documents the government didn't want you to see.