Here's how Facebook is supposed to work: When you don't want to be someone's friend anymore, you unfriend them. Or, if you just want to keep certain things private, you can adjust their access settings. The ability to back out of a friendship is as vital online as it is off, which is why this is worrying: British security researchers Shah Mahmood and Yvo Desmedt have found a simple way to create un-unfriendable zombie accounts (via the Arxiv blog). Here's how it works:
1. Make a new account
2. Add a bunch of friends
3. Deactivate the account
4. Reactivate the account on demand
This is more of a privacy quirk than a full-on exploit, but it's easy to imagine how people could abuse it: a jealous or abusive ex could "close" his account but still keep tabs on his partner; someone could mass-friend then deactivate in an effort to gather information about a group of people; a fired employee could invisibly stick around his company's Facebook network.
In order to kill a zombie Facebook friend you have to be online at the same time, notice it's active, and ~~destroy its brain~~ unfriend it. The researchers calculated the probability of someone seeing one of these zombie accounts on his active friends list at about 3/130, so good luck with that.