Invisible Facebook Friends Can See You, But You Can't See Them

Facebook zombies: You can't see them, you can't unfriend them, and you can't block them. Facebook friends are forever, whether you want them or not. Here's how anyone can use account deactivations as a creepy spying tool.

Here's how Facebook is supposed to work: When you don't want to be someone's friend anymore, you unfriend them. Or, if you just want to keep certain things private, you can adjust their access settings. The ability to back out of a friendship is as vital online as it is off, which is why this is worrying: British security researchers Shah Mahmood and Yvo Desmedt have found a simple way to create un-unfriendable zombie accounts (via the Arxiv blog). Here's how it works:

1. Make a new account

2. Add a bunch of friends

3. Deactivate the account

4. Reactivate the account on demand

This is more of a privacy quirk than a full-on exploit, but it's easy to imagine how people could abuse it: a jealous or abusive ex could "close" his account but still keep tabs on his partner; someone could mass-friend then deactivate in an effort to gather information about a group of people; a fired employee could invisibly stick around his company's Facebook network.

In order to kill a zombie Facebook friend you have to be online at the same time, notice it's active, and destroy its brain (unfriend it). The researchers calculated the probability of someone seeing one of these zombie accounts on his active friends list at about 3/130, so good luck with that.
