

Facebook could have a big problem on its hands with 'memorial page' vulnerability


Killing your friends on Facebook is shockingly easy


In a post entitled "How Almost Anyone Can Take You Off Facebook (And Lock You Out)," BuzzFeed editor Katie Notopoulos demonstrates that it only takes a minute to deactivate someone's Facebook account, assuming someone with the same name died recently. Dropping a recent (in this case, six-month-old) obituary URL and your friend's email address into a "Memorialization" form can register their account as deceased and prevent them from logging in.

It took about a day before victim (and fellow BuzzFeed editor) John Herrman was unable to access Facebook, he told The Verge, which implies Facebook did attempt to verify and confirm the memorialization request. The company chose to ignore the fact that "the names aren't even spelled the same: he's 'Herrmann' (double R, double N) whereas the John I'm killing is 'Herrman' (double R, single N)," Notopoulos writes. Once denied log-in to Facebook, Herrman clicked a button to send a preliminary re-activation email to himself.

If you're an avid Facebook user, getting locked out for any period of time is a big deal. It took Herrman about an hour to get his account re-activated, but he's also a member of the press. "So far 2 1/2 days, three or four reports, nothing even resembling a human response," tweeted @RustyK, who tipped off BuzzFeed to the vulnerability after being victimized by the prank.

This isn't the first time issues with Facebook's memorialization process have arisen. Back in 2009, Simon Thulbourn documented his travails in attempting to recover his account. "We try to take all necessary precautions when processing requests, and provide an appeals process for any possible mistake we may make," says Facebook Security team member Fred Wolens. While Facebook's Security team is formidable, it likely doesn't have the resources to quickly handle hundreds or thousands of requests if this vulnerability gets exploited by tons of users.

If you've been affected by the hack, and are thus officially dead on the internet, we'd recommend taking a little vacation while you wait for Facebook to get back to you.