The Register reports that "Deactivated Friend Attack", was announced at the IEEE International workshop on Security and Social Networking SESOC 2012, held at Lugano, Switzerland on March 19th.
In 'Deactivated Friend attack' , attacker trick a user into accepting him as a friend. Once he become a friend of victim, he can deactivate his own account so that the victim cannot Unfriend the attacker. Facebook accounts can be deactivated and reactivated infinitely, facebook doesn't notify users when his friend has activated or deactivated their account.
Each time the attacker activates his account again, he can access the information posted by the victim. The victim would never know of that information-gathering effort,unless they happened to be paying attention to the temporarily uncloaked account.
"Various groups of information aggregators including marketers, background checking agencies, governments, hackers, spammers, stalkers and criminals would find this attractive as a permanent back door to the private information of a Facebook user.” Researchers said.
Researchers demonstrated the attack by making over 4300 Facebook friends and maintaining access to their Facebook profile information for a period of 261 days.
"No user was able to unfriend us during this time due to cloaking and short de-cloaking sessions. The short de-cloaking sessions were enough to get updates about the victims."Researcher said."We also provide several solutions for the loophole, which range from mitigation to a permanent solution".