Inheriting Facebook Friend Requests

Facebook calls it a feature :)

Last year in November (2017), I submitted to Facebook Whitehat a design flaw on their platform that could allow a stranger to view your private account. Facebook's security team replied and stated that this is actually a feature of Facebook (FB).

A Facebook account is linked to either a phone number or an email address when it is created. When you send a friend request to someone on FB and they ignore it, the request remains pending forever. FB appears to keep the friend request even when the person you expected to accept it deletes their account. While the chance of an email address being reissued is minimal, phone numbers are routinely recycled and reissued. So if you sent a friend request to, say, Bob last year, he never responded and then deactivated his account, and Alice later gets Bob's old number and uses it to create a Facebook account, she can decide to accept your friend request :)

I bought a couple of old-suffix Airtel SIM cards (0735 and 0736) and tried to test whether I could acquire someone's old friend requests. On the second attempt, I was able to inherit about 3 friend requests on the new account I created using a 0736* number (and viewed all of their profile and account data). This could get spooky if I could identify the owner of the former account and spoof their identity.

All the steps I took to inherit the friend requests were documented and shared with the FB security team, and their response was interesting. Even after I provided screenshots of other users' personal data, FB claimed it's a feature. I think it is a risky feature and violates some privacy laws and regulations such as the GDPR.

Facebook Response

Here is what I think Facebook can do to improve this so-called feature and its lack of control over telecoms:

  1. Setting a maximum age for friend requests that are neither accepted nor deleted (I currently have 3+ year-old friend requests sitting in my FB inbox).
  2. Another option is to set auto-reminders for Facebook users to act on (delete or resubmit) 2-week-old friend requests.
  3. Lastly, asking users for something unique (security questions, identifying 5 commonly contacted users, etc.) to associate with their account, in addition to the provided mobile number or email address.
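To make the flaw and the first mitigation concrete, here is an added example (constructed for this post, not Facebook's code) that models two request stores: a naive one that resolves pending requests by phone number and never expires them, so they pass to whoever next registers a recycled number, and a hardened one that binds requests to an account id, purges them when the account is deleted, and expires them after a maximum age. The phone number, sender name and dates are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed model (not Facebook's code) of the behaviour described above: pending
# requests are keyed by phone number and never expire, so they pass to a recycled number.
class NaiveRequestStore:
    def __init__(self):
        self.pending = {}  # phone -> list of (sender, sent_at)
    def register(self, phone):
        return phone  # the phone number *is* the identity
    def send(self, sender, to_phone, sent_at):
        self.pending.setdefault(to_phone, []).append((sender, sent_at))
    def delete_account(self, phone):
        pass  # requests outlive the account, as the post observes
    def inbox(self, phone, now):
        return [s for s, _ in self.pending.get(phone, [])]


class HardenedRequestStore:
    """Requests bound to an account id, purged on deletion, expired after MAX_AGE."""
    MAX_AGE = timedelta(days=365)  # mitigation 1: cap the age of an unanswered request
    def __init__(self):
        self.accounts = {}  # phone -> account id currently bound to it
        self.pending = {}   # account id -> list of (sender, sent_at)
        self.next_id = 1
    def register(self, phone):
        self.accounts[phone] = self.next_id  # a recycled number gets a fresh id
        self.next_id += 1
        return self.accounts[phone]
    def send(self, sender, to_phone, sent_at):
        self.pending.setdefault(self.accounts[to_phone], []).append((sender, sent_at))
    def delete_account(self, phone):
        self.pending.pop(self.accounts.pop(phone), None)  # requests die with the account
    def inbox(self, phone, now):
        acct = self.accounts.get(phone)
        if acct is None:
            return []
        live = [(s, t) for s, t in self.pending.get(acct, []) if now - t <= self.MAX_AGE]
        self.pending[acct] = live  # drop expired requests
        return [s for s, _ in live]


def recycled_number_scenario(store, deleted=True, age_days=396):
    """Bob registers a number and gets a request; if `deleted`, he deletes his account and
    Alice registers the same number. Returns the inbox seen `age_days` after the request."""
    phone, sent_at = "0736000000", datetime(2016, 10, 1)  # constructed sample values
    store.register(phone)
    store.send("you", phone, sent_at)
    if deleted:
        store.delete_account(phone)
        store.register(phone)  # Alice receives the recycled number
    return store.inbox(phone, sent_at + timedelta(days=age_days))
```

With the naive store Alice's inbox shows the request sent to Bob; with the hardened store it is empty, both because the request was purged with Bob's account and because it is older than the cap.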

In the meantime, you can delete all the friend requests on Facebook where you got snubbed, and also remember to delete requests that you don't plan to accept.

