Starting today, I’m going to remove all my personal information from Facebook and “unfriend” everyone. I’m responding to a pair of status messages that appeared on my profile over the last few weeks, though I didn’t put them there. (John calls them “phantom status messages.”)
According to the site itself, the messages were both submitted “via Text Message”, which is odd because I haven’t authorized the Facebook Texts service. I submitted a bug report to Facebook Support, but so far they’ve done nothing aside from ask me to resubmit my request if I’m “still experiencing security issues.”
Just to be clear:
- My account hasn’t been “hacked”. I changed my password as soon as the first phantom status appeared, and that didn’t stop the second message two weeks later. Since the phantom messages came from the Facebook Texts service, they didn’t require my authentication anyway.
- My computer doesn’t have a virus. (If you know me at all, you’re chuckling at the idea.) Even if by some magical circumstance it did, the virus would have to send Facebook a text message somehow, and they’d still have to accept it.
That leaves two possibilities that I can see:
- It’s a bug. Some bit of Facebook code is misrouting another user’s text messages to my profile by accident.
- It’s a security exploit. A malicious user is exploiting some crack in Facebook’s text-message-handling code to drop messages in other users’ accounts. This is less likely, but not impossible; it would probably start with innocuous messages to test the exploit.
Either way, I no longer trust my Facebook account. The phantom messages have been benign so far, but all it would take is one generic hurtful statement to become a real nightmare. (Not to mention what this implies about Facebook’s security in general.)
I still plan to keep the account itself open, because I need it for work (to develop Facebook apps) and for space advocacy (as a page admin). I just won’t be posting to it, and it won’t be “friends” with anyone. I’ll miss the easy keeping-in-touch it provides, but that’s not worth the potential hassle.