Facebook could have a big problem on its hands with 'memorial page' vulnerability

facebook log in john herrman

In a post entitled "How Almost Anyone Can Take You Off Facebook (And Lock You Out)," BuzzFeed editor Katie Notopoulos demonstrates that it only takes a minute to deactivate someone's Facebook account, assuming someone with the same name died recently. Dropping a recent (in this case, six-month-old) obituary URL and your friend's email address into a "Memorialization" form can register their account as deceased and disable them from being able to log in.

It took about a day before victim (and fellow BuzzFeed editor) John Herrman was unable to access Facebook, he told The Verge, which implies Facebook did attempt to verify and confirm the memorialization request. The company chose to ignore the fact that "the names aren't even spelled the same: he's "Herrmann" (double R, double N) whereas the John I'm killing is "Herrman" (double R, single N)," Notopoulos writes. Once denied log-in to Facebook, Herrman clicked a button to send a preliminary re-activation email to himself.

If you're an avid Facebook user, getting locked out for any period of time is a big deal. It took Hermann about an hour to get his account re-activated, but he's also a member of the press. "So far 2 1/2 days, three or four reports, nothing even resembling a human response," tweeted @RustyK, who tipped off BuzzFeed to the vulnerability after being victimized by the prank.

This isn't the first time issues with Facebook's memorialization process have arisen. Back in 2009, Simon Thulbourn documented his travails in attempting to recover his account. "We try to take all necessary precautions when processing requests, and provide an appeals process for any possible mistake we may make," says Facebook Security team member Fred Wolens. While Facebook's Security team is formidable, it likely doesn't have the resources to quickly handle hundreds or thousands of requests if this vulnerability gets exploited by tons of users.

If you've been affected by the hack, and are thus officially dead on the internet, we'd recommend taking a little vacation while you wait for Facebook to get back to you.

The Verge
Log In Sign Up

Log In Sign Up

Please choose a new Verge username and password

As part of the new Verge launch, prior users will need to choose a permanent username, along with a new password.

Your username will be used to login to Verge going forward.

I already have a Vox Media account!

Verify Vox Media account

Please login to your Vox Media account. This account will be linked to your previously existing Eater account.

Please choose a new Verge username and password

As part of the new Verge launch, prior MT authors will need to choose a new username and password.

Your username will be used to login to Verge going forward.

Forgot password?

We'll email you a reset link.

If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.

Forgot password?

Try another email?

Almost done,

By becoming a registered user, you are also agreeing to our Terms and confirming that you have read our Privacy Policy.



Choose an available username to complete sign up.

In order to provide our users with a better overall experience, we ask for more information from Facebook when using it to login so that we can learn more about our audience and provide you with the best possible experience. We do not store specific user data and the sharing of it is not required to login with Facebook.