

Warn HN: How to accidentally, irreversibly nuke your Facebook account - jpadvo

I had decided to set up a test account for an app I'm developing, so I googled "Facebook test account" and found this blog entry at position #1:

<http://developers.facebook.com/blog/post/35/>

I skimmed it for a link and clicked. The page loaded, I clicked the big button in the middle that said something like "Make [Your Name] a Test Account"...

...and my Facebook account was made unable to interact with friends and apps.

My real Facebook account. The one I use (well, formerly used) to admin multiple apps. The one I formerly used to keep in touch with hundreds of friends.

Instead of making a test account _for_ me, it had made a test account _out of me._

I contacted Facebook support, but other developers on the forum have done so with no luck. This is sickening.

_Who in their right mind creates a button labeled "create test account" that irreversibly destroys the account of the person using the system?_

And who, having committed such an atrocity of design, doesn't even help the people who accidentally click it? It is incomprehensible.

[Edit: It gets WORSE, if that is possible. The method that blog post talks about is outdated. It shouldn't be used any more. There is a much cleaner way to manage test users through official APIs. They could at least edit that post to point to the up-to-date information.]
======
dalke
To be safe, I browsed with "links."

"To make a test account, register on Facebook as you normally would. Then,
when logged in to the test account, go to this URL:
<http://www.facebook.com/developers/become_test_account.php>"

Personally from reading only to this point I would assume that it makes a new
account, rather than make the current account become a test account. Even
though that description is embedded in the URL, it isn't in the English text.

The warnings come afterwards, starting "A few important things to note". I
think the description is ambiguous, and don't get the impression that it will
trash your personal FB account.

This is such a nasty security problem it's not even funny. I haven't (and
daren't) try. But if people start putting that URL on lots of public sites,
and people click on it, then it will make a lot of people angry with FB. That
suggests a solution - post the direct link to HN and other sites and get
enough people to click on it that FB has to respond. Not a nice solution
though.

Even worse, it looks like it's a regular GET request, which isn't supposed to
have these sorts of side effects. (Again, I haven't tried.)

~~~
jpadvo
That URL itself doesn't perform the action -- that page has a button that,
when clicked, submits a form with POST. _That_ is when the action happens. In
addition, it appears that they have taken steps to prevent CSRF.

So no, it probably isn't a security issue. Just a flamingly idiotic interface
issue that is causing some developers to lose their apps and waste massive
amounts of time.

[Edit: Haha, finding and exploiting a security vulnerability would be an
effective way to get attention, but it would definitely not be nice to all the
people who would get messed up by it. I figure a HN post is a more
constructive method. ]

~~~
catshirt
also it does say " _WARNING: Test accounts CANNOT be converted back to normal
accounts and they are not allowed to access the Developer App._ " in bold
above the button. not excusing them, but they did seem to make some effort.

~~~
jpadvo
You are completely right. I admit that I wasn't paying a lot of attention. I
was in a mode of scanning-documentation-trying-to-figure-something-out. I
didn't think that poking around the developer center could destroy my account.

Obviously I was wrong, and I'm kicking myself now. But still, it is absolutely
_stupid_ to make it that easy to wreck your account.

 _Because much of the time, users won't pay attention to paragraphs of text
you put around prominent links and buttons._

[Edit] Also, the button says "Make Your Name a Test Account." I thought it was
going to make a test account _for_ me, not _from me._

~~~
mryan
While I would also be quite irate if I was in your position, it does not sound
like this can be blamed entirely on FB. My first parsing of "Make <your name>
a Test Account" is that it means "the FB account with <your name> will be
converted from a real account into a test account".

Also,

> "To make a test account, register on Facebook as you normally would. Then,
> when logged in to the test account, go to this URL"

That also seems quite clear to me:

Create a test account

Log in to the test account

Click "Make <your name> a Test Account"

That being said, I do agree - this _should_ have required more confirmation.
This could have been avoided with a simple message box saying "Hold up, are
you sure? <Your name> will no longer be a normal FB user. All <Your name's>
friends will be deleted, and you will not be able to admin any apps. If you
want a test account in addition to your normal account, you need to..."

~~~
encoderer
While I'm sympathetic to that being your first parsing, it certainly seems a
bit off to me.

For example, if you pressed a button saying "Make mryan a Cake" you probably
would expect it to give you a cake.

If it made you INTO a cake, you'd probably be in tiers. (Sorry, couldn't
resist.)

~~~
thalur
I'm not sure your example works because one would not normally expect a person
to be turned into a cake, so the "give you a cake" reading is going to seem
much more plausible.

If the button said "Make mryan a genius", what would you expect to happen?

------
PCheese
EDIT: I just confirmed this no longer works. =(

I think all you need to do is disassociate your account from the Developer
Test Accounts network via your profile settings page:
<http://www.facebook.com/editaccount.php?networks>

That should revert it to a regular account.

~~~
jpadvo
Thank you for pointing that out, but I tried that and it didn't work. The
network simply doesn't appear in my list of networks. Other developers haven't
been able to get this to work, either.

Thanks though!

~~~
PCheese
Sorry, you're right, I just confirmed that it no longer works. I'm pretty sure
that method worked just a few weeks ago though. =\ The changes are probably
related to the test user overhaul that Facebook has been working on for the
past few months. <https://developers.facebook.com/blog/post/429>

~~~
jpadvo
I bet you're right.

I'm glad they made the new system -- it looks really clean and useful. I just
wish they hadn't left the old system halfway operating, so you can fall into
it but not climb out.

And they really, really need to edit that blog post to point people to the new
system. It is in the top place of the google results for "Facebook test
account," and I'm sure it is misleading a lot of people. At the least into
using the clumsy old system, and at the worst into destroying their accounts.

------
btilly
Does Firesheep still work with Facebook? How many times do you have one
teenager at another teenager's house, with access to the computer? It just
takes a minute and the damage is done.

Why on Earth would they have a misfeature like this?

------
stanmancan
Lucky. It took me about half an hour to figure out how to delete my account.
On purpose.

~~~
kordless
I'm getting ready to have a 1 year birthday on deleting mine.

~~~
nopassrecover
If only there were some way to post an event invitation to all your friends in
a medium they check regularly :P

------
onan_barbarian
Is this relevant?

<http://www.skybondsor.com/blog/undo-test-account-on-facebook>

If so, the lesson here is that Google is your friend...

~~~
jpadvo
It is highly relevant, but it is also broken. The method stopped working
recently (according to my experience and comments that are scattered around
blog posts and the developer forum). Thank you though, for pointing it out! I
wish it worked. :(

> If so, the lesson here is that Google is your friend...

Google and I have been working very hard trying to solve this problem.
Ironically, though, right now I'm feeling a little afraid of all the big
internet companies that my working life depends on, including my good friend
Google.

------
jpadvo
I got my account back! Someone at Facebook evidently saw this, and (1) updated
the blog post and (2) brought my account back to life. Thank you!

However, unless this was a general fix, it looks like other developers are
still stranded:

<http://news.ycombinator.com/item?id=2258827>

------
jbowen
Glad to hear you're unstuck jpadvo
(<http://news.ycombinator.com/item?id=2258827>). If anyone else's real account
is stuck in the Facebook Test Account network, please write in to us at
<http://www.facebook.com/devhelp> and we'll help get you out. We've updated
the old blog post you reference with a link to our new test account
architecture (<http://developers.facebook.com/blog/post/429>) which you should
use exclusively for creating and managing test accounts going forwards. Sorry
for the confusion.

~~~
tuneupsanjeev
Hello, can you please help me get out of test account? I am in real trouble.
I have written to the link given above and nobody replied. Please help me to
get out of this. Thanks

------
cool-RR
This is why I never use my real Facebook account when developing apps. I have
a special John Doe account from which I manage all my apps. I think this is
the only solution to their incompetences.

~~~
jpadvo
I've considered that. The problem is that if they ever find out that the
account is not a "real" account, they will disable it. And, unless you have
other people as admins, _all your apps will also be deleted._

~~~
jrockway
Sharecropping is pretty rough, isn't it.

------
mendicant
I know at least a few of you thought it... what would happen if people were
tricked into clicking that link and button. Kind of an a-hole thing to do.

However, it does make me wonder how fast they might find a fix for it if it
were to happen to enough people to make it a priority. Or even, how many
people it would take to make it a priority.

------
jesseendahl
Looks like they've updated the post:

"UPDATE 2/23/2011: See the latest test user documentation."

------
what
You say there was a button that said "Make [Your Name] a Test Account". I
think it's pretty clear what that button does. If it were actually labeled
"create test account" it might be different.

~~~
chad_oliver
No, that sentence is ambiguous. Consider the phrase 'make me a sandwich',
which has an identical structure and is understood the same way the OP
understood 'Make [Your Name] a Test Account'.

~~~
duskwuff
And, if pressing a button labelled "Make Chad A Sandwich" turned you
(irreversibly) into a sandwich, I can only imagine that you wouldn't be happy
about the semantic ambiguity. :)

------
rottencupcakes
You should ask this question on Quora.

~~~
jpadvo
Good idea. If the issue doesn't get resolved quickly I will. Thanks!

~~~
jpadvo
I just submitted it as a question here:

<http://www.quora.com/I-accidentally-changed-my-Facebook-account-into-a-test-account-How-do-I-undo-this>

~~~
rottencupcakes
While it's still a good idea, you may have missed the original intention of my
post.

If you look at the facebook blog post you mention
(<http://developers.facebook.com/blog/post/35/> ), the person who posted it
was Charlie Cheever, the co-founder of Quora.

~~~
jpadvo
Haha, wow I get it now. Thank you! I just requested that he answer my question
on Quora. Long shot that anything would come of it, I know, but worth trying.

------
jpadvo
Has this happened to anyone else? Does anybody here work at Facebook and know
something about this?

~~~
pinguar
I logged in with a former FB account and after clicking the link, my
account became a test account - all contacts became unclickable, no
interactions I could make after that point.

Maybe they could pay more attention to warning users, but the link itself is
named "become_test_account.php". I hope your account got fixed.

~~~
jpadvo
...and even better, they could also provide some way to undo it. I still can't
believe such a drastic action is irreversible.

> I hope your account got fixed.

Thanks, it hasn't yet but I hope it will too.

------
jschlesser
Finally a way to totally nuke a facebook account. I thought that it was
impossible.

------
cont4gious
I think it's interesting that the idea of deleting an account on a web service
is "incomprehensible" (a bit out of context, but still relevant). It's kind of
funny how reliant we've become on a few companies and services.

------
eordano
I think that a simple prompt for user's password before doing this would be an
amazingly effective solution.
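
The safeguards suggested across this thread (no state change on GET, a CSRF token, an explicit confirmation and a password re-prompt), sketched as an added example that is not part of any comment here and is not Facebook's code. The session layout, the function names and the confirmation phrase are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are illustrative values for this sketch.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def new_session(username: str, password: str) -> dict:
    """Constructed stand-in for a server-side session plus stored credential."""
    salt = secrets.token_bytes(16)
    return {
        "user": username,
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "csrf_token": secrets.token_urlsafe(32),
        "is_test_account": False,
    }

def convert_to_test_account(method: str, session: dict, form: dict) -> tuple[int, str]:
    """Return (HTTP status, message); flip the state only if every gate passes."""
    # 1. A GET must never change state, so following a bare link does nothing.
    if method != "POST":
        return 405, "state change requires POST"
    # 2. CSRF: the submitted token must match the one bound to this session.
    sent = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, session["csrf_token"].encode()):
        return 403, "bad CSRF token"
    # 3. Re-authentication: a borrowed or hijacked session alone is not enough.
    supplied = hash_password(form.get("password", ""), session["salt"])
    if not hmac.compare_digest(supplied, session["pw_hash"]):
        return 401, "password required"
    # 4. Typed confirmation that names the account and the consequence, so a
    #    skimmed button label cannot be misread as "create an account for me".
    expected = f"convert {session['user']} permanently"
    if form.get("confirm", "").strip().lower() != expected.lower():
        return 400, f'type "{expected}" to confirm'
    session["is_test_account"] = True
    return 200, "account converted"
```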

------
audyyy
Finally, a way to delete your facebook account without that impossible to pass
2-week grace period.

------
pan69
That's why you'd use browser A (say Chrome) for browsing and browser B (say
Firefox) for anything to do with development.

~~~
waqf
But it's silly to have to tie one particular browser to one application in
this way. You might conceivably want to switch browsers for some other
purpose, _especially_ if you're developing and testing an online application.

Mozilla profiles (do they still _have_ those?) might work, though.

~~~
wladimir
Yes, Mozilla profiles still work, I use them regularly, exactly because of
this kind of stuff, to put up a cookie barrier. For example, it's handy if you
want to log into sites with multiple accounts.

------
notlion
This could be useful someday..

------
wiks
Looks like they have put some warning before using the test account.

------
shareme
Cool, we can nuke Facebook accounts! Quick, let's get people to click there!

Sarcasm aside... doesn't this sound like an MS adventure?

