He arrived on Wednesday, around the same time Facebook CEO Mark Zuckerburg’s Facebook fan page was hacked. Roy Castillo — the ghost "friend"with a man’s name and a profile pic of a teenage girl wearing sunglasses — popped up in the Facebook newsfeeds with the curt status: "Off to Danao City."
"Is anybody else getting random status updates from this person?" reads the first post in a Facebook Security discussion titled "Roy Castillo (Roy Castillo)" that now goes on for pages with posts from other Facebook users all over the world.
"Off to Danao City" couldn’t be deleted, and Roy couldn’t be blocked — because he wasn't in the friends lists of the profiles on which he appeared. Some said they tried deactivating and reactivating their Facebook accounts to get rid of him — it worked for one commenter, but not for others.
Then on Thursday, like Keyser Söze, he was gone, leaving little more than dozens of unanswered user questions, a Roy Castillo WTF Fan Page and a hilarious Twitter thread as proof he was ever there.
"Got up this morning and he was gone," writes one among several posters who reported the same. Like the others, this commenter tried fruitlessly to delete, block and report Roy Castillo as spam the night before, all to no avail. "Lets hope he stays gone!!"
And maybe he won't be back. Facebook did not respond to Technolog’s request for comment. But according to French security site Zazak, the bug that opened the door for Roy yesterday was reported, and slammed shut today.
Internet talk has it that the hacker behind the international ghost friending is a 19-year old programmer known as "creamownedz," who shared info about the bug in online forums Wednesday. It matches Zazak's report that the hacker took advantage of a cross site scripting vulnerability (XSS) that allows outsiders to add script to Web pages. In this case, that script pretty much contained Roy Castillo announcing his trip to a city in the Philippines (which, in case you didn’t know, is the country where Friendster is still king).
If Roy Castillo was a guest on your Facebook account, you still have some cleaning up to do. Guys like Roy tend to leave nasty code lying around. So clear out your computer cache and cookies, and then change your Facebook password. (You should do that reguarly, anyway.)
Keep in mind that Facebook launched two big security upgrades yesterday, Social Authentication and HTTPS encryption. The first means you may have to identify random pictures of your Facebook friends to prove you’re you. Odds are you’ll see at least one or two pictures from your friend profiles that you can’t identify — random babies, cartoon characters, etc. But Facebook gives you a few tries.
The HTTPS encryption, currently optional from your security settings, scrambles your Internet activity so important stuff such as your password can’t be picked up by prying eyes. Facebook points out that at this time, choosing HTTPS setting can slow down your Facebook account as encrypted pages take longer to load.
Still, this is an especially good option if you’re using Wi-Fi in a public area where your computer is particularly vulnerable. You never know where the next Roy Castillo is hanging out.
