Facebook Logout CSRF

In this post I am going to explain one of my findings in Facebook, the logout CSRF. Although logout CSRFs are annoying, they are not considered a security vulnerability. Facebook has the following link to unsubscribe from emails: https://www.facebook.com/o.php?k=a6d163&u=yourid&mid=606dcb7G517b252cG247fb31G5 The “u” parameter is your own Facebook user id. If you replace it with any other id,

Find Inactive/Deactivated profiles in Facebook

While searching for bugs on Facebook, I came across a link where you can find deactivated Facebook accounts. The following link should work only to find your deactivated friends, but it works for any profile on Facebook. https://www.facebook.com/ajax/friends/inactive/dialog?id=100000331676021&__user=1367024940&__a=1&__dyn&__req=1e&__rev= Here “id” is the id of the victim (it can be the id of any random Facebook user).