To be safe, I browsed with "links."

"To make a test account, register on Facebook as you normally would. Then, when logged in to the test account, go to this URL: http://www.facebook.com/developers/become_test_account.php

Personally from reading only to this point I would assume that it makes a new account, rather than make the current account become a test account. Even though that description is embedded in the URL, it isn't in the English text.

The warnings come afterwards, starting "A few important things to note". I think the description is ambiguous, and don't get the impression that it will trash your personal FB account.

This is such a nasty security problem it's not even funny. I haven't (and daren't) try. But if people start putting that URL on lots of public sites, and people click on it, then it will make a lot of people angry with FB. That suggests a solution - post the direct link to HN and other sites and get enough people to click on it that FB has to respond. Not a nice solution though.

Even worse, it looks like it's a regular GET request, which isn't supposed to have these sorts of side effects. (Again, I haven't tried.)

That URL itself doesn't perform the action -- that page has a button that, when clicked, submits a form with POST. That is when the action happens. In addition, it appears that they have taken steps to prevent CSRF.

So no, it probably isn't a security issue. Just a flamingly idiotic interface issue that is causing some developers to lose their apps and waste massive amounts of time.

[Edit: Haha, finding and exploiting a security vulnerability would be an effective way to get attention, but it would definitely not be nice to all the people who would get messed up by it. I figure a HN post is a more constructive method. ]

also it does say "WARNING: Test accounts CANNOT be converted back to normal accounts and they are not allowed to access the Developer App." in bold above the button. not excusing them, but they did seem to make some effort.

You are completely right. I admit that I wasn't paying a lot of attention. I was in a mode of scanning-documentation-trying-to-figure-something-out. I didn't think that poking around the developer center could destroy my account.

Obviously I was wrong, and I'm kicking myself now. But still, it is absolutely stupid to make it that easy to wreck your account.

Because much of the time, users won't pay attention to paragraphs of text you put around prominent links and buttons.

[Edit] Also, the button says "Make Your Name a Test Account." I thought it was going to make a test account for me, not from me.

Which is how most people operate. It is the obligation of the interface designer to take into account that people rarely read the instructions.

This is only true up to a point - perhaps not when referring to instructions about how to interface with APIs or otherwise develop custom content for the site.

Indeed, people rarely read instructions - but sometimes they read them and misinterpret them, which is what I think happened here. I still think FB should make you confirm by clicking a button though, especially if there is no way to return your account to its normal state.

While I would also be quite irate if I was in your position, it does not sound like this can be blamed entirely on FB. My first parsing of "Make <your name> a Test Account" is that it means "the FB account with <your name> will be converted from a real account in to a test account".

Also,

> "To make a test account, register on Facebook as you normally would. Then, when logged in to the test account, go to this URL"

That also seems quite clear to me: Create a test account Log in to the test account Click "Make <your name> a Test Account"

That being said, I do agree - this should have required more confirmation. This could have been avoided with a simple message box saying "Hold up, are you sure? <Your name> will no longer be a normal FB user. All <Your name's> friends will be deleted, and you will not be able to admin any apps. If you want a test account in addition to your normal account, you need to..."

While I'm sympathetic to that being your first parsing, it certainly seems a bit off to me.

For example, if you pressed a button saying "Make myran a Cake" you probably would expect it to give you a cake.

If it made you INTO a cake, you'd probably be in tiers. (Sorry, couldn't resist.)

I'm not sure your example works because one would not normally expect a person to be turned into a cake, so the "give you a cake" reading is going to seem much more plausible.

If the button said "Make myran a genius", what would you expect to happen?

Like thalur says, the cake analogy is not entirely accurate, but you make a good point - the phrasing of the statement is ambiguous, and could be taken to mean two different things:

Convert <item> in to <an object> Create <an object> belonging to <item>

Given the ambiguity, FB should probably tweak the wording to make it as obvious as possible.

Off-topic, but I am always impressed with how people share differing viewpoints on HN. It actually feels like a "forum" in the original sense of the word, instead of a shouting match between warring egos with something to prove.

Here's a super-obvious fix: Facebook should show you what they're deleting.

It's easy to be confused about which user is currently signed in, even if you did create a new account you want to use for testing.

So FB should have an intermediary step that says: WARNING: you are setting this account to test mode. That will involve DELETING its links to 354 friends (list some of them), 23 pages (list some of them), 5 years worth of status updates, etc..

Or simply don't allow an account to be set to test mode if it has more than 2 friends or 5 status updates (etc... some reasonable test).

If you linked to the page with the button itself, and labelled the link something like "go here to sign up for the beta test of {awesomeapp}", you would probably get a massive number of people clicking it.

Clever idea -- human engineering can get past any kind of software security.

But I don't want fix this problem for myself by dragging more people into the pain. Thanks for trying to help, though.

You can still clickjack it, can't you?

Probably not, because pages inside Facebook proper don't display inside frames. Despite some terrible failings with providing support to the human beings who use their services, they've got good engineers doing security. :)

EDIT: I just confirmed this no longer works. =(

I think all you need to do is disassociate your account from the Developer Test Accounts network via your profile settings page: http://www.facebook.com/editaccount.php?networks

That should revert it to a regular account.

Damn. I was honestly hoping I'd just found a way to get rid of an old Facebook account that I no longer use, and despite having requested it be deleted on numerous occasions, still get email from.

Try the following link, it is supposed to really delete your account:

https://www.facebook.com/help/contact.php?show_form=delete_a...

I suppose I'll know in 14 days. Regards.

Thank you for pointing that out, but I tried that and it didn't work. The network simply doesn't appear in my list of networks. Other developers haven't been able to get this to work, either.

Thanks though!

Sorry, you're right, I just confirmed that it no longer works. I'm pretty sure that method worked just a few weeks ago though. =\ The changes are probably related to the test user overhaul that Facebook has been working on for the past few months. https://developers.facebook.com/blog/post/429

I bet you're right.

I'm glad they made the new system -- it looks really clean and useful. I just wish they hadn't left the old system halfway operating, so you can fall into it but not climb out.

And they really, really need to edit that blog post to point people to the new system. It is in the top place of the google results for "Facebook test account," and I'm sure it is misleading a lot of people. At the least into using the clumsy old system, and at the worst into destroying their accounts.

Does Firesheep still work with Facebook? How many times do you have one teenager at another teenager's house, with access to the computer? It just takes a minute and the damage is done.

Why on Earth would they have a misfeature like this?

Lucky. It took me about half an hour to figure out how to delete my account. On purpose.

I'm getting ready to have a 1 year birthday on deleting mine.

If only there were some way to post an event invitation to all your friends in a medium they check regularly :P

Is this relevant?

http://www.skybondsor.com/blog/undo-test-account-on-facebook

If so, the lesson here is that Google is your friend...

It is highly relevant, but it is also broken. The method stopped working recently (according to my experience and comments that are scattered around blog posts and the developer forum). Thank you though, for pointing it out! I wish it worked. :(

> If so, the lesson here is that Google is your friend...

Google and I have been working very hard trying to solve this problem. Ironically, though, right now I'm feeling a little afraid of all the big internet companies that my working life depends on, including my good friend Google.

I got my account back! Someone at Facebook evidently saw this, and (1) updated the blog post and (2) brought my account back to life. Thank you!

However, unless this was a general fix, it looks like other developers are still stranded:

http://news.ycombinator.com/item?id=2258827

Glad to hear you're unstuck jpadvo (http://news.ycombinator.com/item?id=2258827). If anyone else's real account is stuck in the Facebook Test Account network, please write in to us at http://www.facebook.com/devhelp and we'll help get you out. We've updated the old blog post you reference with a link to our new test account architecture (http://developers.facebook.com/blog/post/429) which you should use exclusively for creating and managing test accounts going forwards. Sorry for the confusion.

hello, can you please help me get out of test account?> I am in real trouble. i have writen to the link given above and nobody replied. please help me to get out of this.. thanks

This is why I never use my real Facebook account when developing apps. I have a special John Doe account from which I manage all my apps. I think this is the only solution to their incompetences.

I've considered that. The problem is that if they ever find out that the account is not a "real" account, they will disable it. And, unless you have other people as admins, all your apps will also be deleted.

Sharecropping is pretty rough, isn't it.

I know at least a few of you thought it... what would happen if people were tricked into clicking that link and button. Kind of an a-hole thing to do.

However, it does make me wonder how fast they might find a fix for it if it were to happen to enough people to make it a priority. Or even, how many people it would take to make it a priority.

Looks like they've updated the post:

"UPDATE 2/23/2011: See the latest test user documentation."

You say there was a button that said "Make [Your Name] a Test Account". I think it's pretty clear what that button does. If it were actually labeled "create test account" it might be different.

No, that sentence is ambiguous. Consider the phrase 'make me a sandwich', which has an identical structure and is understood the same way the OP understood 'Make [Your Name] a Test Account'.

And, if pressing a button labelled "Make Chad A Sandwich" turned you (irreversibly) into a sandwich, I can only imagine that you wouldn't be happy about the semantic ambiguity. :)

Clearly it's the "sudo make me a sandwich" button that would turn you into a sandwich.

You should ask this question on Quora.

Good idea. If the issue doesn't get resolved quickly I will. Thanks!

I just submitted it as a question here:

http://www.quora.com/I-accidentally-changed-my-Facebook-acco...

While it's still a good idea, you may have missed the original intention of my post.

If you look at the facebook blog post you mention (http://developers.facebook.com/blog/post/35/ ), the person who posted it was Charlie Cheever, the co-founder of Quora.

Haha, wow I get it now. Thank you! I just requested that he answer my question on Quora. Long shot that anything would come of it, I know, but worth trying.

Has this happened to anyone else? Does anybody here work at Facebook and know something about this?

I logged in with a former FB account and after clicking to the link, my account became a test account -all contacts became unclickable, no interactions I could make after that point.

Maybe they could pay more attention to warn users but the link itself named "become_test_account.php". I hope your account got fixed.

...and even better, they could also provide some way to undo it. I still can't believe such a drastic action is irreversible.

> I hope your account got fixed.

Thanks, it hasn't yet but I hope it will too.

Finally a way to totally nuke a facebook account. I thought that it was impossible.

I think it's interesting that the idea of deleting an account on a web service is "incomprehensible" (a bit out of context, but still relevant). It's kind of funny how reliant we've become on a few companies and services.

I think that a simple prompt for user's password before doing this would be an amazingly effective solution.

Finally, a way to delete your facebook account without that impossible to pass 2-week grace period.

But it's silly to have to tie one particular browser to one application in this way. You might conceivably want to switch browsers for some other purpose, especially if you're developing and testing an online application.

Mozilla profiles (do they still have those?) might work, though.

Yes, mozilla profiles still work, I use them regularly, exactly because of this kind of stuff, to put up a cookie barrier. For example, it's handy if you want to log into sites with multiple accounts.

i dont think thats relevant in this situation. your facebook profile is browser independent.

and to think, i clicked on this link hopeful of a way to permanently delete my facebook account instead of just "deactivating" it...

If you dig through the help for account deletion, the magic button is there. Some arbitrary number of days later your account is permanently deleted (as in deleted, not deactivated).

Worked as of Dec '10

This could be useful someday..

Looks like they have put some warning before using the test account.

Cool we can nuke facebook accounts! Quick lets get people to click there!

Sarcasm aside..doesn't this sound like an MS adventure?