Facebook accused of tracking logged-off users by Aussie hacker

By Stewart Mitchell on Sep 27, 2011 2:24 PM
Filed under Security

Aussie hacker points the finger.

Facebook continues to use cookies to follow people across the web, even when they're done using the site, according to Australian hacker and writer Nik Cubrilovic.

“Logging out of Facebook only de-authorises your browser from the web application; a number of cookies (including your account number) are still sent along with all requests to facebook.com,” Cubrilovic said in a blog post discussing the issue.

“Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.”

According to HTTP headers in traffic logs shown by Cubrilovic, Facebook sent nine different cookies, even after users logged out.

“This is not what 'logout' is supposed to mean - Facebook is only altering the state of the cookies instead of removing all of them when a user logs out,” he said.

Although Facebook said the tracking is to improve user experience, the logged-off tracking data could represent a useful source for mining users' habits, and pose a security risk on public computers.

“There are serious implications if you are using Facebook from a public terminal,” Cubrilovic said. “If you log in on a public terminal and then hit 'log out', you are still leaving behind fingerprints of having been logged in.

“As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser. Associating an account ID with a real name is easy - as the same ID is used to identify your profile.”
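The behaviour described above (logout alters cookie state rather than removing the cookies) can be checked from a captured logout response. The following is an added example, not code from the article or from Cubrilovic's post; the cookie names, the jar contents and the Set-Cookie headers are constructed for illustration.

```python
"""Check whether a logout response clears the browser's cookies or merely alters them."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample: cookies the browser held before logout (hypothetical names).
JAR_BEFORE = {"session": "abc123", "acct_id": "100001", "locale": "en_AU", "dc": "x"}

# Constructed Set-Cookie headers from a hypothetical logout response.
LOGOUT_SET_COOKIE = [
    "session=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
    "acct_id=100001; Path=/; Secure",  # re-set, not cleared: only state changed
    "dc=; Max-Age=0; Path=/",
]

# Cookies that identify the account and must not survive logout (hypothetical).
IDENTITY_COOKIES = {"session", "acct_id"}


def _is_clearing(morsel, now):
    """True if a Set-Cookie morsel removes the cookie (expired, Max-Age<=0 or empty)."""
    if morsel["max-age"]:
        return morsel["max-age"].lstrip("-").isdigit() and int(morsel["max-age"]) <= 0
    if morsel["expires"]:
        try:
            return parsedate_to_datetime(morsel["expires"]) <= now
        except (TypeError, ValueError):
            return False
    return morsel.value == ""


def cookies_after_logout(jar_before, set_cookie_headers, now=None):
    """Apply the logout response's Set-Cookie headers to the jar, as a browser would."""
    now = now or datetime.now(timezone.utc)
    jar = dict(jar_before)
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if _is_clearing(morsel, now):
                jar.pop(name, None)
            else:
                jar[name] = morsel.value
    return jar


def surviving_identity_cookies(jar_before, set_cookie_headers, now=None):
    """Identity-bearing cookies still present after logout; an empty list is the goal."""
    after = cookies_after_logout(jar_before, set_cookie_headers, now)
    return sorted(name for name in after if name in IDENTITY_COOKIES)


def clearing_headers(cookie_names, path="/"):
    """Set-Cookie headers a logout should emit to remove every listed cookie."""
    return [f"{n}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path={path}"
            for n in cookie_names]
```

Running `surviving_identity_cookies(JAR_BEFORE, LOGOUT_SET_COOKIE)` reports the account-ID cookie as surviving, while applying `clearing_headers(JAR_BEFORE)` instead leaves the jar empty.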

Facebook feedback

Facebook has yet to respond to a request for comment from PC Pro, but the company appears to have used the blog itself to address the issue.

“I’m an engineer who works on login systems at Facebook. We haven’t done as good a job as we could have to explain our cookie practices,” Gregg Stefancik posted on the blog, adding that he believed there were inaccuracies in the assertions made.

“Generally, unlike other major internet companies, we have no interest in tracking people,” he said. “We don’t have an ad network and we don’t sell people’s information. Our cookies aren’t used for tracking.”

Stefancik said the undeleted cookies were used to either “provide custom content (for example, your friend’s likes within a social plugin), help improve or maintain our service (measuring click-through rates to help optimise performance), or protect our users and our service (for example, defending denial of service attacks)”.

This article originally appeared at pcpro.co.uk

Copyright © Alphr, Dennis Publishing
