Facebook this week issued a fix for Web cookies that continued to track browser activity after a user had logged out of the social-networking site, according to blogger and hacker Nik Cubrilovic.
Facebook confirmed the fix, but insisted that its users’ personal information was not compromised in any way.
In a Sunday blog post, Cubrilovic argued that Facebook can track your Web activity outside Facebook.com even if you have signed out of the service. “Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions,” he said at the time.
On that initial blog post, Gregg Stefancik, a Facebook engineer, posted a comment and said that Facebook “cookies aren’t used for tracking.”
In working with Cubrilovic over the past 48 hours, however, Facebook has identified several cookies that were unnecessarily saving user data after logout and after a browser restart. Cubrilovic has more of the technical details in an updated blog post, but as of today, the cookies, one of which identified your user account, are “destroyed on logout,” he said.
“Like every site on the Internet that personalizes content and tries to provide a secure experience for users, we place cookies on the computer of the user. Three of these cookies on some users’ computers inadvertently included unique identifiers when the user had logged out of Facebook,” according to Facebook’s Stefancik. “However, we did not store these identifiers for logged out users. Therefore, we could not have used this information for tracking or any other purpose. In addition, we fixed the cookies so that they won’t include unique information in the future when people log out.”
Stefancik insisted there was “no security or privacy breach.”
Not all cookies will be deleted; those that remain are there primarily for security reasons, according to Facebook and Cubrilovic.
A cookie known as “datr,” for example, helps identify suspicious login activity, while another, called “lu,” protects those using public computers, according to Facebook.
“These cookies, by the very purpose they serve, uniquely identify the browser being used—even after logout. As a user, you have to take Facebook at their word that the purpose of these cookies is only for what is being described,” Cubrilovic wrote.
There are other, less interesting cookies, Cubrilovic said, but they mainly “set things like the language of your browser and device dimensions.”
He was most interested, he said, in an “act” cookie, which included a timestamp in milliseconds.
“What interested me was that not only was the timestamp accurate to milliseconds (ie. thousandths of a second) but that an additional number was being added to it. My gut instinct was that the additional number … was being added to make the timestamp unique for each and every request. Facebook confirmed this,” he wrote. “I understand the technical reason for that – they can store the timestamp as a primary key in their logging backend and not have to associate benchmarking of each request back to a user. I believe Facebook here when they say that although this is a unique identifier it isn’t used to link back to a user id – but it is definitely being logged and it can be linked to a user.”
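The check described above, as an added example that is not code from Cubrilovic or Facebook: it audits the Set-Cookie headers of a logout response, listing which cookies are destroyed and which survivors still carry a value unique enough to identify the browser. Only the cookie names "datr", "lu" and "act" come from the article; the other names, every value, the "act" value layout and the uniqueness heuristic are assumptions made for illustration.

```javascript
// Constructed Set-Cookie headers from a hypothetical logout response.
// Only the names "datr", "lu" and "act" come from the article; "uid_example",
// "locale" and every value (including the act layout) are invented.
const SAMPLE_LOGOUT_HEADERS = [
  "uid_example=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/",
  "datr=Zk3fQx81LmPq7RtYw2Hs9AbC; Max-Age=63072000; Path=/; HttpOnly",
  "lu=Rg8TnWv4KeLx0PzJd6; Max-Age=63072000; Path=/; HttpOnly",
  "act=1317000000123%2F4; Path=/",
  "locale=en_US; Max-Age=604800; Path=/",
];

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Cleared when Max-Age <= 0 or Expires is past; Max-Age wins (RFC 6265).
function isCleared(cookie, now) {
  if ("max-age" in cookie.attrs) return Number(cookie.attrs["max-age"]) <= 0;
  if ("expires" in cookie.attrs) return Date.parse(cookie.attrs.expires) <= now;
  return false; // no expiry attribute: a session cookie, not a deletion
}

// Heuristic (assumption): a 13-digit run (ms timestamp) or a long opaque token.
function looksUnique(value) {
  const v = decodeURIComponent(value);
  return /\d{13}/.test(v) || /^[A-Za-z0-9_-]{16,}$/.test(v);
}

// Split the logout response into cleared cookies and survivors worth review.
function auditLogout(headers, now = Date.now()) {
  const report = { cleared: [], persistsUnique: [], persistsOther: [] };
  for (const c of headers.map(parseSetCookie)) {
    if (isCleared(c, now)) report.cleared.push(c.name);
    else if (looksUnique(c.value)) report.persistsUnique.push(c.name);
    else report.persistsOther.push(c.name);
  }
  return report;
}

console.log(auditLogout(SAMPLE_LOGOUT_HEADERS));
```

Cookies reported under `persistsUnique` are the ones to question after logout: they may serve a security purpose, as the article says of "datr" and "lu", but they still distinguish one browser from another.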
Overall, Cubrilovic said Facebook has changed as much as they can. “I would still recommend that users clear cookies or use a separate browser, though,” he said. “I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe.”
Cubrilovic looked into the issue after a blogger expressed concern over Facebook’s new open graph “frictionless sharing” concept. Facebook teamed up with music sites like Spotify, Rdio, and Slacker to allow users to share listening habits. Those who download a Facebook-centric app from each of those services will share every single song they listen to with their Facebook friends. The same option will be available for Hulu and Netflix, at least outside the United States, as well as media sites like Yahoo News.
Facebook basically frames this as a hassle-free recommendation engine. You share your Web activity and maybe find some new artists, movies, or news stories based on what your friends are doing. Of course, the concern is that you might not want to share everything you’re doing outside of Facebook. Does everyone need to know you listened to a Justin Bieber song, read an article about how to get over your ex, or watched cartoons on Hulu? Stay tuned.
For more, see PCMag’s “When Facebook Gets Creepy” slideshow below.
The Office of the Data Protection Commissioner of Ireland will launch a "comprehensive audit" of Facebook Ireland before the end of the month, DPC spokesperson Ciara O'Sullivan told TechNewsWorld on Friday.