Report: Facebook tracks you after you log out

It turns out that Facebook has some serious security flaws: the social network appears to still track its users after they have logged out of the service. An analysis (via BetaNews) by Australian writer and hacker Nik Cubrilovic uncovered the flaw by comparing the state of cookies before and after logging out of Facebook.

For those who aren’t aware, a “cookie” is an important part of authentication and log-on systems that stores data given by servers locally in your browser; however, the improper use of cookies can lead to security flaws. All is normal in the cookie department while logging in to Facebook, but upon logout it was discovered that Facebook does not delete all the cookies that were created during log-in. In fact, two cookies are given new expiry dates and three new cookies are set.

Cubrilovic discovered that logging out of Facebook does not actually delete the primary user identification cookies, so even if you are logged out of your account, when you visit websites with any Facebook Like or Share button the information is sent back to Facebook. Cubrilovic states that the only way to overcome this form of tracking is to delete all your Facebook cookies to ensure you are not tracked while you are logged out.

He also states that Facebook uses this information to suggest friends to you that use the same browser, which may be fine in most circumstances, but he goes on to mention the implications:

"If you log in on a public terminal and then hit 'logout', you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser."

Australian-born Nik Cubrilovic has mentioned this issue to Facebook on numerous occasions but has received no response so far.
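
The before-and-after comparison described above can be reproduced against any site's logout response. The following is an added example, not Cubrilovic's or Facebook's code: it classifies each cookie as deleted, kept, re-issued or new from the logout response's Set-Cookie headers. The cookie names, values and dates are constructed, and cookies are matched by name only (Domain and Path are ignored).

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header, now):
    """Return (name, expiry); expiry is None for a session cookie."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    expires = max_age = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "expires":
            expires = parsedate_to_datetime(val.strip())
        elif key == "max-age":
            max_age = now + timedelta(seconds=int(val))
    return name, max_age or expires  # Max-Age takes precedence (RFC 6265)

def audit_logout(before, logout_headers, now):
    """Classify every cookie as deleted, kept, re-issued or new."""
    status = {name: "kept" for name in before}  # untouched by logout: it survives
    for header in logout_headers:
        name, expiry = parse_set_cookie(header, now)
        if expiry is not None and expiry <= now:
            status[name] = "deleted"      # expiry in the past: browser drops it
        elif name in before:
            status[name] = "re-issued"    # same cookie, new value or expiry
        else:
            status[name] = "new"          # first set by the logout response
    return status

def survivors(status):
    """Names of cookies still in the browser after logout."""
    return sorted(n for n, s in status.items() if s != "deleted")

# Constructed sample data: cookie jar before logout and the logout response.
NOW = datetime(2011, 9, 26, tzinfo=timezone.utc)
BEFORE = {"session", "uid", "device_id", "locale"}
LOGOUT_HEADERS = [
    "session=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/",
    "uid=1234; Expires=Wed, 25 Sep 2013 00:00:00 GMT; Path=/",
    "device_id=abc; Max-Age=63072000; Path=/",
    "last_user=1234; Expires=Wed, 25 Sep 2013 00:00:00 GMT; Path=/",
]

if __name__ == "__main__":
    for name, state in sorted(audit_logout(BEFORE, LOGOUT_HEADERS, NOW).items()):
        print(f"{name:10} {state}")
```

A logout that truly ends the session leaves no identifying cookie in the `survivors` list; anything there is still sent with later requests to that domain.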


13 Comments


Not only that. Facebook traces you even if you don't have a Facebook account. A cookie is set whenever someone visits a site with "Like" embedded. From that moment on the visitor is traced.

For Firefox users an easy solution to stop cross-domain tracking via cookies is to do the following:

1. Open Firefox options/preferences
2. Switch to the Privacy tab
3. Select "Use custom settings for history"
4. Deselect "Accept third-party cookies"

Unlike Chrome, Firefox (and Opera AFAIK) features true third-party cookie blocking, i.e. it will neither allow third-party domains setting new cookies nor reading existing ones (Chrome allows the latter).

Gaara sama said,
So now on I will use Google+ to talk to my friend since Facebook is tracking people with ppl to know. This is not right.
yeah ... because Google would never track its users

/s

OR just add these lines to AdBlock:
||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net|~mail.google.com
||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net|~mail.google.com
||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net|~mail.google.com
||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net|~mail.google.com

You can remove mail.google.com if you want to block thumbnails of Facebook friends showing up in Gmail, too. Personally I like them there.

The Dark Knight said,
Or, you can just use Facebook Disconnect for Chrome! Firefox users, get Ghostery!

Another reason I just can't switch to IE. Ghostery plugin for Firefox.