Facebook can track you even after logout - hacker

Facebook users, be warned: the social network giant may still be able to track you even after you log out of your session. This was the finding of an Australian hacker who said Facebook's "cookies" (bits of information saved on a user's computer) still let Facebook keep tabs.

"(L)ogging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions," hacker Nik Cubrilovic said in a blog post.

He also noted Facebook's new application programming interface (API) allows applications to post status items to one's Facebook timeline without user intervention.

This may raise a privacy concern that "because you no longer have to explicitly opt-in to share an item, you may accidentally share a page or an event that you did not intend others to see."

Cubrilovic said that during logout, a number of Facebook cookies are not being deleted.

He noted two cookies (locale and lu) are given new expiry dates, and three new cookies (W, fl, L) are set.

When he made a subsequent request to www.facebook.com as a "logged out" user, he said the primary cookies that identify him as a user are still there.

"This is not what 'logout' is supposed to mean - Facebook (is) only altering the state of the cookies instead of removing all of them when a user logs out," he said.

Such a setup allows a supposedly logged-out user to still send his or her account ID to Facebook when he or she visits any page with a Facebook "Like" button, or share button, or any other widget.

"The only solution to Facebook not knowing who you are is to delete all Facebook cookies," he said.
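The logout behaviour described above can be checked by comparing the browser's cookie jar before logout with the Set-Cookie headers in the logout response. The following is an added example, not code from Cubrilovic's post or from Facebook; the cookie values, the timestamps and the names `session` and `account_id` are constructed, while `locale`, `lu`, `W`, `fl` and `L` are the cookie names given above.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return first.partition("=")[0].strip(), attrs

def is_deletion(attrs, now):
    """True if the header expires the cookie: Max-Age <= 0 or Expires in the past."""
    try:
        if "max-age" in attrs:  # Max-Age takes precedence over Expires
            return int(attrs["max-age"]) <= 0
        if "expires" in attrs:
            exp = parsedate_to_datetime(attrs["expires"])
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            return exp <= now
    except (TypeError, ValueError):
        pass  # unparseable date: assume the cookie is not cleared
    return False

def audit_logout(jar_before, set_cookie_headers, now):
    """Classify every cookie after logout; the last header for a name wins."""
    state = {name: "untouched" for name in jar_before}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if is_deletion(attrs, now):
            state[name] = "cleared"
        else:
            state[name] = "refreshed" if name in jar_before else "new"
    return state

def still_sent(state):
    """Cookies the browser keeps sending to the site after 'logout'."""
    return sorted(n for n, s in state.items() if s != "cleared")

# Constructed sample: values and the names 'session'/'account_id' are made up.
SAMPLE_NOW = datetime(2011, 9, 26, tzinfo=timezone.utc)
SAMPLE_JAR = {"session": "s1", "account_id": "1000", "locale": "en_US", "lu": "x"}
SAMPLE_HEADERS = [
    "session=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/",
    "locale=en_US; expires=Mon, 03 Oct 2011 00:00:00 GMT; path=/",
    "lu=x; expires=Wed, 25 Sep 2013 00:00:00 GMT; path=/; HttpOnly",
    "W=1; path=/", "fl=1; path=/", "L=2; path=/",
]

if __name__ == "__main__":
    print(still_sent(audit_logout(SAMPLE_JAR, SAMPLE_HEADERS, SAMPLE_NOW)))
```

A logout that really ends tracking would leave `still_sent` empty, or holding only cookies that carry no user or browser identifier.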

Log-out experiments

Cubrilovic recalled an experiment where he created a number of fake Facebook accounts after logging out of his browser.

After using the fake accounts for some time, he found that they were suggesting his real account to him as a friend.

"Somehow Facebook knew that we were all coming from the same browser, even though I had logged out," he said.

He said this has serious implications if one uses Facebook from a public terminal.

"If you login on a public terminal and then hit 'logout,' you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser," he said.

He pointed out Facebook knows every account that has accessed Facebook from every browser and is using that information to suggest friends to a user.

"The strength of the 'same machine' value in the algorithm that works out friends to suggest may be low, but it still happens. This is also easy to test and verify," he said.

Reported to Facebook

Cubrilovic said he reported this issue to Facebook in a detailed email but got the "bounce-around."

He said the entire process was so flaky and frustrating that he did not bother sending them two XSS holes that he had also found in the past year.

"The question is what it will take for Facebook to address privacy issues and to give their users the tools required to manage their privacy and to implement clear policies - not pages and pages of confusing legal documentation, and 'logout' not really meaning 'logout,'" he said. — TJD, GMA News
