Facebook users, be warned: the social network giant may still be able to track you even after you log out of your session. This was the finding of an Australian hacker who said Facebook's "cookies" —bits of information saved on a user's computer— still let Facebook keep tabs on you.
"(L)ogging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions," hacker Nik Cubrilovic said in a blog post.
He also noted Facebook's new application programming interface (API) allows applications to post status items to one's Facebook timeline without user intervention.
This may raise a privacy concern that "because you no longer have to explicitly opt-in to share an item, you may accidentally share a page or an event that you did not intend others to see."
Cubrilovic said that during logout, a number of Facebook cookies are not deleted.
He noted two cookies (locale and lu) are given new expiry dates, and three new cookies (W, fl, L) are set.
When he made a subsequent request to www.facebook.com as a "logged out" user, he said the primary cookies that identify him as a user were still there.
"This is not what 'logout' is supposed to mean - Facebook (is) only altering the state of the cookies instead of removing all of them when a user logs out," he said.
Such a setup allows a supposedly logged-out user to still send his or her account ID to Facebook when he or she visits any page with a Facebook "Like" button, or share button, or any other widget.
"The only solution to Facebook not knowing who you are is to delete all Facebook cookies," he said.
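The check a web developer or tester would want for the behaviour described above is one that replays a logout response's Set-Cookie headers against the browser's cookie jar and reports which identifying cookies survive. The following is an added example, not code from the article or from Facebook: the cookie names session_id and account_id, the cookie values, the "identifying" set and the response headers are all constructed for illustration (only locale, lu, W, fl and L are names the article mentions). It also shows what a clean logout response looks like: one Set-Cookie header per known cookie, each expiring it.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed browser cookie jar before logout. session_id and account_id are
# illustrative names (assumption); locale and lu are cookie names the article cites.
BEFORE_LOGOUT = {
    "session_id": "s3ss10n-t0k3n",
    "account_id": "100000123456",   # stands in for the account-number cookie
    "locale": "en_US",
    "lu": "abcdef",
}

# Constructed Set-Cookie headers modelling a logout that only alters cookie state:
# the session cookie is expired, locale/lu get new expiry dates, W/fl/L are added,
# and the account_id cookie is not touched at all.
LOGOUT_RESPONSE_HEADERS = [
    "session_id=deleted; Max-Age=0; Path=/",
    "locale=en_US; Max-Age=31536000; Path=/",
    "lu=abcdef; Expires=Thu, 01 Jan 2099 00:00:00 GMT; Path=/",
    "W=1; Path=/",
    "fl=1; Path=/",
    "L=2; Path=/",
]

# Cookies that can tie later requests back to an account (assumption for this example).
IDENTIFYING = {"session_id", "account_id", "lu"}


def _expired(morsel):
    """True if a Set-Cookie morsel tells the browser to delete the cookie."""
    max_age = morsel["max-age"]
    if max_age != "":
        return int(max_age) <= 0          # Max-Age takes precedence over Expires
    expires = morsel["expires"]
    if expires != "":
        return parsedate_to_datetime(expires) <= datetime.now(timezone.utc)
    return False                          # no expiry: session cookie, kept for now


def apply_set_cookie(jar, headers):
    """Return a new jar reflecting what a browser keeps after these headers."""
    jar = dict(jar)
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if _expired(morsel):
                jar.pop(name, None)       # browser discards an expired cookie
            else:
                jar[name] = morsel.value  # new or renewed cookie stays
    return jar


def audit_logout(before, headers, identifying=IDENTIFYING):
    """Report which cookies survive logout and whether any of them identify the user."""
    after = apply_set_cookie(before, headers)
    leaked = sorted(name for name in after if name in identifying)
    return {
        "remaining": after,
        "identifying_remaining": leaked,
        "logout_is_clean": not leaked,
    }


def clean_logout_headers(cookie_names):
    """Set-Cookie headers a logout should send: expire every cookie it knows about."""
    return [
        f"{name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/"
        for name in sorted(cookie_names)
    ]


if __name__ == "__main__":
    report = audit_logout(BEFORE_LOGOUT, LOGOUT_RESPONSE_HEADERS)
    print("after logout:", sorted(report["remaining"]))
    print("identifying cookies still sent:", report["identifying_remaining"])
    fixed = audit_logout(BEFORE_LOGOUT, clean_logout_headers(BEFORE_LOGOUT))
    print("after clean logout:", sorted(fixed["remaining"]))
```

Run against a real site, the same audit would take the jar from the browser and the headers from the actual logout response; the point of the check is that a cookie which is merely renewed or left untouched, rather than expired, keeps being attached to every request to that domain, exactly the condition Cubrilovic describes. Path and Domain scoping are ignored here, so the model is slightly more lenient than a browser.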
Cubrilovic recalled an experiment in which he created a number of fake Facebook accounts after logging out of Facebook in the same browser.
After using the fake accounts for some time, he found that they were suggesting his real account to him as a friend.
"Somehow Facebook knew that we were all coming from the same browser, even though I had logged out," he said.
He said this has serious implications for anyone who uses Facebook from a public terminal.
"If you login on a public terminal and then hit 'logout,' you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser," he said.
He pointed out that Facebook knows every account that has accessed Facebook from every browser and is using that information to suggest friends to a user.
"The strength of the 'same machine' value in the algorithm that works out friends to suggest may be low, but it still happens. This is also easy to test and verify," he said.
Reported to Facebook
Cubrilovic said he reported this issue to Facebook in a detailed email but got the "bounce-around."
He said the entire process was so flaky and frustrating that he did not bother sending them two XSS holes that he had also found in the past year.
"The question is what it will take for Facebook to address privacy issues and to give their users the tools required to manage their privacy and to implement clear policies - not pages and pages of confusing legal documentation, and 'logout' not really meaning 'logout,'" he said. — TJD, GMA News