It turns out that Facebook has some serious security flaws: the social network appears to keep tracking its users after they have logged out of the service. An analysis (via BetaNews) by Australian writer and hacker Nik Cubrilovic uncovered the flaw after he compared the state of Facebook's cookies before and after logging out.
For those who aren't aware, a "cookie" is a core part of authentication and login systems: it stores data sent by a server locally in your browser. Used improperly, however, cookies can lead to security flaws. Everything is normal in the cookie department while logging in to Facebook, but on logout Cubrilovic found that Facebook does not delete all the cookies created during login. In fact, two cookies are given new expiry dates and three new cookies are set.
Cubrilovic discovered that logging out of Facebook does not actually delete the primary user-identification cookies, so even when you are logged out of your account, any website you visit that carries a Facebook Like or Share button sends that information back to Facebook. Cubrilovic states that the only way to defeat this form of tracking is to delete all your Facebook cookies, which ensures you are not tracked while logged out.
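As an added example, not from the original article or from Cubrilovic's analysis, here is a Python check that performs the kind of before/after comparison described above: given the cookie names present before logout and the Set-Cookie headers of the logout response, it reports which cookies were actually cleared, which were renewed with a new expiry, which were newly set, and which were left untouched. The cookie names and header lines are constructed sample data, not Facebook's.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

def _is_expired(morsel, now):
    """A cookie is cleared when the server sets Max-Age<=0 or a past Expires."""
    if morsel["max-age"] != "":
        return int(morsel["max-age"]) <= 0
    if morsel["expires"] != "":
        exp = parsedate_to_datetime(morsel["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return exp <= now
    return False  # no expiry: a session cookie that lives until the browser closes

def classify_logout(pre_logout_names, set_cookie_headers, now=None):
    """Compare cookies present before logout with what the logout response does.
    cleared: expired by the response; renewed: already present, re-set with a
    future expiry; new: set only now; untouched: not mentioned, still sent later.
    """
    now = now or datetime.now(timezone.utc)
    result = {"cleared": [], "renewed": [], "new": [], "untouched": []}
    seen = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses one raw Set-Cookie header value
        for name, morsel in jar.items():
            seen.add(name)
            if _is_expired(morsel, now):
                result["cleared"].append(name)
            elif name in pre_logout_names:
                result["renewed"].append(name)
            else:
                result["new"].append(name)
    result["untouched"] = list(set(pre_logout_names) - seen)
    return {k: sorted(v) for k, v in result.items()}

# Constructed sample: these cookie names and Set-Cookie lines are made up.
PRE_LOGOUT = {"session_id", "user_id", "device_id"}
LOGOUT_RESPONSE = [
    "session_id=; Max-Age=0; Path=/",
    "user_id=u123; Expires=Sat, 01 Jan 2033 00:00:00 GMT; Path=/",
    "seen_logout=1; Expires=Sat, 01 Jan 2033 00:00:00 GMT; Path=/",
]

if __name__ == "__main__":
    for kind, names in classify_logout(PRE_LOGOUT, LOGOUT_RESPONSE).items():
        print(f"{kind:10} {names}")
```

Anything reported under renewed, new or untouched still identifies the browser after logout, which is the behaviour the article describes.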
He also states that Facebook uses this information to suggest friends to you who use the same browser, which may be fine in most circumstances, but he goes on to mention the implications:
If you login on a public terminal and then hit 'logout', you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser.
Australian-born Nik Cubrilovic has mentioned this issue to Facebook on numerous occasions but has received no response so far.