According to an Australian hacker, Facebook is tracking your activity, using its cookies, even after you have logged out of the social networking website.
"Logging out of Facebook only de-authorizes your browser from the web application; a number of cookies (including your account number) are still sent along with all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions," according to a statement by hacker Nik Cubrilovic.
He also noticed that applications can post status items directly into a user's timeline using the new programming API without any intervention from the user. This means that you may be sharing items on your wall with your friends which you never intended to share at all.
Cubrilovic noted that all cookies should be deleted upon logout, which presently does not happen. Instead, two existing cookies, locale and lu, are given new expiry dates, and three new cookies (W, fl, L) are set on your computer upon logout.
So the primary cookies which identify you as a user are not deleted upon logout; only their state is changed. Since the cookies remain, Facebook can track the user's activity on any website that embeds a Facebook iframe, which is the case for every site carrying the Facebook Like, Share or other social plugins. The only way to protect yourself is to delete all the cookies manually.
Cubrilovic also described an interesting experiment. After logging out of his real account, he created a number of fake accounts on Facebook. After a while, these fake accounts were presented with friend suggestions for his real account, indicating that even after logging out of the real account, the data was still being linked in some way.
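The behaviour described above (identifying cookies re-issued with a new expiry instead of being cleared, plus extra cookies set on logout) is exactly what a logout-response audit should catch. The following is an added example, not code from the article or from Facebook: it parses the Set-Cookie headers a logout response returns, decides for each cookie whether it was actually cleared (Max-Age of zero or an Expires date in the past), and reports identifying cookies that survive, cookies merely re-issued, and cookies newly set. The cookie names locale, lu, W, fl and L come from the article; acct_id, sess, the domain, values, dates and the reference time are constructed for the demo.

```python
"""Audit the Set-Cookie headers of a logout response (added example).

Cookie names other than locale, lu, W, fl and L, and every value, date and
domain below, are constructed for this demo and do not describe any real site.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed reference time used to judge whether an Expires date is past.
NOW = datetime(2011, 9, 26, tzinfo=timezone.utc)

# Constructed sample: Set-Cookie headers a logout response might return.
# "acct_id" stands in for a cookie carrying the account number.
LOGOUT_SET_COOKIE = [
    "locale=en_US; Expires=Thu, 01 Jan 2099 00:00:00 GMT; Path=/; Domain=.example.com",
    "lu=ABCDEF; Expires=Thu, 01 Jan 2099 00:00:00 GMT; Path=/; Domain=.example.com",
    "acct_id=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=.example.com",
    "W=1; Path=/; Domain=.example.com",
    "fl=1; Path=/; Domain=.example.com",
    "L=2; Path=/; Domain=.example.com",
]

# Constructed: cookie names the browser already held before logout ...
PRE_LOGOUT_COOKIES = {"locale", "lu", "acct_id", "sess"}
# ... and the subset whose value identifies the user.
IDENTIFYING = {"lu", "acct_id", "sess"}


def parse_set_cookie(header, now):
    """Return (cookie_name, cleared) for one Set-Cookie header.

    A cookie counts as cleared only when the server sends Max-Age <= 0 or an
    Expires date that is already in the past; a fresh future expiry is a
    re-issue, not a deletion.
    """
    jar = SimpleCookie()
    jar.load(header)
    [(name, morsel)] = jar.items()  # one Set-Cookie header carries one cookie
    cleared = False
    if morsel["max-age"]:
        cleared = int(morsel["max-age"]) <= 0
    elif morsel["expires"]:
        cleared = parsedate_to_datetime(morsel["expires"]) <= now
    return name, cleared


def audit_logout(set_cookie_headers, pre_logout, identifying, now):
    """Compare a logout response with the cookies held before logout.

    Returns a dict with sorted lists:
      still_identifying - identifying cookies the response did not clear
                          (untouched, or re-issued with a future expiry)
      reissued          - pre-existing cookies given a new value/expiry
      new_cookies       - cookies the logout response created
    """
    touched, cleared = set(), set()
    for header in set_cookie_headers:
        name, is_cleared = parse_set_cookie(header, now)
        touched.add(name)
        if is_cleared:
            cleared.add(name)
    return {
        "still_identifying": sorted((identifying & pre_logout) - cleared),
        "reissued": sorted((touched & pre_logout) - cleared),
        "new_cookies": sorted(touched - pre_logout),
    }


if __name__ == "__main__":
    report = audit_logout(LOGOUT_SET_COOKIE, PRE_LOGOUT_COOKIES, IDENTIFYING, NOW)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

On the constructed sample the audit reports lu and sess as identifying cookies that outlive logout, locale and lu as re-issued, and L, W and fl as newly set, mirroring the pattern the article describes. A logout that genuinely ends the session should leave `still_identifying` empty; to gather the real headers, capture the logout response in the browser's developer tools or a proxy and feed its Set-Cookie lines into `audit_logout`.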
"Somehow Facebook knew that we were all coming from the same browser, even though I had logged out," he said.
Further, there can be multiple issues if one uses Facebook from a public computer.
"If you login on a public terminal and then hit 'logout,' you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser," Cubrilovic said.
If this machine data is being used to suggest friends, it can be used for gathering other information about a user as well.
Report to Facebook:
Cubrilovic said he had reported the issue to Facebook but was given a "bounce-around" rather than a fix.
Because of the frustrating process, he did not reveal the two XSS holes he found on the website last year.
"The question is what it will take for Facebook to address privacy issues and to give their users the tools required to manage their privacy and to implement clear policies - not pages and pages of confusing legal documentation, and 'logout' not really meaning 'logout,'" he said.