Thread: Facebook Tracking You Even When You are Logged Off

Dave Winer, on the 24th of this month, wrote how Facebook's new API allows applications to post items as status updates without the users permission/intervention. This is scary. The solution he offered is to log out.

Now, even that is not enough. Nik Cubrilovic, a Wollongong technologist, has discovered Facebook's hidden malpractices. When you log out of Facebook, it is supposed to delete its cookies from your browser cache. However, Facebook does NOT do that. It merely modifies the cookies so that your browser continues to send all your browsing information back to Facebook.

Here's an extract of the discovery from Nik's official blog that has caused worldwide shock.

The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.

Here is what is happening, as viewed by the HTTP headers on requests to facebook.com. First, a normal request to the web interface as a logged in user sends the following cookies:

Note: I have both fudged the values of each cookie and added line wraps for legibility

Cookie:
datr=tdnZTOt21HOTpRkRzS-6tjKP;
lu=ggIZeheqTLbjoZ5Wgg;
openid_p=101045999;
c_user=500011111;
sct=1316000000;
xs=2%3A99105e8977f92ec58696cf73dd4a32f7;
act=1311234574586%2F0

The request to the logout function will then see this response from the server, which is attempting to unset the following cookies:

Set-Cookie:
_e_fUJO_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
c_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
fl=1; path=/; domain=.facebook.com; httponly
L=2; path=/; domain=.facebook.com; httponly
locale=en_US; expires=Sun, 02-Oct-2011 07:52:33 GMT; path=/; domain=.facebook.com
lu=ggIZeheqTLbjoZ5Wgg; expires=Tue, 24-Sep-2013 07:52:33 GMT; path=/; domain=.facebook.com; httponly
s=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
sct=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
W=1316000000; path=/; domain=.facebook.com
xs=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly

To make it easier to see the cookies being unset, the names are in italics. If you compare the cookies that have been set in a logged in request, and compare them to the cookies that are being unset in the logout request, you will quickly see that there are a number of cookies that are not being deleted, and there are two cookies (locale and lu) that are only being given new expiry dates, and three new cookies (W, fl, L) being set.

Now I make a subsequent request to facebook.com as a 'logged out' user:

Cookie:
datr=tdnZTOt21HOTpRkRzS-6tjKP;
openid_p=101045999;
act=1311234574586%2F0;
L=2;
locale=en_US;
lu=ggIZeheqTLbjoZ5Wgg;
lsd=IkRq1;
reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Findex.php%3Flh%3D bf0ed2e54fbcad0baaaaa32f88152%26eu%3DJhvyCGewZ3n_V N7xw1BvUw;
reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Findex.php%3Flh%3D bf0ed2e54fbcad0b1aaaaa152%26eu%3DJhvyCGewZ3n_VN7xw 1BvUw

The primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged out page. Logged out requests still send nine different cookies, including the most important cookies that identify you as a user

This is not what 'logout' is supposed to mean - Facebook are only altering the state of the cookies instead of removing all of them when a user logs out.

With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies.

You can test this for yourself using any browser with developer tools installed. It is all hidden in plain sight.

- Nik Cubrilovic

this is not the 1st time i heard of such a thing. Well let's hope it is all a legend

i dont know either believe it or not...............

well it is possible if the cache in the browser still stays active

Well, actually everything is now made for reducing anonymity

It seems that the security and integrity of Facebook is compromised; I hope they can do something about this..

I thought they fixed this now at least that is what I read recently. I am sure there will be something in the near future. I seems like someone finds something with Facebook every few months. Makes you wonder about all the other websites out there though.

this is new to me and I'm not really believing it right now. if something like this done by facebook for real it will be very sad...

I had read this and its really disturbing. I had seen some blogs that has FB integration and I can see my profile in their comment section even if I was logged out of FB. From then on, I always delete my cache before logging off my browser.

Delete your Facebook account, choose Twitter and live free.

This is a scary thing. I've also noticed that Facebook has become smarter. I don't put in those information, but I find them in my profile. Must be their algorithm.

not surprising but at the same time they knew someone would find out so why even do it? i think the answer might be that facebook knows people won't leave, no matter how they're affecting people's security or privacy.