Nik Cubrilovic, who exposed how Facebook's cookies continue to identify users after they log out, says Facebook engineers have assured him that the problem will be fixed
Hacker and blogger Nik Cubrilovic has said that his blog post, which described how Facebook left identifying cookies in users' browsers after they had logged out of the social networking service, has drawn the company's attention.
Cubrilovic told The Australian that Facebook engineers have promised to make suitable changes to the site's browser cookies and ensure that they no longer carry identifiable information after a user has logged out.
Cubrilovic said he spoke with US-based engineers and communication staff at Facebook during a 40-minute call.
"They aim to fix it (the logout issue) by tomorrow," Cubrilovic said.
"There will still be cookies, but they won’t be identifiable. That’s within 24 hours.
"We can only take them at their word."
Cubrilovic's blog post about the persistent Facebook cookies raised privacy concerns about the service.
Cubrilovic had discovered last year that cookies set by Facebook during a session remained in the browser after logout and were still sent with requests to facebook.com, including those triggered from other websites that link to Facebook. He wrote to the social networking site instead of making the matter public, but his emails were all ignored, the hacker claims.
Frustration over the lack of response led him to post the details on his blog.
Cubrilovic wrote on his blog: "To clarify, I first emailed this issue to Facebook on the 14th of November 2010. I also copied the email to their press address to get an official response on it. I never got any response. I sent another email to Facebook, press and copied it to somebody I know at Facebook on the 12th of January 2011. Again, I got no response. I have copies of all the emails, the subject lines were very clear in terms of the importance of this issue."
"I have been sitting on this for almost a year now. The renewed discussion about Facebook and privacy this weekend prompted me to write this post."
"Logging out of Facebook only de-authorises your browser from the web application; a number of cookies (including your account number) are still sent along with all requests to facebook.com," Cubrilovic said.
"The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.
"There is never a clean break between a logged in session and a logged out session."
"This is not what ‘logout’ is supposed to mean – Facebook are only altering the state of the cookies instead of removing all of them when a user logs out."
Cubrilovic pointed out that such cookies could be a gift to identity thieves, especially on shared computers.
He said, "There are serious implications if you are using Facebook from a public terminal. If you login on a public terminal and then hit ‘logout’, you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser. Associating an account ID with a real name is easy – as the same ID is used to identify your profile."
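The distinction Cubrilovic draws, between a logout that expires every cookie and one that merely re-sets them with new values, can be checked directly from the HTTP traffic. The following is an added example and not code from Cubrilovic's post or from Facebook: given the Cookie header the browser sent before logout and the Set-Cookie headers in the logout response, it classifies each cookie as cleared, rewritten or untouched, and then shows the headers a logout that genuinely removes them would send. The cookie names (user_id, sess, locale, seen_promo) and the sample headers are constructed for illustration and are not Facebook's.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample traffic (hypothetical cookie names, not Facebook's).
PRE_LOGOUT_COOKIE_HEADER = "user_id=100001234567; sess=abc123def; locale=en_GB; seen_promo=1"
LOGOUT_RESPONSE_SET_COOKIES = [
    # The session token is properly expired ...
    "sess=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly",
    # ... but the account identifier is re-set with a long lifetime,
    # i.e. its "state" is altered rather than the cookie being removed.
    "user_id=100001234567; Max-Age=31536000; Path=/",
    "locale=en_GB; Max-Age=31536000; Path=/",
    # seen_promo is never mentioned by the response, so it simply survives.
]
# Cookies that tie the browser to a specific account (constructed list).
IDENTIFYING_COOKIES = {"user_id", "sess"}


def parse_cookie_header(header):
    """Parse a request 'Cookie:' header into {name: value}."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name.strip()] = value.strip()
    return jar


def parse_set_cookie(header):
    """Parse one 'Set-Cookie:' header into (name, value, {attr: val})."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_clearing(attrs, now):
    """A Set-Cookie only removes a cookie if Max-Age <= 0 or Expires is in the past.
    Max-Age takes precedence over Expires, as in RFC 6265."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            return False
    return False


def audit_logout(pre_logout_cookie_header, logout_set_cookies, now=None):
    """Classify every cookie held before logout as 'cleared' (expired by the
    logout response), 'rewritten' (re-set with a live value) or 'untouched'
    (never mentioned by the response). Returns {name: status}."""
    now = now or datetime.now(timezone.utc)
    before = parse_cookie_header(pre_logout_cookie_header)
    status = {name: "untouched" for name in before}
    for header in logout_set_cookies:
        name, _value, attrs = parse_set_cookie(header)
        if name in before:
            status[name] = "cleared" if is_clearing(attrs, now) else "rewritten"
    return status


def leaks_identity(status, identifying):
    """Identifying cookies that survive logout in any form, sorted by name."""
    return sorted(n for n in identifying if status.get(n) in ("rewritten", "untouched"))


def clearing_headers(cookie_names, path="/"):
    """Set-Cookie headers a logout should emit to remove every listed cookie."""
    return [
        f"{name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path={path}"
        for name in cookie_names
    ]


if __name__ == "__main__":
    result = audit_logout(PRE_LOGOUT_COOKIE_HEADER, LOGOUT_RESPONSE_SET_COOKIES)
    print("after logout:", result)
    print("identity survives via:", leaks_identity(result, IDENTIFYING_COOKIES))
    fixed = audit_logout(PRE_LOGOUT_COOKIE_HEADER,
                         clearing_headers(parse_cookie_header(PRE_LOGOUT_COOKIE_HEADER)))
    print("with a clearing logout:", fixed)
```

Run against the constructed sample, the audit reports sess as cleared but user_id as rewritten and seen_promo as untouched, so the account identifier still rides along on every later request to the site, which is the behaviour described above. The same audit applied to the headers from clearing_headers() reports every cookie as cleared. Note that a cookie the response leaves untouched keeps whatever lifetime it was originally given, so the check must start from the pre-logout cookie jar rather than from the logout response alone.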
Cubrilovic added that Facebook knows far more about which accounts share a browser than users realise.
"Facebook knows every account that has accessed Facebook from every browser and is using that information to suggest friends to you. The strength of the ‘same machine’ value in the algorithm that works out friends to suggest may be low, but it still happens. This is also easy to test and verify."
He added, "A year ago I was screwing around with multiple Facebook accounts as part of some development work. I created a number of fake Facebook accounts after logging out of my browser. After using the fake accounts for some time, I found that they were suggesting my real account to me as a friend. Somehow Facebook knew that we were all coming from the same browser, even though I had logged out."
Facebook faces continuing criticism over the way it stores and accesses user information. A Facebook engineer has reportedly disputed the charges made by Cubrilovic.
Facebook engineer Gregg Stefancik said, "Our cookies aren’t used for tracking. They just aren’t."
"Instead, we use our cookies to either provide custom content (e.g. your friend’s likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimise performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location)."