Thursday, September 29, 2011


After an Australian hacker pointed out the issue, Facebook has altered its logout process to address concerns that it can still stalk users after they log out.

Nik Cubrilovic said that Facebook explained its process after he found the social networking giant's cookies - bits of information saved on a user's computer - still lets Facebook keep tabs on users.

"(L)ogging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions," Cubrilovic said in an initial blog post on the matter.

He had also noted that Facebook's new application programming interface (API) allows applications to post status items to one's Facebook timeline without user intervention.

This may raise a privacy concern that "because you no longer have to explicitly opt-in to share an item, you may accidentally share a page or an event that you did not intend others to see," he said.

But in a subsequent blog entry this week, Cubrilovic said Facebook has made changes to the logout process and explained each part of the process and the cookies that the site uses in detail.

Cubrilovic particularly thanked Gregg Stefancik, an engineer at Facebook who reached out and worked with him on this issue.

Cookie 'destroyed on logout'

He quoted Facebook as saying five cookies retain value after the logout procedure and a browser restart, while a further two survive the logout procedure and remain as session cookies.

The five cookies that persist are datr, lu, p, L and act. The two cookies that also persist after the logout procedure as session cookies are a_user and a_xs. The most important of these is a_user, which is the user's ID, he said.

"As of today, this cookie is now destroyed on logout," he said, referring to the user's ID.

He also said Facebook will fix another cookie, a_user, which should be cleared upon logout but is not, due to a bug.

The other 'a' cookie, a_xs, is now also deleted on logout. a_xs is used to prevent cross-site request forgery.

On the other hand, the datr cookie is set when a browser first visits facebook.com. It supposedly helps Facebook identify suspicious login activity and keep users safe by flagging questionable activity like failed login attempts and attempts to create multiple spam accounts.

The lu cookie is also set the first time a browser visits facebook.com and is used to identify the browser and pre-fill the user's email address in the login form.

It supposedly helps protect people using public computers, and the data it contains is used to make subtle changes to the login form, such as prefilling one's email address and unchecking the "Keep me logged in" option if Facebook detects multiple users signing in with the same browser.

"These cookies, by the very purpose they serve, uniquely identify the browser being used - even after logout. As a user, you have to take Facebook at their word that the purpose of these cookies is only for what is being described. The previous a_user cookie that was fixed identified your user account and has been fixed, these cookies identify the browser and are not re-associated with your logged in account," Cubrilovic said.

In his earlier post, Cubrilovic had noted that during logout, a number of Facebook cookies are not being deleted.

He said the cookies locale and lu are given new expiry dates, and three new cookies (W, fl, L) are set.

When he made a subsequent request to www.facebook.com as a "logged out" user, he said the primary cookies that identify him as a user are still there.

"This is not what 'logout' is supposed to mean - Facebook (is) only altering the state of the cookies instead of removing all of them when a user logs out," he said.

Such a setup allows a supposedly logged-out user to still send his or her account ID to Facebook when he or she visits any page with a Facebook "Like" button, or share button, or any other widget.

"The only solution to Facebook not knowing who you are is to delete all Facebook cookies," he said.
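The comparison Cubrilovic describes, a before-and-after look at the cookie jar around a logout, can be scripted as an audit. This is an added example, not code from the article or from Facebook: the cookie names are the ones quoted on the page, while the values and expiry timestamps are constructed sample data.

```python
"""Classify what a site's 'logout' did to its cookies (added example).

Compares the cookies a browser holds for a site before and after logout and
sorts each one into deleted / kept unchanged / re-issued with a new expiry /
newly set, then flags any cookie that binds the browser to an account.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Cookie:
    value: str
    expires: Optional[int]  # unix time; None means a session cookie

# Cookies the article names as account-bound (a_user = account ID, a_xs = CSRF token).
ACCOUNT_COOKIES = {"a_user", "a_xs"}

def classify_logout(before: Dict[str, Cookie], after: Dict[str, Cookie]) -> Dict[str, List[str]]:
    report: Dict[str, List[str]] = {"deleted": [], "kept": [], "reissued": [], "new": []}
    for name, old in before.items():
        new = after.get(name)
        if new is None:
            report["deleted"].append(name)
        elif new == old:
            report["kept"].append(name)
        else:
            report["reissued"].append(name)   # same name, different value or expiry
    report["new"] = [n for n in after if n not in before]
    # Any account-bound cookie still present means the logout only changed state.
    report["account_leak"] = [n for n in after if n in ACCOUNT_COOKIES]
    return {k: sorted(v) for k, v in report.items()}

def logout_is_clean(report: Dict[str, List[str]]) -> bool:
    return not report["account_leak"]

# Constructed jars modelled on the behaviour the article describes.
BEFORE = {
    "datr": Cookie("browser-fp-0001", 1_380_000_000), "p": Cookie("0", 1_380_000_000),
    "act": Cookie("1317000000", 1_380_000_000), "lu": Cookie("last-user-0001", 1_350_000_000),
    "locale": Cookie("en_US", 1_350_000_000),
    "a_user": Cookie("100000000001", 1_380_000_000),  # constructed account ID
    "a_xs": Cookie("csrf-token-0001", None),
}
AFTER = dict(BEFORE)
AFTER["lu"] = Cookie("last-user-0001", 1_385_000_000)      # re-issued with new expiry
AFTER["locale"] = Cookie("en_US", 1_385_000_000)
AFTER.update({"W": Cookie("x", None), "fl": Cookie("1", None), "L": Cookie("1", 1_385_000_000)})

if __name__ == "__main__":
    rep = classify_logout(BEFORE, AFTER)
    for k, v in rep.items():
        print(f"{k:13s} {', '.join(v) or '-'}")
    print("logout clean:", logout_is_clean(rep))
```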

Facebook doing what it can, but...

But Cubrilovic said that while Facebook has "changed as much as they can change," he would still recommend that users clear cookies or use a separate browser.

"Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe," he said.

He also said he discovered many other issues and interesting areas ripe for further investigation while researching the cookie logout issue.

But he said he will take up each one of them in the near future.

No information used to target ads

A separate article in the Wall Street Journal quoted a Facebook spokesman as maintaining that "no information we receive when you see a social plugin is used to target ads."

Arturo Bejar, a Facebook director of engineering, added that Facebook is looking at ways to avoid sending the data altogether but that it will "take a while."

On the other hand, the WSJ quoted Facebook as saying some of the cookies identified by Cubrilovic are not logged by the system.

However, it quoted Facebook as saying one cookie is stored and is used to detect suspicious logins, and is deleted after 90 days. — TJD, GMA News
