Facebook Cookie Tracks Users Even When They're Logged Out

It's no secret that Facebook and privacy have had some issues. Take today, for example. Thanks to a modified cookie, Facebook knows where you are online -- even when you're not logged into Facebook.

So says hacker Nik Cubrilovic anyway, after he discovered during a series of tests that Facebook alters its tracking cookies the moment you log out instead of deleting them. Then, when a user being tracked in this manner heads to a website that contains a Facebook button or widget, the browser continues to send "personally identifiable information" back to Facebook.

"With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook," Cubrilovic wrote in a blog post describing the find today.

For the pissed off amongst you, VentureBeat provides this HackerNews tip:

To block Facebook from following you, you need to delete all Facebook-related cookies after logging out. You may also be able to use AdBlock Plus to block Facebook, with the following rules, as reported on Hacker News:

facebook.com^$domain=~facebook.com ~facebook.net|~fbcdn.com|~fbcdn.net facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
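How those four rules decide what gets blocked, as an added example that is not part of the original article or of AdBlock Plus itself: a simplified matcher that models only the `^` separator and the `$domain=~...` exclusions. The function names and the news.example and notfacebook.example URLs are constructed for illustration.

```javascript
// The four rules from the tip, one per array entry.
const RULES = [
  "facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
  "facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
  "fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
  "fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
];

// Split "pattern^$domain=~a|~b" into the text to find and the excluded page domains.
function parseRule(rule) {
  const [pattern, options = ""] = rule.split("$");
  const excluded = [];
  for (const opt of options.split(",")) {
    if (!opt.startsWith("domain=")) continue;
    for (const d of opt.slice("domain=".length).split("|")) {
      if (d.startsWith("~")) excluded.push(d.slice(1));
    }
  }
  return { text: pattern.replace(/\^$/, ""), excluded };
}

// "^" stands for a separator: end of URL, or any character that is not
// a letter, digit, "_", "-", "." or "%". With no "||" anchor in front,
// the text may match anywhere in the URL, not only in the hostname.
function patternMatches(text, url) {
  const escaped = text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(escaped + "(?:[^A-Za-z0-9_\\-.%]|$)").test(url);
}

function isSameOrSubdomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// A request is blocked when some rule's text matches the request URL and the
// page making the request is not on one of that rule's excluded domains.
function isBlocked(requestUrl, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  return RULES.map(parseRule).some(({ text, excluded }) =>
    patternMatches(text, requestUrl) &&
    !excluded.some((d) => isSameOrSubdomain(pageHost, d)));
}

// Constructed sample: a Like-button request made from a third-party page.
console.log(isBlocked("https://www.facebook.com/plugins/like.php?href=x",
                      "https://news.example/article"));
```

Because the rules carry no `||` hostname anchor, the model also blocks any third-party URL that merely contains one of the four names followed by a separator, such as a share link with `facebook.com` in its query string.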

Next week: Facebook is totally creeping your bedroom window! [via VentureBeat]



    The fact that someone had to write a hack to disable a bloody cookie should give pause to anybody using 'FB'. I ditched the thing ages ago, and now, if anybody needs a wake up call to get rid of it, this is it!

      I saw


      and I thought that was quite clever.

        For some reason I don't think that was intentional.

    What about if you disabled the social plugin platform in the settings? I reckon it should help.

    This is surprising to people?

    Check Google, Amazon and eBay. None of them delete your cookies when you log out. They ALL use them so they can track your browser, enabling them to target ads to you.

    I understand people are wary of Facebook, but come on - all sites have done this ever since cookies were invented.

    I do not know a lot about cookies. Can you let me know if these cookies are sending information to Facebook and are they receiving it? Does having a cookie mean data is always being accessed and sent off the local device?

    As for the ticker and frictionless sharing the blogger has an issue with; don't forget that the user needs to use, and approve, an app to access all that information. It is not automatic! Approval is needed for every news house, music service, running app, etc.

      If you go to a site and it sets a cookie, your browser will send that cookie back to the site every time you visit.

      Only the creating site can "read" the cookie, but the point is that the prominence of Facebook Like buttons means Facebook can read the cookie frequently -- even when you're not logged in.

    Didn't Firefox once provide the ability to clear all private data upon exiting, such as password, cookies etc? I guess that wouldn't help though if you log out then continue to browse as the cookies won't be deleted until after you've closed the browser.

    This is an area that's in desperate need of some sort of regulation. As it currently stands the companies behind these websites are so far out in front of legislation that they're able to do what they want without repercussion. It's utter madness.

    For Chrome, there is an add-on called 'Disconnect'.
    It will block tracking by the usual suspects including FB and Google. (Right now it is blocking one request from FB on THIS page.) It will actually speed up page loads in some cases.

    For IE9, use tracking protection lists. Available here..
    just click the 'add' button.

    For Firefox, use Adblock and include a tracking protection filter. (Also available for Chrome).

    It is a legal requirement that all browsers have a way to block tracking. This was introduced several months ago.

    I'm just going to roll over and take this. Big deal.

    92 Facebook people have "liked" this. ?

    Isn't it appalling when the free service that you are in no way obliged to use keeps using standard industry marketing tactics purely guided by the profit motive to ultimately allow the service to be free in the first place! I swear if Facebook keeps this up, along with the new changes to the layout and all the other minor inconveniences, I am outta there!

    The difference between this and normal cookie tracking is that this is linked to your actual Facebook account and as such is persistent across all browsers on which you were the last to log in to Facebook. Unlike most tracking, it will survive the deleting of cookies.

    Just use (in)private browsing through IE/Firefox, problem solved.
