Facebook has fixed an issue that it admitted could have allowed users to be identified and tracked after they had logged out of the social network, via their cookies.

Cookies are bits of code that websites leave on a user’s system in order to customise the user’s experience. On Monday Australian researcher Nik Cubrilovic reported that three Facebook cookies remaining on a user’s system following logout could be used to identify a user and link back to his or her Facebook account.

Personal data

The problem has now been fixed, according to Facebook, which said the issue had been caused “inadvertently”.

The cookies involved included a_user, which is the user’s Facebook ID. Facebook said this cookie is now destroyed when the user logs out.

“When Nik provided us with the additional information that allowed us to identify these three cookies, we moved quickly to fix the cookies so that they won’t include unique information in the future when people log out,” Facebook said in a statement.

The company acknowledged that users’ principal privacy fear is that Facebook itself might misuse such information to track users’ activities elsewhere on the Internet. The company argued that because this was not the case, no security or privacy breach had in effect taken place.

“Facebook did not store or use any information it should not have,” the company stated. “We did not store these identifiers for logged out users. Therefore, we could not have used this information for tracking or any other purpose.”

However, the company acknowledged that the cookies included “unique identifiers” that could have been misused by third parties. In response Facebook said it had taken measures to fix the issue.

However, Cubrilovic advised users not to place their faith entirely in Facebook.

“I would still recommend that users clear cookies or use a separate browser,” he said in a Wednesday blog post. “I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues.”

Widespread issue

Sophos researcher Paul Ducklin argued that long-lived cookies of the type identified by Cubrilovic are common.

“If you’re worried about this sort of thing, routinely delete all cookies from your browser. This means that you dispose of all your no-longer-anonymous cookies,” he wrote in a blog post. “Your favourite websites will no longer have cookie-based history about you, so you’ll get newly-generated anonymous cookies next time you visit each of those sites. Most browsers – Firefox, Chrome, Opera and Internet Explorer, for instance – have an ‘automatically delete cookies on exit’ option. I recommend using it: you don’t have to keep remembering to delete old cookies by hand.”

Sophos earlier this year took Facebook to task over its privacy issues, outlining specific steps the company needed to take to improve security.

Earlier this month Lord Richard Allan, Facebook’s head of European public policy, admitted that the threat of account hacking to scam users out of money has become a “major issue” for the social network.

New cookie regulations

In May legal changes came into effect on the way companies may use cookies, deriving from an amendment to the EU’s Privacy and Electronic Communications Directive, which require companies to get permission from users before tracking their activities with cookies. Previously companies only needed to inform users they were using cookies, and provide information on how they could opt out.

The Information Commissioner’s Office (ICO) has said it is planning to bring in enforcement of the new rules in phases, and does not expect companies to immediately achieve perfect compliance. At the same time, companies must be seen to be making an effort to work out how they will deal with the new law, the ICO said.

Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.
