Facebook allegedly promises to fix logout cookies issue

The Facebook tracking cookies issue revealed yesterday has, expectedly, created quite a stir in the security community.

The company went into damage control mode and repeated the claims made by one of its engineers: “Facebook does not track users across the web.”

“Instead, we use cookies on social plugins to personalize content (e.g. show you what your friends liked), to help maintain and improve what we do (e.g. measure click-through rate), or for safety and security (e.g. keeping underage kids from trying to signup with a different age). No information we receive when you see a social plugins is used to target ads, we delete or anonymize this information within 90 days, and we never sell your information.”

“Specific to logged out cookies, they are used for safety and protection, including identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of ‘keep me logged in’.”

On the other hand, The Australian reports that Nik Cubrilovic – the blogger that wrote about his discovery and brought the issue to the public’s attention – claims that has been contacted by the company and promised that it will fix the issue.

He says that the 40 minute long conference call with Facebook engineers resulted in the promise that logout cookies will no longer collect identifiable information about users after they have logged out of the social network, and that the change will be rolled out tomorrow.

In order to illustrate his original claim, Cubrilovic published a table that shows in detail which cookies are delete or modified after the log out, and which are retained even after the browser is restarted.

He concedes that Facebook might not be using the collected information now, but points out that maybe in a few years’ time they might want to introduce a new feature that will access it and use it.

UPDATE:That was fast! According to Cubrilovic, the issue has already been fixed – the offending “a_user” cookie (containing the user’s ID) is now destroyed on logout. Facebook claims that its persistence after logout was due to a bug, which has been fixed.

As far as the rest of the persistent cookies are concerned, he says that Facebook has changed as much as they can change with the logout issue.

“They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe.”