Hacker: Logging Out Of Facebook Is Not Enough

By Carlton Purvis

It’s pretty amazing how Facebook can suggest friends for you based on the most ephemeral of connections. Or how about when you log in and see ads for services you were just searching for on Google? Or what about when Facebook synced all of your cell phone contacts to the site without you realizing you’d allowed it? What about the new API that allows apps to post items on your timeline without you doing anything at all? Not to mention the frequent design changes that move your privacy settings under different menus and submenus.

Maybe you’re thinking “Well maybe if I just log out of Facebook....” 

Logging out is not enough, says self-professed hacker, entrepreneur, and writer Nik Cubrilovic.

“…Logging out of Facebook only deauthorizes your browser from the web application; a number of cookies (including your account number) are still sent along to all requests to Even if you are logged out, Facebook still knows and can track every page you visit,” he wrote in a blog post Sunday.

Yes. Even when you’re logged out.

In a series of browser cookie diagrams--cookies that most of us probably rarely scrutinize--Cubrilovic shows that not all of those cookies are deleted when you log out.

“The primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged out page. Logged out requests still send nine different cookies, including the most important cookies that identify you as a user…Facebook are only altering the state of the cookies instead of removing all of them when a user logs out,” he writes.

Basically, when you visit any site that integrates Facebook, meaning any site with a “suggest to friends,” “like,” or “share” button, your information, including your account ID, is still sent to Facebook, even while you are logged out.
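A defender-side check for the behaviour described above, added here as an example (it is not code from the article or from Cubrilovic's post): it applies a logout response's Set-Cookie headers to a cookie jar the way a browser would and reports which identifying cookies survive. The domain, the Set-Cookie lines and every cookie name except `act` are constructed sample data.

```python
"""Does a logout response actually clear the cookies that identify a user?"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed: cookies a browser holds while logged in (name -> value).
# Only 'act' is a name taken from the article; the rest are illustrative.
LOGGED_IN_JAR = {
    "act": "1316971230%2F1",        # account/activity id mentioned in the article
    "c_user": "100001234567890",    # constructed user id
    "xs": "abc123sessionsecret",    # constructed session secret
    "datr": "browser-fingerprint",  # constructed long-lived browser id
    "lu": "u123",                   # constructed
}

# Constructed: Set-Cookie headers a logout response might return. The session
# cookies are expired, but the identifying ones are only rewritten, not removed.
LOGOUT_SET_COOKIE = [
    "c_user=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=.social.test",
    "xs=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=.social.test",
    "act=1316971230%2F1; path=/; domain=.social.test",
    "lu=logged_out; expires=Fri, 01 Jan 2100 00:00:00 GMT; path=/; domain=.social.test",
]

def apply_set_cookie(jar, headers, now=None):
    """Return a new jar after applying Set-Cookie headers as a browser would:
    a cookie with Max-Age<=0 or a past Expires is removed, anything else is stored."""
    now = now or datetime.now(timezone.utc)
    jar = dict(jar)
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if morsel["max-age"]:
                expired = int(morsel["max-age"]) <= 0
            elif morsel["expires"]:
                expired = parsedate_to_datetime(morsel["expires"]) <= now
            else:
                expired = False
            if expired:
                jar.pop(name, None)
            else:
                jar[name] = morsel.value
    return jar

def surviving_identifiers(jar_before, headers, identifying=("act", "c_user", "datr", "lu")):
    """Identifying cookies the logout left behind, which embedded widgets keep sending."""
    after = apply_set_cookie(jar_before, headers)
    return {name: value for name, value in after.items() if name in identifying}

if __name__ == "__main__":
    print("Identifying cookies still sent after logout:",
          surviving_identifiers(LOGGED_IN_JAR, LOGOUT_SET_COOKIE))
```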

He goes on to explain an experiment he conducted using multiple Facebook accounts from the same browser. Each time he logged out, the fake accounts would still receive suggestions to friend his primary account. Somehow Facebook knew that the accounts were all coming from the same browser.

“There are serious implications if you are using Facebook from a public terminal. If you login on a public terminal and then hit 'logout', you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser. Associating an account ID with a real name is easy--as the same ID is used to identify your profile,” he wrote.

See all the latest links and resources that supplement the current issue of Security Management magazine.