Hacker: Logging Out Of Facebook Is Not Enough

By Carlton Purvis

Cubrilovic’s first comment after posting the blog came from a user named Gregg Stefancik who identified himself as an engineer who works on Facebook’s login systems.

“We haven’t done as good a job as we could have to explain our cookie practices,” but Facebook is not interested in tracking users outside of Facebook, he said. Stefancik says the cookies are used to help provide users with custom content and security.

The altered-but-not-deleted cookies are used to identify spammers, identify shared computers, help people recover hacked accounts, and power security features like login approvals and notifications, he said.

“We also maintain a cookie association between accounts and browsers….However, contrary to your article, we do delete account-specific cookies when a user logs out of Facebook,” he says.

But what about the psychic friend suggestions on Facebook--a phenomenon experienced by a number of Facebook users? Take a look at the confusion on this thread.

“We don’t, and never have, used cookies to suggest friends. If you send us the user IDs of the test accounts you created, I’m happy to investigate further,” Stefancik says. Stefancik then suggests Cubrilovic submit his information to Facebook’s bug bounty program.

So Facebook does keep cookies when you log out, but their purpose is for enhanced security, and all account-related cookies are deleted. Interesting response, but for the people who have actually experienced Facebook’s psychic powers, it may take a little more convincing.

“I have no reason to believe you do anything but your job, but the answers leave gaps wide enough to drive a truck through. So I'm not buying it. For me, FB is the 2nd biggest security and privacy risk for an Internet user,” an anonymous commenter replied to Stefancik.


photo by GOIABA/flickr
