Facebook fixes logout issue - nikcub
http://nikcub.appspot.com/facebook-fixes-logout-issue-explains-cookies?re=1

======
RexRollman
As anyone who frequents HN would notice, I do not care for Facebook. I don't
like it as a company and I do not care for its founder. But with that said, I
am glad to see that Facebook addressed this issue.

And thanks to Nik for bringing this to the light.

~~~
code_duck
Facebook created this issue... now we're supposed to thank them for addressing
it after it was revealed in public?

~~~
RexRollman
I am willing to thank someone who listens and then fixes something. To do
otherwise is just rude.

~~~
code_duck
Really, so if someone stabs you in the arm on purpose, and then bandages it up
only after you alert the public, you'd thank them?

------
mingyeow
"There is a bug where a_user was not cleared on logout. We will be fixing that
today."

PR speak. This seems much less like a bug to me, more like a poorly
contemplated decision.

What seems more likely is that they were contemplating what they should do,
and given the general direction Facebook is headed, they probably thought
little of just leaving it in.

I love the facebook guys, but calling it a bug as opposed to a non-malicious
decision is just PR speak

~~~
yuliyp
The fact that it could be removed overnight should give you a hint about how
much it was actually used.

------
y0ghur7_xxx
They don't need the cookie to track you anyway. Cookie-less tracking is no
problem. Not deleting the cookie was making the tracking just a little bit
easier, but I am sure they track users anyway, as long as they download the
like widgets that webmasters put on their pages.

~~~
lbrandy
> I am sure they track users anyway

Just so we are clear: we don't cookieless "track users anyway".

I suppose you guys can line up to say I'm lying like you did to the other
engineers who posted yesterday, and it is quite obviously impossible for me to
prove otherwise. But suffice to say our policies are rather clear on the
issue.

~~~
y0ghur7_xxx
So you don't track users with the "like" widgets? Even when they don't click
on them? That would contradict everything I read from FB until now.

> I suppose you guys can line up to say I'm lying

I never said you lied. I just said what you explicitly state on your privacy
policy:

"We receive data whenever you visit a game, application, or website that uses
Facebook Platform or visit a site with a Facebook feature (such as a social
plugin). This may include the date and time you visit the site; the web
address, or URL, you're on; technical information about the IP address,
browser and the operating system you use; and, if you are logged in to
Facebook, your User ID."

<http://www.facebook.com/about/privacy/your-info#inforeceived>

If that's not "tracking" I don't know what is...

~~~
lbrandy
> This may include the date and time you visit the site; the web address, or
> URL, you're on; technical information about the IP address, browser and the
> operating system you use; and, if you are logged in to Facebook, your User
> ID."

With the exception of the UserID for logged in users, all of this data is
standard stuff that every browser sends to every server of any site on every
request.

> If that's not "tracking" I don't know what is...

If basic http header stuff is "tracking" to you, then every site on the
internet is tracking you.

~~~
y0ghur7_xxx
> all of this data is standard stuff that every browser sends to every server
> of any site on every request.

Come on lbrandy, let's be honest. Are you telling me and to the HN audience
that you don't use the data "that every browser sends to every server",
analyze it, try to get unique users out of it, try to gather interest,
browsing behavior, a lot of other stuff and sell it to advertisers? Because
that would contradict what you state in your privacy policy.

>> If that's not "tracking" I don't know what is...

> I believe the word I'd use is "http".

http is the protocol you gather the data with. Once you got it, you gather
your stats from it. And thus track users with it. And you state so explicitly
in your privacy policy. And there is IMHO nothing wrong with it. I adblock it
anyway.

~~~
lbrandy
> Are you telling me and to the HN audience that you don't use the data "that
> every browser sends to every server", analyze it, try to get unique users
> out of it, try to gather interest, browsing behavior, a lot of other stuff
> and sell it to advertisers?

That's pretty much the definition of "cookieless tracking", isn't it? Feel
free to read my original post.

This is spelled out quite clearly here:
<https://www.facebook.com/help/?faq=186325668085084>

~~~
y0ghur7_xxx
> That's pretty much the definition of "cookieless tracking", isn't it?

Yes, it is.

"We will keep aggregated and anonymized data (not associated with specific
users) [...]"

Ok. So you _partially_ confirm my point. You DO track users. But you say you
don't keep the information associated with "y0ghur7_xxx", but with
user_id:389472984. At least on the FAQ. The privacy policy is not so clear.

~~~
indigoviolet
user_id:389472984 isn't anonymized. Aggregated and anonymized data means,
"gender:male ages:18-34"

------
mjs
"The other 'a' cookie, a_xs, is now also deleted on logout. a_xs is used to
prevent cross-site request forgery."

Does anyone know how this cookie is used to prevent CSRF?

~~~
epochwolf
Rails matches a session csrf token against form data to detect if someone is
trying to submit a form without a proper token. This session data is stored in
a cookie by default.

This functionality is referenced in the security guide.

http://guides.rubyonrails.org/security.html#csrf-countermeasures

~~~
mjs
From my reading of that link, in Rails it's not the CSRF token itself that's
stored in the cookie, it's the secret used to verify the token. If Facebook is
doing the same thing, there would be no need to store the secret after the
user has logged out--just generate another secret the next time they log in.

~~~
epochwolf
The login form still requires a secret as do any other links that have side
effects. I would imagine the like buttons require them to work properly.
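
The exchange above between mjs and epochwolf comes down to one design question: does the secret that verifies CSRF tokens need to outlive a login session? The following is an added illustration for this thread, not Facebook's or Rails' code. It assumes one common scheme: a random per-session secret, tokens derived from it with HMAC, an anonymous secret so the login form itself can carry a token (epochwolf's point), and rotation of the secret at both login and logout so nothing issued before logout verifies afterwards (mjs's point). All names (`Session`, `a_xs`-like fields, `form_id`) are assumptions.

```python
"""Session-bound CSRF tokens whose verifying secret is rotated at logout.

Added example, not the code of any project mentioned in the thread.
"""
import hashlib
import hmac
import secrets


class Session:
    """Minimal stand-in for a server-side session referenced by a cookie."""

    def __init__(self):
        self.user = None
        # Anonymous sessions get a secret too: the login form needs a token.
        self.csrf_secret = secrets.token_bytes(32)

    def rotate_secret(self):
        """Replace the secret; every token derived from the old one stops verifying."""
        self.csrf_secret = secrets.token_bytes(32)


def login(session, user):
    session.user = user
    session.rotate_secret()  # do not carry a pre-login secret across a privilege change


def logout_keep_secret(session):
    """Clears the user but keeps the secret: tokens issued while logged in still verify."""
    session.user = None


def logout(session):
    """Clears the user and rotates the secret; the login form still has a usable token."""
    session.user = None
    session.rotate_secret()


def issue_token(session, form_id):
    """Token for one form: HMAC-SHA256 of the form identifier under the session secret."""
    return hmac.new(session.csrf_secret, form_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session, form_id, token):
    """True only if the submitted token is what this session would issue for this form."""
    expected = issue_token(session, form_id)
    return hmac.compare_digest(expected, token)  # constant-time comparison


def demo():
    """Walk through login, tampering, a leaky logout and a proper logout."""
    s = Session()
    login(s, "alice")
    token = issue_token(s, "post_status")
    flipped = token[:-1] + ("0" if token[-1] != "0" else "1")
    results = {
        "valid": verify_token(s, "post_status", token),
        "wrong_form": verify_token(s, "delete_account", token),
        "tampered": verify_token(s, "post_status", flipped),
    }
    logout_keep_secret(s)
    results["after_leaky_logout"] = verify_token(s, "post_status", token)
    logout(s)
    results["after_logout"] = verify_token(s, "post_status", token)
    login(s, "alice")
    results["after_relogin"] = verify_token(s, "post_status", token)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'verifies' if ok else 'rejected'}")
```

The `after_leaky_logout` case is the behaviour mjs objects to: once the user is gone there is no reason a token minted for them should still pass, and rotating the secret costs nothing since the next login mints a new one anyway.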

------
code_duck
So, do the remaining cookies truly not contain data which can identify a
specific user to Facebook?

~~~
sp332
You can use this page to see how "unique" your browser is.
<https://panopticlick.eff.org/> It doesn't use cookies.
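
Panopticlick's "how unique is your browser" number is a surprisal: an attribute value seen in a fraction p of visitors carries -log2(p) bits of identifying information, and a browser matched by only one visitor in N carries log2(N) bits. The script below is an added example for this thread, not EFF's code; the population of eight browser profiles is constructed, and the rule of scoring a never-seen value as if seen once in N+1 visitors is an assumption.

```python
"""Estimate how identifying a browser fingerprint is, Panopticlick-style.

Added example; the population below is constructed, not measured.
"""
import math

# Constructed sample population standing in for a site's visitor base.
POPULATION = [
    {"ua": "Firefox 7", "plugins": "flash,java", "fonts": "Arial,Verdana,Times", "tz": "-5", "screen": "1280x800"},
    {"ua": "Firefox 7", "plugins": "flash", "fonts": "Arial,Verdana", "tz": "-5", "screen": "1280x800"},
    {"ua": "Chrome 14", "plugins": "flash", "fonts": "Arial,Verdana", "tz": "+1", "screen": "1920x1080"},
    {"ua": "Chrome 14", "plugins": "flash", "fonts": "Arial,Verdana", "tz": "+1", "screen": "1920x1080"},
    {"ua": "Safari 5", "plugins": "none", "fonts": "Helvetica", "tz": "-8", "screen": "1440x900"},
    {"ua": "IE 9", "plugins": "flash,silverlight", "fonts": "Arial,Verdana,Times", "tz": "-5", "screen": "1366x768"},
    {"ua": "Chrome 14", "plugins": "flash", "fonts": "Arial,Verdana", "tz": "-5", "screen": "1366x768"},
    {"ua": "Firefox 7", "plugins": "none", "fonts": "Arial,Verdana", "tz": "0", "screen": "1280x800"},
]


def surprisal_bits(population, attribute, value):
    """Bits of identifying information in one attribute value: -log2(P(value)).

    A value never observed is scored as if it occurred once in N+1 visitors
    (an assumption; it avoids an infinite score for a first-time value).
    """
    n = len(population)
    count = sum(1 for fp in population if fp.get(attribute) == value)
    if count == 0:
        return -math.log2(1 / (n + 1))
    return -math.log2(count / n)


def matching_browsers(population, browser):
    """How many visitors share every attribute with this browser."""
    return sum(1 for fp in population if fp == browser)


def fingerprint_report(population, browser):
    """Per-attribute bits plus the honest whole-fingerprint number.

    Summing per-attribute bits overstates uniqueness when attributes are
    correlated (plugins and fonts track the user agent); the surprisal of the
    complete fingerprint is the figure that matters.
    """
    n = len(population)
    per_attr = {a: surprisal_bits(population, a, v) for a, v in browser.items()}
    matches = matching_browsers(population, browser)
    total = -math.log2(matches / n) if matches else -math.log2(1 / (n + 1))
    return {"per_attribute": per_attr, "matches": matches, "total_bits": total}


if __name__ == "__main__":
    report = fingerprint_report(POPULATION, POPULATION[2])
    for attr, bits in report["per_attribute"].items():
        print(f"{attr:8s} {bits:5.2f} bits")
    print(f"naive sum: {sum(report['per_attribute'].values()):.2f} bits; "
          f"whole fingerprint: {report['total_bits']:.2f} bits "
          f"({report['matches']} of {len(POPULATION)} match)")
```

Run against the third profile, the per-attribute sum is about 7 bits while the whole fingerprint is only 2 bits (two of eight visitors match exactly), which is why real services report the joint figure. It also makes MartinCron's point below concrete: the highest-scoring attributes here are plugin and font lists, the ones a browser exposes through plugins such as Flash.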

~~~
cousin_it
Most interesting link I've seen today, thanks!

So as long as you log in to Facebook often enough (more often than you install
new browser plugins or fonts or whatever), they can cookieless-track you
perfectly when you're logged out, by remembering the browser fingerprint you
had when you were logged in. And even if the fingerprint changes a little bit,
they could use something like Levenshtein distance, combined with statistics
of frequently visited sites, to have a good chance of identifying you anyway.
In the hypothetical world where Facebook was an evil monster of surveillance,
of course. I'm not talking about the real world here ;-)

So what can you do when faced by a hypothetical monster like that? Disabling
third-party cookies is only the first step. Is there any reasonable way to
anonymize your browser fingerprint?

~~~
MartinCron
_Is there any reasonable way to anonymize your browser fingerprint?_

Maybe not totally anonymize, but a lot of the data that gets used for browser
fingerprinting relies on flash to work, so if you run without flash on by
default (click to flash, or whatever) that should help.

------
Slimy
A Facebook engineer has made a statement saying there was not tracking
involved in the "Update" section of this article:
http://www.zdnet.com/blog/facebook/facebook-fixes-cookie-behavior-after-logging-out/4120

------
newchimedes
Wasn't there a FB engineer yesterday who said that this "problem" would take a
long time to fix? Apparently it didn't take that long.

~~~
newchimedes
Here's the article I mentioned:
http://blogs.wsj.com/digits/2011/09/26/facebook-defends-getting-data-from-logged-out-users/

------
shithead
Q. How do you know that Mark Zuckerberg is lying?

A. His lips are moving.

------
altrego99
> There is a bug where a_user was not cleared on logout.

Yeah, right! Sure it was a bug.

