
Not that I want to turn this into a pissing contest, but I emailed this to them on the 14th of November 2010. I emailed them again on the 12th of January this year. I have been sitting on it for that long.

I updated my post to make that clear, that this is an issue that is almost a year old.

You are not going to hear back from Facebook because they will not believe this is an "issue".

Precisely - this is a design feature, working as intended.

Normally the security@ team is very responsive, and not that hard to find:


As for your specific claim about cookies, there is a little checkbox labeled "Keep me logged in" or "Remember me" on the login page. If you don't trust the terminal, don't check that box. Leaving it unchecked will set the personally identifiable cookies to expire at the end of your browser session.

This is the same advice given for any website about unsafe terminals, and anyone who has 15 years of security industry experience would be aware of cookie expiration. What exactly are you claiming here?

He's talking about after having clicked "log out". I don't think the "keep me logged in" button factors in here (though I could be wrong).

This has nothing to do with 'keep me logged in', and as I mentioned in the post, I contacted a number of Facebook contacts a number of times (including the standard security report track) and never heard back.

Fair enough. I will follow up. FWIW, the act cookie is always set to session only.
