Facebook has gone on the defensive and been forced to apologize after users were outraged to learn that the site tracked them even after they had logged out.
Facebook has apologized and confirmed that the “bug” has now been fixed.
Hacker Nik Cubrilovic first spotted the flaw, which kept Facebook’s cookies active in the browser even after users had logged out of the site, according to PC Pro. He is reportedly now working with the social network giant to resolve the problem.
Nik Cubrilovic wrote on his blog: “Facebook has made changes to the logout process and it has explained each part of the process and the cookies that the site uses in detail. The data shows that five cookies retained value after the logout procedure and a browser restart, while a further two survive the logout procedure and remain as session cookies.”
The “a_user” cookie, which is the user’s ID, was the most critical retained cookie.
“As of today, this cookie is now destroyed on logout,” he said.
Regarding the remaining active cookies, Facebook told Cubrilovic, “We set the ‘datr’ cookie when a web browser accesses facebook.com, and the cookie helps us identify suspicious login activity and keep users safe. For instance, we use it to flag questionable activity like failed login attempts and attempts to create multiple spam accounts.”
Cubrilovic said another “lu” cookie is used to identify users but to pre-fill forms for them, and this remains in place.
“These cookies, by the very purpose they serve, uniquely identify the browser being used - even after logout,” he said. “As a user, you have to take Facebook at its word that the purpose of these cookies is only for what is being described.”
Facebook told PC Pro that the tracking-cookie issue, which has now supposedly been resolved, posed no risk to subscribers.
“There was no security or privacy breach - Facebook did not store or use any information it should not have,” the company said.
“Like every site on the internet that personalizes content and tries to provide a secure experience for users, we place cookies on the computer of the user. Three of these cookies on some users' computers inadvertently included unique identifiers when the user had logged out of Facebook,” it said.
“We fixed the cookies so that they won't include unique information in the future when people log out.”
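The check reported above (which cookies are destroyed at logout, which keep their value as persistent cookies, and which remain only as session cookies) can be automated by replaying a logout response against the cookie jar held before logout. The sketch below is an added example, not Cubrilovic's or Facebook's code; the cookie values, the `sess_example` cookie, the timestamps and the logout header are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header, now):
    """Return (name, value, expiry) for one Set-Cookie value; expiry None = session cookie."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    expiry, max_age_seen = None, False
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":                      # Max-Age takes precedence over Expires
            expiry, max_age_seen = now + timedelta(seconds=int(val)), True
        elif key == "expires" and not max_age_seen:
            expiry = parsedate_to_datetime(val.strip())
    return name.strip(), value.strip(), expiry

def audit_logout(before, logout_headers, now):
    """Classify each cookie held before logout (name -> (value, expiry or None))."""
    jar = dict(before)
    for header in logout_headers:
        name, value, expiry = parse_set_cookie(header, now)
        if expiry is not None and expiry <= now:
            jar.pop(name, None)                   # expiry in the past: browser deletes it
        else:
            jar[name] = (value, expiry)
    report = {"destroyed": [], "rewritten": [], "kept_persistent": [], "kept_session": []}
    for name, (value, _) in sorted(before.items()):
        if name not in jar:
            report["destroyed"].append(name)
        elif jar[name][0] != value:
            report["rewritten"].append(name)      # still present, but with a new value
        elif jar[name][1] is None:
            report["kept_session"].append(name)   # gone once the browser is closed
        else:
            report["kept_persistent"].append(name)  # survives a browser restart as well
    return report

# Constructed sample data: cookie names a_user, datr and lu come from the article,
# sess_example is hypothetical, and every value and date is made up.
NOW = datetime(2011, 10, 1, tzinfo=timezone.utc)
BEFORE = {
    "a_user": ("1234567890", NOW + timedelta(days=30)),
    "datr": ("constructed-datr", NOW + timedelta(days=730)),
    "lu": ("constructed-lu", NOW + timedelta(days=730)),
    "sess_example": ("constructed-session", None),
}
LOGOUT_AFTER_FIX = ["a_user=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/"]

if __name__ == "__main__":
    print(audit_logout(BEFORE, LOGOUT_AFTER_FIX, NOW))
```

Any identifier-bearing cookie that lands in `kept_persistent` or `kept_session` after logout is the condition the article describes and is worth failing a regression test on.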