Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Facebook is scaring me
#2

Logging out of Facebook is not enough

25th September 2011#Dave Winer wrote a timely piece this morning about how Facebook is scaring him since the new API allows applications to post status items to your Facebook timeline without a users intervention. It is an extension of Facebook Instant and they call it frictionless sharing. The privacy concern here is that because you no longer have to explicitly opt-in to share an item, you may accidentally share a page or an event that you did not intend others to see.
The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests tofacebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.
Here is what is happening, as viewed by the HTTP headers on requests to facebook.com. First, a normal request to the web interface as a logged in user sends the following cookies:
Note: I have both fudged the values of each cookie and added line wraps for legibility

Cookie:datr=tdnZTOt21HOTpRkRzS-6tjKP; lu=ggIZeheqTLbjoZ5Wgg; openid_p=101045999; c_user=500011111; sct=1316000000; xs=2%3A99105e8977f92ec58696cf73dd4a32f7; act=1311234574586%2F0The request to the logout function will then see this response from the server, which is attempting to unset the following cookies:

Set-Cookie:_e_fUJO_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponlyc_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponlyfl=1; path=/; domain=.facebook.com; httponlyL=2; path=/; domain=.facebook.com; httponlylocale=en_US; expires=Sun, 02-Oct-2011 07:52:33 GMT; path=/; domain=.facebook.comlu=ggIZeheqTLbjoZ5Wgg; expires=Tue, 24-Sep-2013 07:52:33 GMT; path=/; domain=.facebook.com; httponlys=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponlysct=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponlyW=1316000000; path=/; domain=.facebook.comxs=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponlyTo make it easier to see the cookies being unset, the names are in italics. If you compare the cookies that have been set in a logged in request, and compare them to the cookies that are being unset in the logout request, you will quickly see that there are a number of cookies that are not being deleted, and there are two cookies (locale and lu) that are only being given new expiry dates, and three new cookies (W, fl, L) being set.
Now I make a subsequent request to facebook.com as a 'logged out' user:

Cookie:datr=tdnZTOt21HOTpRkRzS-6tjKP; openid_p=101045999; act=1311234574586%2F0; L=2; locale=en_US; lu=ggIZeheqTLbjoZ5Wgg; lsd=IkRq1; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Findex.php%3Flh%3Dbf0ed2e54fbcad0baaaaa32f88152%26eu%3DJhvyCGewZ3n_VN7xw1BvUw; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Findex.php%3Flh%3Dbf0ed2e54fbcad0b1aaaaa152%26eu%3DJhvyCGewZ3n_VN7xw1BvUwThe primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged out page. Logged out requests still send nine different cookies, including the most important cookies that identify you as a user
This is not what 'logout' is supposed to mean - Facebook are only altering the state of the cookies instead of removing all of them when a user logs out.
With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies.
You can test this for yourself using any browser with developer tools installed. It is all hidden in plain sight.

An Experiment

This brings me back to a story that I have yet to tell. A year ago I was screwing around with multiple Facebook accounts as part of some development work. I created a number of fake Facebook accounts after logging out of my browser. After using the fake accounts for some time, I found that they were suggesting my real account to me as a friend. Somehow Facebook knew that we were all coming from the same browser, even though I had logged out.
There are serious implications if you are using Facebook from a public terminal. If you login on a public terminal and then hit 'logout', you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser. Associating an account ID with a real name is easy - as the same ID is used to identify your profile.
Facebook knows every account that has accessed Facebook from every browser and is using that information to suggest friends to you. The strength of the 'same machine' value in the algorithm that works out friends to suggest may be low, but it still happens. This is also easy to test and verify.
I reported this issue to Facebook in a detailed email and got the bounce around. I emailed somebody I knew at the company and forwarded the request to them. I never got a response. The entire process was so flaky and frustrating that I haven't bothered sending them two XSS holes that I have also found in the past year. They really need to get their shit together on reporting privacy issues, I am sure they take security issues a lot more seriously.

The Rise of Privacy Awareness

10-15 years ago when I first got into the security industry the awareness of security issues amongst users, developers and systems administrators was low. Microsoft Windows and IIS were swiss cheese in terms of security vulnerabilities. You could manually send malformed payloads to IIS 4.0 and have it crash with a stack or heap overflow, which would usually lead to a remote vulnerability.
A decade ago the entire software industry went through a reformation on awareness of security principals in administration and development. Microsoft re-trained all of their developers on buffer overflows, string formatting bugs, off-by-one bugs etc. and audited their entire code base. A number of high-profile security incidents raised awareness, and today vendors have proper security procedures, from reporting new bugs to hotfixes and secure programming principals (this wasn't just a Microsoft issue - but I had the most experience with them).
Privacy today feels like what security did 10-15 years ago - there is an awareness of the issues steadily building and blog posts from prominent technologists is helping to steamroll public consciousness. The risks around privacy today are just as serious as security leaks were then - except that there is an order of magnitude more users online and a lot more private data being shared on the web.
Facebook are front-and-center in the new privacy debate just as Microsoft were with security issues a decade ago. The question is what it will take for Facebook to address privacy issues and to give their users the tools required to manage their privacy and to implement clear policies - not pages and pages of confusing legal documentation, and 'logout' not really meaning 'logout'.

Update: Contact with Facebook

To clarify, I first emailed this issue to Facebook on the 14th of November 2010. I also copied the email to their press address to get an official response on it. I never got any response. I sent another email to Facebook, press and copied it to somebody I know at Facebook on the 12th of January 2011. Again, I got no response. I have copies of all the emails, the subject lines were very clear in terms of the importance of this issue.
I have been sitting on this for almost a year now. The renewed discussion about Facebook and privacy this weekend prompted me to write this post.
http://nikcub-static.appspot.com/logging...not-enough
"The philosophers have only interpreted the world, in various ways. The point, however, is to change it." Karl Marx

"He would, wouldn't he?" Mandy Rice-Davies. When asked in court whether she knew that Lord Astor had denied having sex with her.

“I think it would be a good idea” Ghandi, when asked about Western Civilisation.
Reply


Messages In This Thread
Facebook is scaring me - by Ed Jewett - 26-09-2011, 06:15 AM
Facebook is scaring me - by Magda Hassan - 26-09-2011, 06:47 AM
Facebook is scaring me - by Peter Lemkin - 26-09-2011, 07:39 AM
Facebook is scaring me - by Ed Jewett - 26-09-2011, 07:49 AM
Facebook is scaring me - by Peter Lemkin - 26-09-2011, 09:16 AM
Facebook is scaring me - by Jan Klimkowski - 26-09-2011, 09:34 PM
Facebook is scaring me - by Greg Burnham - 27-09-2011, 12:17 AM
Facebook is scaring me - by Peter Lemkin - 27-09-2011, 09:47 AM
Facebook is scaring me - by Ed Jewett - 29-09-2011, 03:42 AM
Facebook is scaring me - by Dawn Meredith - 05-10-2011, 03:31 PM
Facebook is scaring me - by Magda Hassan - 05-10-2011, 03:52 PM
Facebook is scaring me - by Ed Jewett - 05-10-2011, 10:32 PM
Facebook is scaring me - by Ed Jewett - 06-10-2011, 01:48 AM
Facebook is scaring me - by Ed Jewett - 06-10-2011, 01:51 AM
Facebook is scaring me - by Peter Lemkin - 06-10-2011, 08:04 AM
Facebook is scaring me - by Magda Hassan - 06-10-2011, 10:32 AM
Facebook is scaring me - by Ed Jewett - 06-10-2011, 11:36 AM
Facebook is scaring me - by Ed Jewett - 08-10-2011, 06:47 AM
Facebook is scaring me - by Albert Doyle - 09-10-2011, 04:26 PM
Facebook is scaring me - by Magda Hassan - 11-10-2011, 10:29 AM
Facebook is scaring me - by Carsten Wiethoff - 12-10-2011, 07:25 AM
Facebook is scaring me - by Ed Jewett - 13-10-2011, 07:58 PM
Facebook is scaring me - by Ed Jewett - 17-10-2011, 04:59 PM
Facebook is scaring me - by Magda Hassan - 18-10-2011, 12:58 AM
Facebook is scaring me - by Ed Jewett - 18-10-2011, 02:23 AM
Facebook is scaring me - by Ed Jewett - 20-10-2011, 09:43 PM
Facebook is scaring me - by Ed Jewett - 29-10-2011, 02:27 AM
Facebook is scaring me - by Keith Millea - 03-11-2011, 04:59 PM
Facebook is scaring me - by Keith Millea - 04-11-2011, 05:40 PM
Facebook is scaring me - by Albert Doyle - 04-11-2011, 09:08 PM
Facebook is scaring me - by Bernice Moore - 06-11-2011, 03:10 PM
Facebook is scaring me - by Albert Doyle - 06-11-2011, 03:43 PM
Facebook is scaring me - by Bernice Moore - 07-11-2011, 04:06 AM
Facebook is scaring me - by Carsten Wiethoff - 09-11-2011, 02:30 PM
Facebook is scaring me - by Peter Lemkin - 19-11-2011, 04:40 PM
Facebook is scaring me - by Ed Jewett - 20-11-2011, 07:10 PM
Facebook is scaring me - by Peter Lemkin - 27-01-2012, 06:28 PM
Facebook is scaring me - by Peter Lemkin - 07-02-2012, 10:57 AM
Facebook is scaring me - by Keith Millea - 07-02-2012, 05:59 PM
Facebook is scaring me - by Peter Lemkin - 07-02-2012, 06:33 PM
Facebook is scaring me - by Magda Hassan - 12-02-2012, 12:24 PM
Facebook is scaring me - by Magda Hassan - 12-02-2012, 12:26 PM
Facebook is scaring me - by Peter Lemkin - 26-02-2012, 09:21 PM
Facebook is scaring me - by Greg Burnham - 16-09-2012, 12:36 AM
Facebook is scaring me - by Dawn Meredith - 17-09-2012, 03:13 PM
Facebook is scaring me - by Greg Burnham - 17-09-2012, 04:35 PM
Facebook is scaring me - by Keith Millea - 17-09-2012, 05:52 PM
Facebook is scaring me - by Phil Dragoo - 17-09-2012, 11:33 PM
Facebook is scaring me - by Keith Millea - 17-09-2012, 11:58 PM
Facebook is scaring me - by Greg Burnham - 18-09-2012, 12:00 AM

Possibly Related Threads…
Thread Author Replies Views Last Post
  Facebook's CIA Study: Massive-Scale Emotional Contagion Through Social Netw David Guyatt 0 6,926 29-10-2016, 08:36 AM
Last Post: David Guyatt
  Facebook experiment to manipulate human behaviour and emotions David Guyatt 3 6,241 10-07-2014, 02:57 PM
Last Post: Magda Hassan
  Facebook account apparently frozen for Chemtrails picture David Guyatt 7 6,205 17-02-2014, 03:16 AM
Last Post: Lauren Johnson
  Facebook: ‘Dark Profiles’ Ed Jewett 0 2,549 06-08-2012, 07:51 PM
Last Post: Ed Jewett
  Facebook has saved the CIA millions of dollars; Bernice Moore 0 2,764 02-04-2011, 03:09 AM
Last Post: Bernice Moore
  U.S. Defense Department to do battle with social media/DARPA Looking for Facebook Warriors 0 426 Less than 1 minute ago
Last Post:

Forum Jump:


Users browsing this thread: 1 Guest(s)