Facebook: Cookie tracking issue is limited, fix coming today

Facebook: Cookie tracking issue is limited, fix coming today

Summary: Facebook has confirmed a tracking cookie bug and said it will fix it today. The company has also explained that the issue is limited in scope – only some third-party websites are affected.

SHARE:
7

Soon after self-proclaimed hacker Nik Cubrilovic discovered Facebook is once again setting its datr cookie via the Like button and other social plugins, the company has made an attempt to clarify the findings. Facebook has confirmed this is indeed a bug, but says that it is limited in scope and that it will be fixed today.

The cookie in question can be set even if the user has never been to Facebook, and even if he or she doesn't click on a given Facebook widget. It can be read later to track a user across different Web properties and back to the Facebook site. Cubrilovic said it is reportedly the first cookie set on all third-party websites with a Facebook social plugin, and for all users of the social network – whether you are logged in or logged out.

I contacted Facebook and a spokesperson pointed me to a comment made to Cubrilovic by Facebook engineer Gregg Stefancik:

I am a engineer at Facebook who works on Facebook's login systems. Thanks for raising this issue. We still have a policy of not building profiles based on data from logged out users. Reports like this help us make sure we're adhering to that policy which has not changed. As we discussed last week, we are examining our cookie setting behavior to make sure we do not inadvertently receive data that could be associated with a specific person not logged into Facebook.

We have been made aware of 2 instances in the past 2 weeks related to cookies which needed to be addressed. What you describe in this post is not a re-enabling of anything, but a separate issue involving a limited number of sites, including CBSSports. We have moved quickly to investigate and resolve this latest issue which will be fully addressed today. We encourage security researchers to test our practices and report them to us through our whitehat program which rewards people like you who identify issues.

I also asked for further clarification on how many third-party websites have this issue and why not all websites are affected. "Sites that called our API in a non-standard way, one in which we had not considered to protect against cookie-setting for non-users, were impacted by this bug," a Facebook spokesperson said in a statement.

It looks like another mystery has been solved, although something tells me this story is not over. Going forward, Facebook is going to face much closer scrutiny related to its cookies and user tracking than it ever has before.

Part of this will come from legal bodies. 10 privacy groups and US congressmen last week sent letters asking the Federal Trade Commission (FTC) to investigate Facebook for these and other practices. Furthermore, Ireland's Data Protection Commissioner has agreed to conduct a privacy audit of Facebook. Given that the social network's international headquarters is in Dublin, the latter is the more serious one as the larger majority of the site's users could be affected. Facebook has even had to defend itself in regards to a recent patent it filed, arguing that the document does not describe how to track logged-out users.

See also:

Topic: Social Enterprise

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • RE: Facebook: Cookie tracking issue is limited, fix coming today

    MR Zuckerberg im here to return the favour and insert a cookie in your asshole on november 5
    newbedave
  • RE: Facebook: Cookie tracking issue is limited, fix coming today

    Facebook will always "claim" to fix these problems but will just end up using different ways to collect this data.

    I'm sure they'll merge a few cookies next and the result is the tracking data will be folded into the cookies they use "for security and anti-spam" purposes
    ZazieLavender
  • RE: Facebook: Cookie tracking issue is limited, fix coming today

    Now I want to hear the same guys that cried when Google invaded their mysterious privacy with Google Street Cars tracking SSIDs to cry for Facebook smelling right into their a-ss.
    nanomartin
  • RE: Facebook: Cookie tracking issue is limited, fix coming today

    But if you don't allow 3rd party cookies, forget signing up with them! Limited my butt! Just sniff a connection or two and watch what goes on!
    tomaaaaaa1
  • RE: Facebook: Cookie tracking issue is limited, fix coming today

    Looks like Twitter and many other sites do the same thing. Try this. Clear your cookies and reload this page, you will get about 2 dozen cookies from different sites.
    MistyJesse
  • RE: Facebook: Cookie tracking issue is limited, fix coming today

    Now I'm Pis&ed! Why does zdnet put com.com, crowdscience.com, imrworldwide.com, revsci.com, scorecardresearch.com, stumbleupon.com, tag.admeld.com and twitter.com in my browser? Are these tracking cookies. I just might stop using zdnet because of this behavior. I do, of course, have my browsers set to delete all cookies, history, passwords and everything else when I exit, but that still doesn't make it right to shove cookies down my throat. BAD, BAD, ZDNET!!!! As I have stated before, FB and Twitter, etc ., are junk!!!
    Denny Fry
  • Facebook Cookie Tracking "Fix"

    "Going forward, Facebook is going to face much closer scrutiny related to its cookies and user tracking than it ever has before."<br><br>That's a good thing! The problem is that interest will fade (barring further revelations) and FB will continue to devise more devious methods to collect and track our personal activity to pad its' bottom line.
    hectorj102