Facebook tracking cookie returns, according to hacker


Summary: The datr cookie, which can be used for tracking users, is once again being set on third-party websites with a Facebook social plugin – whether you are logged in or logged out of the service.


Update: This has been confirmed. Facebook: cookie tracking issue is limited, fix coming today.

Self-proclaimed hacker Nik Cubrilovic says he has once again caught Facebook red-handed. After being tipped off by Twitter user Jonathan Mayer about cbssports.com, he has discovered Facebook is once again setting its datr cookie via Like buttons and other social plugins.

Back in May, The Wall Street Journal reported the following:

Until recently, some Facebook widgets also obtained browsing data about Internet users who had never visited Facebook.com, though Facebook wouldn't know their identity. The company says it discontinued that practice, which it described as a "bug," earlier this year after it was disclosed by Dutch researcher Arnold Roosendaal of Tilburg University.

The cookie was being set even if the user had never been to the Facebook site, and even if he or she didn't click on a given Facebook widget. Cubrilovic says the datr cookie is now back and just as before, and is being "set by all the third-party sites that we tested." It can be read later to track a user across different Web properties and back to the Facebook site.

Facebook's own description of the datr cookie is as follows:

We set the 'datr' cookie when a web browser accesses facebook.com (except social plugin iframes), and the cookie helps us identify suspicious login activity and keep users safe. For instance, we use it to flag questionable activity like failed login attempts and attempts to create multiple spam accounts.

Cubrilovic says that despite this explanation, the cookie is now again being set. It is reportedly the first cookie that is set on all third-party websites with a Facebook social plugin, and for all users of the social network – whether you are logged in or logged out.
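The behaviour described here, a persistent cookie set by a plugin response on one site and sent back from others, can be checked against a browser capture. This is an added example, not code from the article or from Cubrilovic; the capture records, the cookie value, the `*.example` hosts and the record shape (`page`, `request`, `setCookie`, `cookie`) are constructed assumptions.

```javascript
// Added example; every record in `capture` is constructed, not real traffic.
// Simplification: "site" = last two host labels (no public-suffix list).
const site = (u) => new URL(u).hostname.split('.').slice(-2).join('.');

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const keys = attrs.map((a) => a.split('=')[0].toLowerCase());
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    persistent: keys.includes('expires') || keys.includes('max-age'),
  };
}

// Returns persistent cookies set by a third-party response and later sent
// back to that third party from pages on other sites.
function findCrossSiteCookies(capture) {
  const tracked = new Map(); // "site|name=value" -> finding
  for (const rec of capture) {
    const pageSite = site(rec.page);
    const reqSite = site(rec.request);
    if (pageSite === reqSite) continue; // first-party request, out of scope
    for (const pair of (rec.cookie || '').split(';').map((s) => s.trim())) {
      const hit = tracked.get(`${reqSite}|${pair}`);
      if (hit && hit.setOn !== pageSite && !hit.sentFrom.includes(pageSite)) {
        hit.sentFrom.push(pageSite);
      }
    }
    for (const header of rec.setCookie || []) {
      const c = parseSetCookie(header);
      const key = `${reqSite}|${c.name}=${c.value}`;
      if (c.persistent && !tracked.has(key)) {
        tracked.set(key, { name: c.name, domain: reqSite, setOn: pageSite, sentFrom: [] });
      }
    }
  }
  return [...tracked.values()].filter((f) => f.sentFrom.length > 0);
}

const plugin = 'https://www.facebook.com/plugins/like.php';
const capture = [ // constructed sample, in time order
  { page: 'https://www.cbssports.com/', request: plugin,
    setCookie: ['datr=CONSTRUCTED-VALUE; expires=Thu, 03 Oct 2013 00:00:00 GMT; path=/; domain=.facebook.com; httponly'] },
  { page: 'https://www.cbssports.com/', request: 'https://cdn.example.net/lib.js',
    setCookie: ['sid=1; path=/'] },
  { page: 'https://news.example/story', request: plugin, cookie: 'datr=CONSTRUCTED-VALUE' },
  { page: 'https://shop.example/', request: plugin, cookie: 'datr=CONSTRUCTED-VALUE' },
];
console.log(findCrossSiteCookies(capture));
```

The session-only `sid` cookie is not reported because it carries no `Expires` or `Max-Age`; only the persistent cookie that reappears on other sites is.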

Independent researcher Ashkan Soltani, who filed a bug about the datr cookie before, has again submitted a bug report to Facebook, according to Cubrilovic. It's currently unclear if this cookie was re-enabled accidentally or on purpose, but either way an explanation is in order.

Last week, Cubrilovic accused Facebook of tracking its users even if they log out of the social network. He explained that even after logging out of the service, whenever he visited a website that had a Facebook plugin, information including his account ID was still being sent to Palo Alto.

The company responded by denying the claims and offering an explanation as to why its cookies behave the way they do. Palo Alto explained that it does not track users across the Web and its cookies are used to personalize content. As for the logged-out cookies, Facebook said they are used for safety and protection.

After a long technical discussion, Cubrilovic confirmed Facebook made changes to the logout process, and that the cookies in question now behave as they should. They still exist, but they no longer send back personally-identifiable information after you log out. The company also took the time to explain what each cookie is responsible for.

Following all this, 10 privacy groups and US congressmen sent letters asking the Federal Trade Commission (FTC) to investigate Facebook for these and other practices. Furthermore, Ireland's Data Protection Commissioner has agreed to conduct a privacy audit of Facebook. Given that the social network's international headquarters is in Dublin, the latter is the more serious of the two, as the majority of the site's users could be affected. Facebook has even had to defend itself with regard to a recent patent it filed, arguing that the document does not describe how to track logged-out users.

If Cubrilovic's latest findings are accurate, governments around the world just got another reason to probe the social networking giant. I have contacted Facebook to find out more about this issue.


Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

  • RE: Facebook tracking cookie returns, according to hacker

    I just wonder how many people actually care about these tracking policies of Facebook. When you log in to a site through a Facebook account you are explicitly giving consent to use your data from Facebook to that site. So, from a user perspective, what is the big deal of seeing that you and/or your friends liked a specific thing or use your Facebook account to post on that very same site? Too much for too little.
    • RE: Facebook tracking cookie returns, according to hacker

      Yes, I do care; that's why I quit being a member as soon as I knew how to do it. I don't mind being "tracked" on any given web site, but when I leave it's none of your stinking business what I do, go. Not because I have something to hide; it's because it's none of your business. It's just that simple.
  • RE: Facebook tracking cookie returns, according to hacker

    Facebook knows you are here. Run.
    • RE: Facebook tracking cookie returns, according to hacker

      @drewschug FACEBOOK is based on the film CATCH ME IF YOU CAN
  • If they are breaking laws

    If they are breaking laws then someone from FB needs to answer for the law. Web sites have no business tracking anyone unless you're on their site.
  • RE: Facebook tracking cookie returns, according to hacker

    MS does the same thing if you have Bing toolbar installed with recommended settings. What's worse is that these two companies have a partnership where they sell each other user data (at least MS buys and Facebook sells). My recommendation is if you care about privacy, don't use these services.
  • anti hacked now

    I just removed it off my website http://letmewatchthis.name anti hacked
  • Alternatives to Tracked Social Networks

    Tracking user data has been the standard practice of these internet giants for years now. Only recently there has been a growing concern among average web users over how much personal, private data these companies really have.

    The concern does not stem from these companies collecting this data, but from how secure their data is once it is in Facebook's or Google's possession. Hackers stealing this data, or this information getting sold to shady third parties are all legitimate concerns.

    Because of these concerns, a new trend is emerging with savvy social network users switching over to fully private social platforms such as Sgrouples.com. Sgrouples does not track or collect any user data, and all activity within the network is completely private.