Soon after self-proclaimed hacker Nik Cubrilovic discovered Facebook is once again setting its datr cookie via the Like button and other social plugins, the company has made an attempt to clarify the findings. Facebook has confirmed this is indeed a bug, but says that it is limited in scope and that it will be fixed today.
The cookie in question can be set even if the user has never been to Facebook, and even if he or she never clicks on a given Facebook widget. It can be read later to track a user across different Web properties and back to the Facebook site. According to Cubrilovic, it is the first cookie set on all third-party websites with a Facebook social plugin, and for all users of the social network, whether logged in or logged out.
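The mechanism described above, modelled as an added Python example that is not part of the original article: a browser cookie jar in which the host serving the Like button sets datr in a third-party context for a user who never visits facebook.com, the identifier then links visits to unrelated sites, and blocking third-party cookies breaks that link. The second site name, the cookie value format and the plugin-server logic are constructed assumptions; only cbssports.com comes from the article.

```python
import secrets
from collections import defaultdict

PLUGIN_HOST = "facebook.com"  # host serving the Like button (simplified model of the article's setup)

class Browser:
    """Minimal cookie jar keyed by host; optionally refuses cookies in third-party contexts."""

    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = defaultdict(dict)  # host -> {cookie name: value}

    def _allowed(self, host, top_site):
        # Third-party context: the responding host differs from the site in the address bar.
        return not (self.block_third_party and host != top_site)

    def cookies_for(self, host, top_site):
        return dict(self.jar[host]) if self._allowed(host, top_site) else {}

    def store(self, host, set_cookie, top_site):
        if self._allowed(host, top_site):
            self.jar[host].update(set_cookie)

class PluginServer:
    """Stand-in for the plugin endpoint: sets datr when absent and logs the referring site per datr."""

    def __init__(self):
        self.visits = defaultdict(list)  # datr value -> sites where it was presented

    def serve_like_button(self, cookies_sent, referrer):
        datr = cookies_sent.get("datr")
        set_cookie = {}
        if datr is None:  # first contact: hand out a fresh identifier (constructed, not Facebook's format)
            datr = secrets.token_hex(8)
            set_cookie = {"datr": datr}
        self.visits[datr].append(referrer)
        return set_cookie

def visit_with_plugin(browser, server, site):
    """Load a page on `site` that embeds the Like button; the user never visits facebook.com itself."""
    sent = browser.cookies_for(PLUGIN_HOST, top_site=site)
    browser.store(PLUGIN_HOST, server.serve_like_button(sent, referrer=site), top_site=site)

def history_seen_by_plugin(block_third_party):
    """Return {datr: [sites]} the plugin host can reconstruct after two unrelated sites are visited."""
    browser, server = Browser(block_third_party), PluginServer()
    for site in ("cbssports.com", "news.example"):  # cbssports.com is named in the article; news.example is constructed
        visit_with_plugin(browser, server, site)
    return dict(server.visits)
```

With third-party cookies allowed, one datr value is presented from both sites; with them blocked, each visit yields an unlinked fresh value.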
I contacted Facebook and a spokesperson pointed me to a comment made to Cubrilovic by Facebook engineer Gregg Stefancik:
I am an engineer at Facebook who works on Facebook's login systems. Thanks for raising this issue. We still have a policy of not building profiles based on data from logged out users. Reports like this help us make sure we're adhering to that policy, which has not changed. As we discussed last week, we are examining our cookie setting behavior to make sure we do not inadvertently receive data that could be associated with a specific person not logged into Facebook.
We have been made aware of 2 instances in the past 2 weeks related to cookies which needed to be addressed. What you describe in this post is not a re-enabling of anything, but a separate issue involving a limited number of sites, including CBSSports. We have moved quickly to investigate and resolve this latest issue which will be fully addressed today. We encourage security researchers to test our practices and report them to us through our whitehat program which rewards people like you who identify issues.
I also asked for further clarification on how many third-party websites have this issue and why not all websites are affected. "Sites that called our API in a non-standard way, one in which we had not considered to protect against cookie-setting for non-users, were impacted by this bug," a Facebook spokesperson said in a statement.
It looks like another mystery has been solved, although something tells me this story is not over. Going forward, Facebook is going to face much closer scrutiny related to its cookies and user tracking than it ever has before.
Part of this will come from legal bodies. Ten privacy groups and US congressmen last week sent letters asking the Federal Trade Commission (FTC) to investigate Facebook for these and other practices. Furthermore, Ireland's Data Protection Commissioner has agreed to conduct a privacy audit of Facebook. Given that the social network's international headquarters is in Dublin, the latter is the more serious one, as the large majority of the site's users could be affected. Facebook has even had to defend itself regarding a recent patent it filed, arguing that the document does not describe how to track logged-out users.