
Facebook cookies remain valid even after logging out of the site.

Among the latest innovations on Facebook is the publication of statuses on the social network about pages a user has visited, even if the user did not press the Like button. Thus, information about a user's actions can become public without their knowledge and, possibly, against their wishes. Some well-known people were alarmed by this possibility, so they recommend logging out of Facebook before visiting other sites.

But it turns out the problem runs much deeper. Some Facebook cookies persist even after the user logs out, so Facebook can follow the user's actions and update their statuses.

Security specialist Nik Cubrilovic shows which cookies are set when logging in to facebook.com.

Cookie:
datr=tdnZTOt21HOTpRkRzS-6tjKP;
lu=ggIZeheqTLbjoZ5Wgg;
openid_p=101045999;
c_user=500011111;
sct=1316000000;
xs=2%3A99105e8977f92ec58696cf73dd4a32f7;
act=1311234574586%2F0


And these are the ones removed during logout.
Set-Cookie:
_e_fUJO_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
c_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
fl=1; path=/; domain=.facebook.com; httponly
L=2; path=/; domain=.facebook.com; httponly
locale=en_US; expires=Sun, 02-Oct-2011 07:52:33 GMT; path=/; domain=.facebook.com
lu=ggIZeheqTLbjoZ5Wgg; expires=Tue, 24-Sep-2013 07:52:33 GMT; path=/; domain=.facebook.com; httponly
s=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
sct=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
W=1316000000; path=/; domain=.facebook.com
xs=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly


As you can see, not all of the cookies that were set are deleted; some (locale and lu) are simply assigned a new expiry date, and three new cookies (W, fl, L) are set on logout.

As a result, even after logging out of Facebook, cookies are still sent to the site, including identifying information. Here is an example request from a logged-out user.

Cookie:
datr=tdnZTOt21HOTpRkRzS-6tjKP;
openid_p=101045999;
act=1311234574586%2F0;
L=2;
locale=en_US;
lu=ggIZeheqTLbjoZ5Wgg;
lsd=IkRq1;
reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Findex.php%3Flh%3Dbf0ed2e54fbcad0baaaaa32f88152%26eu%3DJhvyCGewZ3n_VN7xw1BvUw;
reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Findex.php%3Flh%3Dbf0ed2e54fbcad0b1aaaaa152%26eu%3DJhvyCGewZ3n_VN7xw1BvUw


That is, whenever a user visits a page with a Like button or any other Facebook button, information about the visit goes to Facebook.

Thus, a reliable way to avoid “snooping” is to delete the facebook.com cookies completely and no longer visit the site; alternatively, set up the appropriate filters in AdBlock or similar programs.
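The comparison the article makes by eye can be replayed mechanically when auditing any site's logout. The Python sketch below is an added example, not code from the original article or from Cubrilovic: it applies the article's Set-Cookie lines to the login cookie jar and reports which cookies survive; the function names and the capture time ASSUMED_NOW are assumptions made for the example.

```python
from datetime import datetime, timezone

# Header values copied from the article's captures.
LOGIN_COOKIE = ("datr=tdnZTOt21HOTpRkRzS-6tjKP; lu=ggIZeheqTLbjoZ5Wgg; openid_p=101045999; c_user=500011111; "
                "sct=1316000000; xs=2%3A99105e8977f92ec58696cf73dd4a32f7; act=1311234574586%2F0")
LOGOUT_SET_COOKIE = """\
_e_fUJO_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
c_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
fl=1; path=/; domain=.facebook.com; httponly
L=2; path=/; domain=.facebook.com; httponly
locale=en_US; expires=Sun, 02-Oct-2011 07:52:33 GMT; path=/; domain=.facebook.com
lu=ggIZeheqTLbjoZ5Wgg; expires=Tue, 24-Sep-2013 07:52:33 GMT; path=/; domain=.facebook.com; httponly
s=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
sct=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
W=1316000000; path=/; domain=.facebook.com
xs=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly"""
# Cookie names in the article's logged-out request.
LOGGED_OUT_NAMES = {"datr", "openid_p", "act", "L", "locale", "lu", "lsd", "reg_fb_gate", "reg_fb_ref"}
ASSUMED_NOW = datetime(2011, 9, 25, tzinfo=timezone.utc)  # assumption: capture time, before the non-epoch expiries

def parse_cookie_header(header):
    """Cookie request header -> {name: value}."""
    return dict(p.strip().split("=", 1) for p in header.split(";") if p.strip())

def is_deletion(line, now):
    """True if a Set-Cookie line carries an 'expires' attribute that is already in the past."""
    attrs = {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in line.split(";")[1:] if "=" in p)}
    expires = attrs.get("expires")
    if expires is None:
        return False  # no expiry attribute: the cookie is stored
    when = datetime.strptime(expires, "%a, %d-%b-%Y %H:%M:%S GMT")
    return when.replace(tzinfo=timezone.utc) <= now

def audit_logout(login_header, set_cookie_lines, now=ASSUMED_NOW):
    """Return (names of session cookies that survive logout, names newly set at logout)."""
    before = parse_cookie_header(login_header)
    jar = dict(before)
    for line in set_cookie_lines.splitlines():
        name, value = line.split(";", 1)[0].strip().split("=", 1)
        if is_deletion(line, now):
            jar.pop(name, None)   # past expiry: the browser drops the cookie
        else:
            jar[name] = value     # stored or refreshed with a new expiry
    return set(jar) & set(before), set(jar) - set(before)

if __name__ == "__main__":
    survivors, added = audit_logout(LOGIN_COOKIE, LOGOUT_SET_COOKIE)
    print("survive logout:", sorted(survivors), "| set at logout:", sorted(added))
    print("survivors still sent when logged out:", sorted(survivors & LOGGED_OUT_NAMES))
```

Any name in the first returned set is a cookie the logout response never cleared; a logout flow that is meant to end tracking of the session should leave that set empty.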

Source: https://habr.com/ru/post/129154/

