Facebook: analysis and defense
2007-12-18 02:22 pm

Thanks to this
excellent post on EFF's
Deeplinks blog, I can now point the few of you who are interested in
the details at Jay Goldman's excellent analysis explaining how FB and their Beacon
partners accomplish something that would be a cross-site scripting attack
if they weren't ganging up on you to do it. It's done without
cookies, by the way; the key part is javascript on the original page
dynamically constructing an iframe that does the dirty work and
talks to Facebook.
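The pattern just described, a script on the partner page inserting an iframe aimed at a different site, is something a defender can watch for in the browser. The example below is added here and is not code from the original post or from Goldman's analysis; the hostnames are constructed placeholders and the two-label "same site" heuristic is an assumption that ignores suffixes like co.uk.

```javascript
// Added example, not code from the original post or from Goldman's analysis.
// Flags iframes whose src points at a different site than the page that
// created them. Pure logic runs in Node; the observer hook needs a DOM.
// Registrable-domain heuristic: last two hostname labels (assumption: fine
// for example.com-style hosts, wrong for co.uk-style suffixes).
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Classify one iframe src relative to its page: "same-site", "third-party",
// or "opaque" (about:, javascript:, data: or unparsable - script fills it).
function classifyFrame(pageUrl, src) {
  if (!src || /^(about|javascript|data):/i.test(src)) {
    return { src: src || "", verdict: "opaque" };
  }
  let target;
  try {
    target = new URL(src, pageUrl); // relative srcs resolve against the page
  } catch (e) {
    return { src, verdict: "opaque" };
  }
  if (!/^https?:$/.test(target.protocol)) return { src, verdict: "opaque" };
  const same = siteOf(target.hostname) === siteOf(new URL(pageUrl).hostname);
  return { src, verdict: same ? "same-site" : "third-party" };
}

// Everything a defender would want to look at: anything not same-site.
function auditFrames(pageUrl, srcs) {
  return srcs.map((s) => classifyFrame(pageUrl, s))
             .filter((r) => r.verdict !== "same-site");
}

// Browser only: report iframes inserted after load, the dynamic case above.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  new MutationObserver((records) => {
    for (const rec of records) {
      for (const node of rec.addedNodes) {
        if (node.tagName !== "IFRAME") continue;
        const r = classifyFrame(location.href, node.getAttribute("src"));
        if (r.verdict !== "same-site") console.warn("injected frame:", r);
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
// Constructed sample (placeholder hostnames): a shop page embedding its own
// help widget, a CDN subdomain, and a frame aimed at a third-party host.
const samplePage = "https://shop.example.com/checkout/done";
const sampleSrcs = ["/widgets/help.html", "https://cdn.shop.example.com/promo",
                    "https://tracker.example.net/beacon?item=123", "about:blank"];
```

Loaded as a content script, the observer reports frames added after the page loads; the same logic applied to a saved page's iframe list gives an offline audit.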
So, if blocking cookies won't do it, how do you disable Beacon? The answer is in this blog post by Nate Weiner. Finally, here's CA Security Advisor pointing out that Facebook gets the information about your third-party activity whether or not you opt out. Goldman's analysis makes that clear as well. Facebook, of course, says that 'If a Facebook user clicks "No, thanks" on the partner site notification, Facebook does not use the data and deletes it from its servers.'
Do you trust them?