Third-party sites exploiting Facebook user data by using log-in trackers
Researchers at Princeton University have discovered that several third-party trackers across the web are abusing the ‘Login with Facebook’ feature by exfiltrating users’ personal data through the API (application programming interfaces) for advertising purposes.
The security research report was published by researchers at Freedom to Tinker – a digital initiative by Princeton University’s Center for Information Technology Policy. According to the report, personal identifiable information such as “name, email address, age range, gender, locale and profile photo”, are collected by the third-party trackers.
“Some third parties use the Facebook Login feature to authenticate users across many websites. However, hidden third-party trackers can also use Facebook Login to deanonymize users for targeted advertising. This is a privacy violation, as it is unexpected and users are unaware of it,” Englehardt, Acar, and Narayanan wrote on the Freedom to Tinker blog hosted by Princeton’s Center for Information Technology Policy.
“This unintended exposure of Facebook data to third parties is not due to a bug in Facebook’s Login feature. Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web,” they wrote.
Many people use the Facebook Login feature, as it is a quick and easy method of creating accounts without requiring the user to input basic information, such as name, birthday and email address, into a registration form. But this shortcut might mean users are handing over significantly more information than intended.
The researchers found two types of vulnerabilities: Seven third parties abusing websites’ access to Facebook user data and one third party using its own Facebook “application” to track users around the web.
“We’ve uncovered an additional risk: when a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site,” Englehardt wrote in a report.
The researchers found seven scripts collecting Facebook user data using the first party’s Facebook access. “These scripts are embedded on a total of 434 of the top 1 million sites, including fiverr.com, bhphotovideo.com, and mongodb.com,” they wrote.
When contacted about the report, MongoDB stated that “We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”
On the other hand, a Facebook spokesperson commenting on the issue said, “Scraping Facebook user data is in direct violation of our policies. While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.”
According to the researchers, Facebook and other social login providers could prevent such exploit by auditing the use of APIs that access users’ login data, or by using app-scoped user IDs instead of global user IDs for logging in to other sites.
“It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago,” they added.