Third-parties abusing 'Facebook Login' to steal users' data: Report

The unintended exposure of Facebook data to third party JavaScript trackers is not owing to a bug in Facebook's Login feature.

IANS
San Francisco, Publish Date: Apr 19 2018 11:15AM | Updated Date: Apr 19 2018 11:15AM

Several third-party trackers are abusing Facebook Login, exfiltrating users' data including name, email address, age range, gender, locale and profile photo, a new security research report has claimed.

The unintended exposure of Facebook data to third party JavaScript trackers is not owing to a bug in Facebook's Login feature.

"Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today's web," said the report prepared by Steven Englehardt, Gunes Acar and Arvind Narayanan, researchers at Freedom to Tinker -- a digital initiative by Princeton University's Center for Information Technology Policy.

"We report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from websites through "login with Facebook" and other such social login APIs," the trio wrote.

Meanwhile, Facebook told the technology website TechCrunch that it was investigating the security research report.

The researchers found two types of vulnerabilities: Seven third parties abusing websites' access to Facebook user data and one third party using its own Facebook "application" to track users around the web.

British political consultancy firm Cambridge Analytica was found misusing users' data collected by a Facebook quiz app which used the "Login with Facebook" feature.

"We've uncovered an additional risk: when a user grants a website access to their social media profile, they are not only trusting that website but also third parties embedded on that site," the report noted.

The researchers found seven scripts collecting Facebook user data using the first party's Facebook access.

"These scripts are embedded on a total of 434 of the top 1 million sites, including fiverr.com, bhphotovideo.com, and mongodb.com," they wrote.

The user ID collected through the Facebook API is specific to the website (or the "application" in Facebook's terminology), which would limit the potential for cross-site tracking.

"But these app-scoped user IDs can be used to retrieve the global Facebook ID, user's profile photo, and other public profile information, which can be used to identify and track users across websites and devices," the researchers warned.

"While we can't say how these trackers use the information they collect, we can examine their marketing material to understand how it may be used," they noted.

OnAudience, Tealium AudienceStream, Lytics, and ProPS all offer some form of "customer data platform", which collects data to help publishers better monetise their users.

Forter offers "identity-based fraud prevention" for e-commerce sites while Augur offers cross-device tracking and consumer recognition services.

Hidden third-party trackers can also use "Facebook Login to deanonymise users for targeted advertising".

"This is a privacy violation, as it is unexpected and users are unaware of it," the researchers said.

There are steps Facebook and other social login providers can still take to prevent abuse.

"API use can be audited to review how, where, and which parties are accessing social login data. Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs," the report emphasised.

"It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago," the researchers added.
