Facebook has not yet fully emerged from the Cambridge Analytica data scandal, and it is already caught up in another data abuse case.
Researchers Steven Englehardt, Gunes Acar, and Arvind Narayanan, writing on the ‘Freedom To Tinker’ blog hosted by Princeton University’s Center For Information Technology Policy, found that hidden third-party trackers embedded in websites offering the “Login with Facebook” feature collect more of users’ data than those users intend to share.

Facebook confirmed the report and said it is investigating the matter. Third-party JavaScript embedded in websites that offer the option to log in with Facebook gathers user information such as name, age, gender, email address and profile photo from users’ Facebook profiles.
The purpose of this data collection is still unknown; however, the companies behind these trackers, such as Lytics and ProPS, sell publisher monetization services built on the collected user data.
According to the report, these malicious scripts were found on 434 of the top 1 million websites that offer the Facebook login feature, including MongoDB.
After the issue was brought to MongoDB’s attention, the company released a statement saying:
“We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”
Meanwhile, the concert site BandsInTown was found to be passing data collected through “Login With Facebook” to websites that had installed its Amplified advertising product. Those sites loaded an invisible BandsInTown iframe that carried the user data with it, and the JavaScript embedded on the sites then siphoned that data off. BandsInTown has since fixed the vulnerability.
The researchers noted that Facebook itself was not to blame here, as no hole in its security was responsible for the breach.

“This unintended exposure of Facebook data to third-parties is not due to a bug in Facebook’s Login feature. Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web,” the researchers said.
“Still, there are steps Facebook and other social login providers can take to prevent abuse: API use can be audited to review how, where, and which parties are accessing social login data. Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs. It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago.”
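The boundary problem the researchers describe is a site operator's problem as much as a login provider's: any script embedded on the page that runs the login flow shares that page's window. One way a site can restore a boundary is to run the social login only inside an iframe on a dedicated origin that embeds no third-party tags, and hand the main page nothing more than a minimal identity over postMessage. The following is an added example, not code from the report, from Facebook, or from any site named above; the origins, field names and the SDK-style response are constructed for the demonstration.

```javascript
// Added example (not code from the report, Facebook, or any site named above):
// keeping the "Login with Facebook" flow out of reach of third-party scripts.
//
// Assumed deployment: the login flow and the social login SDK run only inside
// an iframe served from a dedicated origin (LOGIN_ORIGIN) that embeds no
// third-party tags. The iframe posts a minimal identity to the main page via
// postMessage; the main page validates the sender and accepts only
// allow-listed fields. The access token and the raw profile never reach the
// main page's window, so trackers embedded there have nothing to read.

const LOGIN_ORIGIN = 'https://login.example-site.test'; // assumed iframe origin
const PARENT_ORIGIN = 'https://www.example-site.test';  // assumed main-page origin

// The only fields the main page actually needs. Email, access token, picture
// URL and global IDs stay inside the isolated origin.
const ALLOWED_FIELDS = ['appScopedId', 'displayName'];

// Runs inside the login iframe: reduce the SDK response to the allow-listed
// fields and build the message to post. targetOrigin is pinned so that a page
// on any other origin cannot receive it (the iframe code would call
// window.parent.postMessage(message, message.targetOrigin)).
function buildIdentityMessage(sdkResponse) {
  const identity = {};
  for (const field of ALLOWED_FIELDS) {
    if (typeof sdkResponse[field] === 'string') identity[field] = sdkResponse[field];
  }
  return { type: 'social-login', identity, targetOrigin: PARENT_ORIGIN };
}

// Runs in the main page's "message" event listener. Takes the MessageEvent
// shape ({ origin, data }) so it can be exercised outside a browser. Returns
// the accepted identity or null; the origin check is the one most often missed.
function acceptLoginMessage(event) {
  if (event.origin !== LOGIN_ORIGIN) return null;
  const data = event.data;
  if (!data || data.type !== 'social-login' ||
      typeof data.identity !== 'object' || data.identity === null) return null;
  const identity = {};
  for (const field of ALLOWED_FIELDS) {
    if (typeof data.identity[field] === 'string') identity[field] = data.identity[field];
  }
  if (!identity.appScopedId) return null;
  // Freeze so later page scripts cannot quietly attach extra data to it.
  return Object.freeze(identity);
}

// Constructed SDK-style response for the demo; none of this is real data.
const SAMPLE_SDK_RESPONSE = {
  appScopedId: '10000000000001',
  displayName: 'Example User',
  email: 'user@example.test',
  accessToken: 'constructed-access-token',
  pictureUrl: 'https://example.test/pic.jpg',
};

// Walk through the exchange once: the iframe builds the message, the main page
// accepts it from the trusted origin and rejects the same message from another.
function demo() {
  const message = buildIdentityMessage(SAMPLE_SDK_RESPONSE);
  return {
    fromTrustedOrigin: acceptLoginMessage({ origin: LOGIN_ORIGIN, data: message }),
    fromOtherOrigin: acceptLoginMessage({ origin: 'https://tracker.example.test', data: message }),
  };
}
```

The design choice worth noting is that minimisation happens on both sides: the iframe never sends the token or email, and the main page discards anything outside the allow-list even if a future iframe version starts sending more. Scripts embedded on the main page can still read the accepted identity, so it should contain only what the page would show anyway.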
Facebook is working on the issue; in a statement to TechCrunch, a Facebook spokesperson said:
“Scraping Facebook user data is in direct violation of our policies. While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.”
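The two controls in that statement, rate limiting profile-picture requests and being able to review which party looked up whom, are simple to sketch on the provider side. Below is an added example, not Facebook's code and not from the report: a per-app sliding-window guard for profile-picture lookups keyed by app-scoped user ID that also keeps an audit trail per app and page origin. The thresholds, app names and traffic are constructed, and the clock is injectable so the window logic can be checked deterministically.

```javascript
// Added example (not Facebook's code): a per-app sliding-window limiter with an
// audit trail for profile-picture lookups keyed by app-scoped user ID. It
// records who (which app, from which page origin) looked up whom, so usage can
// be reviewed, and it denies a lookup once an app exceeds either the request
// rate or the number of distinct users it has fetched in the window. All
// names, thresholds and traffic below are constructed.

function createProfilePictureGuard({ windowMs = 60_000, maxRequests = 100,
                                     maxDistinctUsers = 20, now = Date.now } = {}) {
  const perApp = new Map(); // appId -> [{ t, userId }] of allowed lookups in the window
  const audit = [];         // every decision, allowed or not, for later review

  // Drop window entries older than windowMs.
  function prune(events, t) {
    while (events.length && events[0].t <= t - windowMs) events.shift();
  }

  // Decide one lookup. Returns 'allow', 'deny:rate' or 'deny:distinct-users'.
  function check({ appId, userId, pageOrigin }) {
    const t = now();
    if (!perApp.has(appId)) perApp.set(appId, []);
    const events = perApp.get(appId);
    prune(events, t);

    const distinct = new Set(events.map(e => e.userId));
    let verdict = 'allow';
    if (events.length >= maxRequests) {
      verdict = 'deny:rate';
    } else if (!distinct.has(userId) && distinct.size >= maxDistinctUsers) {
      // Re-fetching users the app already served is normal; walking through
      // ever more new IDs from one app is the pattern worth stopping.
      verdict = 'deny:distinct-users';
    }

    if (verdict === 'allow') events.push({ t, userId });
    audit.push({ t, appId, pageOrigin, userId, verdict });
    return verdict;
  }

  // Summarise the audit trail per app: lookups, denials, distinct users, origins.
  function report() {
    const byApp = new Map();
    for (const entry of audit) {
      if (!byApp.has(entry.appId)) {
        byApp.set(entry.appId, { lookups: 0, denied: 0, users: new Set(), origins: new Set() });
      }
      const s = byApp.get(entry.appId);
      s.lookups += 1;
      if (entry.verdict !== 'allow') s.denied += 1;
      s.users.add(entry.userId);
      s.origins.add(entry.pageOrigin);
    }
    return Object.fromEntries([...byApp].map(([appId, s]) => [appId, {
      lookups: s.lookups, denied: s.denied,
      distinctUsers: s.users.size, origins: [...s.origins].sort(),
    }]));
  }

  return { check, report };
}

// Constructed traffic: a normal app fetches pictures of its two logged-in
// users; a tracker-like app walks through many different user IDs from
// several sites in a few seconds.
function runSimulation() {
  let clock = 0;
  const guard = createProfilePictureGuard({ now: () => clock });
  const verdicts = { normal: [], scraper: [] };
  for (let i = 0; i < 5; i++) {
    clock += 1000;
    verdicts.normal.push(guard.check({ appId: 'app-normal', userId: `u${i % 2}`,
                                       pageOrigin: 'https://shop.example.test' }));
  }
  for (let i = 0; i < 30; i++) {
    clock += 100;
    verdicts.scraper.push(guard.check({ appId: 'app-tracker', userId: `u${1000 + i}`,
                                        pageOrigin: `https://site${i % 3}.example.test` }));
  }
  return { verdicts, report: guard.report() };
}
```

In the simulation the normal app is never denied, while the tracker-like app is allowed its first twenty distinct users and then refused, and the report shows it reaching thirty distinct users from three page origins, which is the kind of row an audit review would flag. Denied lookups are still written to the audit trail so the review sees the attempts, not only the successes.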
Although Facebook has made many changes to its API to safeguard users’ data, it still cannot stop such data abuse. This further weakens Facebook’s already fragile position on third parties being able to access users’ data.
“When a user grants a website access to their social media profile, they are not only trusting that website, but also third-parties embedded on that site,” wrote researcher Steven Englehardt.
The updates evidently are not enough, and Facebook needs to make further changes to its policies to prevent developers from gathering app-specific user login details.
Facebook, already in hot water, must be sweating after this revelation, since the network has lately been a target of criticism for its weak privacy policies. Recent data violation incidents have alarmed users, who are now very concerned about their data and are questioning its safety. Facebook says it is looking into the issue; we hope that this time it mends all the holes once and for all.