Third-party tracking scripts are abusing “Login with Facebook” to extract Facebook profile data from the browsers of visitors who have logged in to a site with Facebook, security researchers at Princeton have found.
The researchers describe two distinct ways third parties exploit this:
- Third-party scripts abusing a website’s own access to Facebook user data.
- A third party using its own Facebook “application” to track users around the web.
“Facebook Login and other social login systems simplify the account creation process for users… but social login brings risks,” said the researchers.
“We’ve uncovered… when a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site.”
The researchers found seven scripts collecting Facebook user data through the Facebook Login access that the host websites themselves had requested.
The scripts were embedded on 434 of the top one million sites. Most of them grab only the user ID, while two also collect additional profile information such as email and username.
Sites found embedding these scripts include tribunnews.com, trustedreviews.com, and lyrics.com.
“We believe the websites embedding these scripts are likely unaware of this particular data access.”
The table below gives an overview of the scripts identified. The asterisk marks OnAudience, which has since stopped collecting this information.

| Company | Script Address | Facebook Data Collected |
|---|---|---|
| OnAudience* | http://api.behavioralengine.com/scripts/be-init.js | User ID (hashed), Email (hashed), Gender |
| Lytics | https://c.lytics.io/static/io.min.js (loaded via OpenTag) | User ID |
| ProPS | http://st-a.props.id/ai.js | User ID (has code to collect more) |