Web trackers abuse Facebook login to harvest data

Third-party tracking services are using “login with Facebook” to extract information about browsers, security researchers at Princeton discovered.

Two vulnerabilities found were:

  • Third-party abuse of websites’ access to Facebook user data.
  • A third-party used its own Facebook “application” to track users around the web.

“Facebook Login and other social login systems simplify the account creation process for users… but social login brings risks,” said the researchers.

“We’ve uncovered… when a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site.”

The researchers found seven scripts collecting Facebook user data, using the Facebook access requested by the websites.

The scripts were embedded on 434 of the top one million sites. Most of them grab the user ID, while two took additional profile information such as email and username.

Sites exploited include tribunnews.com, trustedreviews.com, and lyrics.com.

“We believe the websites embedding these scripts are likely unaware of this particular data access.”

The table below provides an overview of the scripts. OnAudience has stopped collecting this information.

Company Script Address Facebook Data Collected
OnAudience* http://api.behavioralengine.com/scripts/be-init.js User ID (hashed), Email (hashed), Gender
Augur https://cdn.augur.io/augur.min.js Email, Username
Lytics https://c.lytics.io/static/io.min.js (loaded via OpenTag) User ID
ntvk1.ru https://p1.ntvk1.ru/nv.js User ID
ProPS http://st-a.props.id/ai.js User ID (has code to collect more)
Tealium http://tags.tiqcdn.com/utag/ipc/[*]/prod/utag.js User ID

Now read: Facebook to build its own processors

Latest news

Partner Content

Show comments

Recommended

Share this article
Web trackers abuse Facebook login to harvest data