
New research finds third-party trackers can abuse Facebook’s Login feature

JavaScript trackers can scrape user data without their consent

Facebook has been dealing with a number of privacy-related issues in recent months, and now it has another one to worry about.

The company has confirmed to TechCrunch that it is investigating a research report which shows that Facebook user data can be compromised by third-party JavaScript trackers embedded on websites using Login With Facebook.

Trackers are able to harvest a user’s data -- including name, email address, age range, gender, location, and profile photo -- depending on what users initially provided to the website, according to the research report.

The security researchers found that “when a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site.”

“Surreptitious data collection”

Researchers say the unintended exposure of Facebook data to third-party JavaScript trackers isn’t due to a flaw in Facebook’s Login feature.

“Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web,” said the report prepared by Steven Englehardt and two of his colleagues at Freedom to Tinker -- a digital initiative by Princeton University’s Center for Information Technology Policy.

The research revealed that seven third parties are abusing websites’ access to Facebook user data and that one third party is using its own Facebook “application” to track users around the web.

Not yet widespread

The scripts were found on more than 400 of the top one million websites, including BandsInTown and MongoDB.

"We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down," MongoDB told TechCrunch.

The report's authors pointed out that this is another example of an exploit that could have been avoided if Facebook had done a better job of auditing how third parties use tools like Login to stop trackers from extracting more information than necessary.

Facebook is already doing damage control on a number of data issues, including the revelation that data of up to 87 million users may have been improperly shared with Cambridge Analytica.

When questioned by Congress, CEO Mark Zuckerberg admitted that Facebook collects “data of people who have not signed up for Facebook.” He claimed the practice was done for security purposes.
