Login With Facebook data hijacked by JavaScript trackers

Facebook confirms to TechCrunch that it’s investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user’s data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It’s unclear what these trackers do with the data, but some of their parent companies sell publisher monetization services based on collected user data.

The abusive scripts were found on 434 of the top 1 million websites including cloud database provider MongoDB. That’s according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton’s Center For Information Technology Policy.

Meanwhile, concert site BandsInTown was found to be passing Login With Facebook user data to embedded scripts on sites that install its Amplified advertising product. An invisible BandsInTown iframe would load on these sites, pulling in user data that was then accessible to embedded scripts. That let any malicious site using BandsInTown learn the identity of visitors. BandsInTown has now fixed this vulnerability.
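The two exposure patterns described above (a third-party script running on the same page as the Facebook SDK, and a third-party iframe that pulls in Login With Facebook data) can both be inventoried by a site operator before anything is deployed. The following is an added example, not code from the article or from the Freedom To Tinker researchers: a static audit over a page's HTML that lists the third-party script and iframe origins co-loaded with the Facebook JavaScript SDK. The hostnames in the sample page, the `audit_page` function and the simple "subdomain of the page host" first-party rule are all assumptions made for the example; a real deployment would use the Public Suffix List, and a static check cannot see scripts or iframes injected at runtime.

```python
# Added example (not from the article or the Freedom To Tinker researchers):
# a static check a site operator can run over a page's HTML to list the
# third-party script and iframe origins that are loaded alongside the
# Facebook JavaScript SDK.  Every such script runs with the same access to
# the SDK (and so to the logged-in user's profile fields) as the site's own
# code, and a third-party iframe can embed the SDK itself, which is the
# exposure the article describes.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host that serves the official Facebook JavaScript SDK.
FB_SDK_HOST = "connect.facebook.net"


class _SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if not src:
            return  # inline scripts have no src and are the site's own code
        if tag == "script":
            self.scripts.append(src)
        elif tag == "iframe":
            self.iframes.append(src)


def _host_of(src, page_host):
    """Host a src attribute points at; relative URLs resolve to the page host.
    Returns None for non-network schemes (data:, blob:, javascript:)."""
    parts = urlsplit(src.strip())
    if parts.netloc and parts.scheme in ("", "http", "https"):
        return parts.netloc.lower()
    if parts.scheme == "" and not parts.netloc:
        return page_host
    return None


def _is_first_party(host, page_host):
    """Simplifying assumption: a host is first party if it equals the page host
    or is a subdomain of the page host with a leading 'www.' removed.
    A real deployment would consult the Public Suffix List instead."""
    base = page_host[4:] if page_host.startswith("www.") else page_host
    return host == base or host.endswith("." + base)


def audit_page(html, page_url):
    """Return which third-party origins share the page with the Facebook SDK."""
    page_host = urlsplit(page_url).netloc.lower()
    collector = _SrcCollector()
    collector.feed(html)

    def third_party_hosts(srcs):
        hosts = {h for h in (_host_of(s, page_host) for s in srcs) if h}
        return sorted(h for h in hosts if not _is_first_party(h, page_host))

    script_hosts = [_host_of(s, page_host) for s in collector.scripts]
    sdk_loaded = FB_SDK_HOST in script_hosts
    # The SDK host itself is third party but is the component under audit, not a finding.
    third_party_scripts = [h for h in third_party_hosts(collector.scripts) if h != FB_SDK_HOST]
    third_party_iframes = third_party_hosts(collector.iframes)
    return {
        "fb_sdk_loaded": sdk_loaded,
        "third_party_scripts": third_party_scripts,
        "third_party_iframes": third_party_iframes,
        # The exposure exists only when the SDK and foreign code share the page.
        "exposed": sdk_loaded and bool(third_party_scripts or third_party_iframes),
    }


# Constructed sample page: a first-party bundle, the Facebook SDK, one
# third-party tracker script, a first-party CDN subdomain, a hidden
# third-party iframe and an inline init script.  All hostnames are made up.
SAMPLE_PAGE_URL = "https://www.example.com/login"
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script async defer src="//connect.facebook.net/en_US/sdk.js"></script>
<script src="https://cdn.analytics-tracker.example/t.js"></script>
<script src="https://static.example.com/vendor.js"></script>
</head><body>
<iframe src="https://widgets.concert-partner.example/embed" style="display:none"></iframe>
<script>window.fbAsyncInit = function () { FB.init({appId: 'APP_ID_PLACEHOLDER'}); };</script>
</body></html>"""

if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_HTML, SAMPLE_PAGE_URL).items():
        print(f"{key}: {value}")
```

Run on the constructed page, the report flags the tracker host as a third-party script and the hidden widget host as a third-party iframe, and marks the page as exposed because the SDK is present; the same page with the SDK removed reports no exposure, since third-party code on its own cannot reach Login With Facebook data that was never loaded.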

TechCrunch is still awaiting a formal statement from Facebook beyond “We will look into this and get back to you.”

[Update 4/19/18 10:15am: A Facebook spokesperson now tells us “Scraping Facebook user data is in direct violation of our policies. While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.”]

After TechCrunch brought the issue to MongoDB’s attention this morning, it investigated and just provided this statement: “We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”

BandsInTown tells me “Bandsintown does not disclose unauthorized data to third parties and upon receiving an email from a researcher presenting a potential vulnerability in a script running on our ad platform, we quickly took the appropriate actions to resolve the issue in full.” [Correction: Two sites listed by the researchers have confirmed via fraud prevention service Forter that they did not host any exploitative trackers, or that their trackers did not have access to Facebook data. They’ve been removed from the research paper and subsequently from this article. Two of the tracker companies have confirmed they don’t collect Facebook data, and we’ve removed them as well.]

The discovery of these data security flaws comes at a vulnerable time for Facebook. The company is trying to recover from the Cambridge Analytica scandal, CEO Mark Zuckerberg just testified before Congress, and today it unveiled privacy updates to comply with Europe’s GDPR law. But Facebook’s recent API changes designed to safeguard user data didn’t prevent these exploits. And the situation shines more light on the little-understood ways Facebook users are tracked around the Internet, not just on its site.

“When a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site,” writes Englehardt. This chart shows what some trackers are pulling from users. Freedom To Tinker warned OnAudience about another security issue recently, leading it to stop collecting user info.

Facebook could have identified these trackers and prevented these exploits with sufficient API auditing. It’s currently ramping up API auditing as it hunts down other developers that might have improperly shared, sold, or used data, as happened when user data from Dr. Aleksandr Kogan’s app ended up in the hands of Cambridge Analytica. Facebook could also change its systems to prevent developers from taking an app-specific user ID and employing it to discover that person’s permanent overarching Facebook user ID.

Revelations like this are likely to beckon a bigger data backlash. Over the years, the public had become complacent about the ways their data was exploited without consent around the web. While it’s Facebook in the hot seat, other tech giants like Google rely on user data and operate developer platforms that can be tough to police. And news publishers, desperate to earn enough from ads to survive, often fall in with sketchy ad networks and trackers.

Zuckerberg makes an easy target because the Facebook founder is still the CEO, allowing critics and regulators to blame him for the social network’s failings. But any company playing fast and loose with user data should be sweating.
