Facebook Login System Being Abused by Third-Party Trackers to Exfiltrate User Data: Report

Advertisement
By Indo-Asian News Service | Updated: 19 April 2018 20:34 IST
Highlights
  • Trackers are exfiltrating users' name, email address, age range, etc.
  • Lack of security boundaries between first and third-party scripts: Report
  • Investigating the security research report: Facebook

Several third-party trackers are abusing the Facebook Login system, exfiltrating users' data including name, email address, age range, gender, locale and profile photo, a new security research report has claimed.

The unintended exposure of Facebook data to third-party JavaScript trackers is not owing to a bug in the Login With Facebook system. "Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today's Web," said the report prepared by Steven Englehardt, Gunes Acar and Arvind Narayanan, researchers at Freedom to Tinker - a digital initiative by Princeton University's Center for Information Technology Policy.

Advertisement

Photo Credit: Freedom to Tinker/ CITP

 

"We report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from websites through "Login with Facebook" and other such social login APIs," the trio wrote.

Meanwhile, Facebook told TechCrunch that it is investigating the security research report.

Advertisement

The researchers found two types of vulnerabilities: Seven third parties abusing websites' access to Facebook user data and one third party using its own Facebook "application" to track users around the Web.

British political consultancy firm Cambridge Analytica was found misusing users' data collected by a Facebook quiz app which used the "Login with Facebook" feature.

Advertisement

"We've uncovered an additional risk: when a user grants a website access to their social media profile, they are not only trusting that website but also third parties embedded on that site," the report noted.

The researchers found seven scripts collecting Facebook user data using the first party's Facebook access. These are OnAudience, Augur, Lytics, ntvk1.ru, ProPS, Tealium, and Forter. Of these, OnAudience was said to have stopped collecting data after an earlier report by the researchers.

Advertisement

Photo Credit: Freedom to Tinker/ CITP

 

"These scripts are embedded on a total of 434 of the top 1 million sites, including fiverr.com, bhphotovideo.com, and mongodb.com," they wrote.

Update: 19 April 2018 8:30pm IST. The researchers have posted the following clarification: 

We confirmed that the Forter scripts embedded on fiverr.com and bhphotovideo.com do NOT include functionality to access Facebook data. On mongodb.com we only observed the presence of an Augur script. We have published an updated list of sites, marking the ones where we have confirmed the presence of functionality to access Facebook data.

 

The user ID collected through the Facebook API is specific to the website (or the "application" in Facebook's terminology), which would limit the potential for cross-site tracking.

"But these app-scoped user IDs can be used to retrieve the global Facebook ID, user's profile photo, and other public profile information, which can be used to identify and track users across websites and devices," the researchers warned.

Photo Credit: Freedom to Tinker/ CITP

 

"While we can't say how these trackers use the information they collect, we can examine their marketing material to understand how it may be used," they noted.

OnAudience, Tealium AudienceStream, Lytics, and ProPS all offer some form of "customer data platform", which collect data to help publishers to better monetise their users.

Forter offers "identity-based fraud prevention" for e-commerce sites while Augur offers cross-device tracking and consumer recognition services.

Hidden third-party trackers can also use "Facebook Login to de-anonymise users for targeted advertising".

"This is a privacy violation, as it is unexpected and users are unaware of it," the researchers said.

There are steps Facebook and other social login providers can still take to prevent abuse.

"API use can be audited to review how, where, and which parties are accessing social login data. Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs," the report emphasised.

"It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago," the researchers added.

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Amazon Prime Day 2026 Sale Is Live: Best Tech Deals
  2. DJI Mic Mini 2S Launched With 32-Bit Float Recording, AI Noise Cancellation
  3. Asus Vivobook 15 (2026) Launched in India Ahead of Amazon, Flipkart Sale Events
  4. Nokia 235 4G (2026), 215 4G (2026) Launched; Nokia 210 4G, 200 4G Tag Along
  5. Alienware 15 Arrives in India as Dell's Most Affordable Gaming Laptop Yet
  6. Amazon Prime Day 2026: Best Deals on Smartphones Under Rs. 30,000
  7. Best Mobiles To Grab During The Flipkart GOAT Sale
  8. iPhone 18 Pro Max Might Arrive With Apple's Biggest Battery Yet
  9. Flipkart GOAT Sale: Top Early Deals on Smartphones, Tablets and More
  10. Huion's 2026 India Lineup Defines Next-Gen Creativity
  1. Cyberpunk 2077 Has Sold 40 Million Copies, CD Projekt Red Confirms
  2. Nothing Phone 1 Receives Final Software Update With Latest Security Patches, Bug Fixes and Improvements
  3. Nokia 235 4G (2026), 215 4G (2026) Launched Alongside Nokia 210 4G, and 200 4G With AI Assistant Button
  4. Samsung Galaxy S27 Ultra Battery Details Leaked; Could Top iPhone 18 Pro Max's Battery Capacity
  5. OnePlus Ace 7 Series Tipped to Feature 185Hz Display, 9,000mAh Battery
  6. WhatsApp Rolls Out Primary Device Support on iPad, Tests New Setup Screen for Android Tablets: Report
  7. Government Directs App Stores to Remove Malicious Apps Used to Disrupt E-Rickshaw Operations: Report
  8. Sony Reportedly Restructures Disc Factory After Announcing End of Physical Game Discs on PlayStation
  9. Maharashtra Legislature Passes Amendment to Bring Virtual Digital Assets Under Depositor Protection Law
  10. Redmi 17 5G NCC, SIRIM Certification Listings Reportedly Reveal Battery and Charging Details
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.