Facebook users' data exposed to web trackers when using its login feature for other sites: Report

Facebook users' data exposed to web trackers when using its login feature for other sites: Report
PHOTO: Reuters

If you've logged into a website or app using the "login with Facebook" feature, your data could have been exposed to third-party trackers.

Web trackers are exploiting websites' access to Facebook user data, according to a security research report by Steven Englehardt and two other researchers at Freedom to Tinker, a blog hosted by Princeton University's Center for Information Technology Policy.

The study showed that when a user logs into a website using Facebook's login application programming interface (API) - which lets people sign into an external app or website without having to create an account - third party JavaScript trackers embedded on that site are then able to collect data on the user's public profile and email address. JavaScript is the programming language used for web pages.

The research did not explain how these trackers used the data collected from Facebook users but said that some of their parent companies collect data to help publishers monetise their users.

Facebook was not immediately available for comment when contacted by CNBC; however, a spokesperson told TechCrunch that it is investigating the research.

BandsInTown, a concert tracking website that notifies users of when a band they like is playing near them, was found to be passing on users' public profile data to other websites. If a user that signs into BandsInTown with Facebook then visits a website using Bandsintown's Amplified advertising product, that user inadvertently shares their Facebook ID with the site, researchers said. Public profile data can include a user's name, age, gender, location and profile picture.

"BandsInTown does not disclose unauthorized data to third parties and upon receiving an email from a researcher presenting a potential vulnerability in a script running on one of our platforms, we quickly took the appropriate actions to resolve the issue in full," a spokesperson for the company said in an emailed statement. "We value the privacy of our users and are committed to meeting the highest possible security standards."

The fault does not lie with Facebook, the researchers said, but more can be done by Facebook and other social login providers to prevent abuse.

Dating app Bumble recently said it will let users sign into its service without having to have a Facebook account.

Facebook has been embroiled in controversy over how it treats user privacy since it was revealed that 87 million users' data was shared without their permission to a political data analytics firm Cambridge Analytica. Cambridge Analytica disputes this figure, however, and maintains that 30 million users had their data shared. The firm also denies any wrongdoing.

Facebook CEO Mark Zuckerberg testified before Congress last week to address the scandal, and the company's CTO Mike Schroepfer will appear before UK lawmakers later this month.

This article was first published on CNBC

Purchase this article for republication.



Your daily good stuff - AsiaOne stories delivered straight to your inbox
By signing up, you agree to our Privacy policy and Terms and Conditions.