A new investigation reports that Facebook’s Login feature can be abused to harvest user information when you sign into third-party websites with your Facebook account. The exposure lets advertising and analytics services embedded on those sites collect profile data for ad targeting.

The security researchers describe two types of vulnerability, in which third parties:

  • piggyback on the Facebook access granted to a website
  • track users around the web through the Facebook Login service

The first is simple: when a user logs in with Facebook, the website they are visiting is not the only party that gains access to their data; the third-party scripts embedded on that site gain it as well.

This means that both the website you are visiting and the third parties embedded on it can extract your email address and “public profile” (name, age range, gender, locale and profile photo).

[Image: Facebook Login misuse (1). Source: Freedom To Tinker]

They can do so without triggering a manual review by Facebook, even after the recent changes the company made to tighten access to user data. Once a website has been granted access, any third-party JavaScript embedded in that page can read the same personal information, because every script loaded into a page runs in the same JavaScript context as the site’s own code.

The second vulnerability lets third-party trackers deanonymize users by embedding hidden iframes that make use of Facebook Login for targeted advertising. The privacy violation works in a similar fashion to the first, but is a bit more complex.

[Image: Facebook Login misuse (2). Source: Freedom To Tinker]

In this case, if a website lets users log in through the Facebook API, third-party trackers can embed a hidden iframe that pulls the same user data that is accessible to the scripts embedded on that website.

Trackers can thus keep collecting Facebook user data under the first party’s authorization and pass it on to other sites or advertising agencies.
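Both scenarios above come down to one question a site operator can actually check: which third-party scripts and iframes are embedded on a page that loads the Facebook SDK, and therefore inherit (scripts) or can separately exercise (iframes) Facebook Login on that page. The following audit is an added example written for this article, not code from the Freedom To Tinker study or from Facebook. The sample HTML, the tracker hostnames and the page origin are constructed, and the registrable-domain logic is a deliberate simplification (it should use the Public Suffix List in practice).

```javascript
// Added example: audit a page's embedded scripts and iframes relative to the
// first party. Scripts run in the page's JavaScript context and can call the
// first party's Facebook SDK; iframes are separate contexts that may run their
// own Facebook Login flow. Not code from the study or the article.

// Host that serves the Facebook JavaScript SDK (a real, public hostname).
const FB_SDK_HOST = "connect.facebook.net";

// Rough registrable-domain approximation: last two labels of the hostname.
// ASSUMPTION: good enough for the constructed sample; real audits need the
// Public Suffix List (e.g. "example.co.uk" breaks this simplification).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Resolve a (possibly relative) src against the page origin and return its host.
function hostOf(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).hostname;
  } catch (e) {
    return null; // malformed src: skip rather than crash the audit
  }
}

// Extract src attributes of <script> and <iframe> tags. The regex is simple on
// purpose; the constructed sample below uses regular, quoted attributes.
function extractEmbeds(html) {
  const re = /<(script|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const embeds = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    embeds.push({ tag: m[1].toLowerCase(), src: m[2] });
  }
  return embeds;
}

// Report whether the page loads the Facebook SDK and which third-party hosts
// serve scripts (same JS context as the first party) or iframes (own context).
function auditFacebookLoginPage(html, pageOrigin) {
  const pageDomain = registrableDomain(new URL(pageOrigin).hostname);
  const embeds = extractEmbeds(html);
  const usesFacebookSdk = embeds.some(
    (e) => e.tag === "script" && hostOf(e.src, pageOrigin) === FB_SDK_HOST
  );
  const thirdPartyScripts = [];
  const thirdPartyIframes = [];
  for (const e of embeds) {
    const host = hostOf(e.src, pageOrigin);
    if (!host) continue;
    // First-party resources and the SDK itself are not the concern here.
    if (registrableDomain(host) === pageDomain || host === FB_SDK_HOST) continue;
    (e.tag === "script" ? thirdPartyScripts : thirdPartyIframes).push(host);
  }
  return { usesFacebookSdk, thirdPartyScripts, thirdPartyIframes };
}

// Constructed sample page (not a real site): a first-party script, the Facebook
// SDK, a hypothetical tracker script and a hidden iframe from the same tracker.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script async src="https://connect.facebook.net/en_US/sdk.js"></script>
<script src="https://cdn.tracker-example.net/analytics.js"></script>
</head><body>
<iframe src="https://widgets.tracker-example.net/pixel" style="display:none"></iframe>
</body></html>`;

// Run the audit on the constructed sample; the page origin is also hypothetical.
function sampleReport() {
  return auditFacebookLoginPage(SAMPLE_HTML, "https://www.example.com/login");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(sampleReport(), null, 2));
}
```

Every host in `thirdPartyScripts` is code that, on a page where Facebook Login has already been granted, can call the SDK exactly as the first party does; every host in `thirdPartyIframes` is a separate document that may run its own Facebook Login flow. Neither list is a finding on its own; it is the inventory to review against the data those parties actually need.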

However, the researchers said, “This unintended exposure of Facebook data to third parties is not due to a bug in Facebook’s Login feature. Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web.”

But they emphasized that Facebook could have caught this abuse by reviewing how its API is being used, and that it should also prevent third parties from accessing app-specific (app-scoped) user IDs and using them to look up user profiles.
