A new investigation reports that Facebook’s Login feature can be used to steal user information when you sign into third-party websites using your Facebook ID. This loophole allows many advertising and analytics services to harvest data for ad-targeting.
The security researchers have found two types of vulnerabilities where third-parties:
- piggyback on Facebook access granted to websites
- track users around the web through Facebook Login service
The first is simple: when a user logs in with Facebook ID, not only that website gets access to user data, but also third parties embedded on that site.
This means that the website you are visiting and the third parties embedded on that website can extract your email address and “public profile” (name, age range, gender, locale, and profile photo).
The second vulnerability allows third-party trackers to deanonymize users by abusing iFrames for targeted advertising through Facebook Login. This violation of privacy is committed in a similar fashion mentioned above but it is a bit more complex.
In this case, if a website allows a user to log in using Facebook API, malicious third party trackers can embed a hidden iFrame that could pull user data which is accessible to the embedded scripts on that website.
Thus, trackers can keep on collecting Facebook user data using the first party’s authorization and pass it to any malicious sites or advertising agencies.
However, the researchers said, “This unintended exposure of Facebook data to third parties is not due to a bug in Facebook’s Login feature. Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web.”
But they emphasized that Facebook could have checked this abuse of data by reviewing its API and it should also prevent third-parties from accessing app-specific user ID and using it to find user profiles.