Facebook Login feature being hijacked by hidden trackers, warn researchers

Log-in with Facebook? You could be giving away more personal data than you bargained for

Facebook is at the centre of another privacy scare following claims that logging-in to websites via Facebook enables hidden trackers to suck up more personal data than users might expect.

That's according to researchers Steven Englehardt, Gunes Acar and Arvind Narayanan of the Freedom To Tinker blog, hosted by Princeton University's Center For Information Technology Policy.

They found that Facebook users' data, including names, email addresses, age range, gender, location and profile picture, could be Dysoned up by third-party JavaScript trackers on websites making use of the 'Login with Facebook' feature.

Such trackers are provided by firms not linked to Facebook or even the websites using them. The researchers found that seven of the trackers they examined abuse a website's access to Facebook data, while one third-party tool uses its own Facebook 'app' to track users across the web.

The researchers couldn't say for sure what the third-party trackers were doing with the data, but they suspected it was being monetised for advertising purposes, given the trackers' parent companies offer publisher monetisation services fuelled by user data.

"Hidden third-party trackers can also use Facebook Login to de-anonymise users for targeted advertising. This is a privacy violation, as it is unexpected and users are unaware of it," they said.

The use of the Facebook Login API is not uncommon and has become a widely used authentication tool on many websites.

However, the use of hidden trackers is a problem, not just due to their clandestine nature, but also due to the fact that visitors not only need to trust the website they visit to not abuse their data but also need to have faith in third-party tools on the site.

While some people might shrug at the idea of their data being used for targeted advertising, as that's now commonplace on the web, there's potential for malicious trackers to siphon Facebook data and allow less than scrupulous third-parties to abuse it.

The researchers noted that - for a change - Facebook was not directly to blame for the privacy shortcoming.

"This unintended exposure of Facebook data to third parties is not due to a bug in Facebook's Login feature. Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today's web," the researchers explained.

"Still, there are steps Facebook and other social login providers can take to prevent abuse: API use can be audited to review how, where, and which parties are accessing social login data.

"Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs. It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago."

Computing has contacted Facebook for comment, but it has yet to respond.