Facebook's login-to-other-sites service lets scum slurp your stuff
How trackers can snatch private info from people's profiles
Updated It's possible for miscreants to secretly extract people's personal information via Facebook's Login service – the tool that lets you sign into websites using just a Facebook ID.
Readers will be familiar with Steven Englehardt, a Mozilla privacy engineer who pursues privacy research for his PhD at Princeton, whose work on browser fingerprinting led him to identify a remarkable degree of privacy invasion by analytical scripts.
In Englehardt's latest work, in partnership with Gunes Acar and Arvind Narayanan, the trio detailed seven online tracking services that can potentially access Facebook user data.
“When a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site,” Englehardt explained.
These third-party trackers, when embedded in a webpage accessed via Facebook Login, can potentially grab Facebook user IDs, email addresses, names, and other profile information including – in one case – gender.
“We found seven scripts collecting Facebook user data using the first party’s Facebook access,” Englehardt wrote. The practice isn't yet widespread, thankfully: scripts provided by web tracking outfits were only found on 434 of Alexa's top one-million websites, including “fiverr.com, bhphotovideo.com, and mongodb.com."
The table below lists some of the data collection services Englehardt's team identified.
| Company | Script Address | Data Collected |
|---|---|---|
| OnAudience | http://api.behavioralengine.com/scripts/be-init.js | User ID (hashed), Email (hashed), Gender |
| Lytics | https://c.lytics.io/static/io.min.js (loaded via OpenTag) | User ID |
| ProPS | http://st-a.props.id/ai.js | User ID (has code to collect more) |
Englehardt noted OnAudience stopped the data collection when he warned the biz it was misusing browser autofill features.
The second type of tracker Englehardt discovered involved the abuse of HTML iframes, allowing advertising code to snoop on people who used Facebook Login to access websites.
Englehardt emphasised that this kind of third-party data gathering shouldn't be regarded as a bug on Facebook's part, although having announced “anonymous login” four years ago, it might be time for the Social Network™ to implement the feature.
As he wrote: "It is straightforward for a third party script to grab data from the Facebook API." ®
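One first-party mitigation for the script-based collection described above, as an added example that is not code from the article or from Englehardt's team: the site owner wraps the Facebook JS SDK's FB.api and FB.getLoginStatus so that only scripts served from allow-listed origins can reach them, and logs every denied call. The caller attribution relies on the script URLs browsers place in Error().stack; the origins and stack strings used here are constructed placeholders.

```javascript
// Added example (not from the article or the researchers' paper): guard the
// Facebook JS SDK so third-party scripts embedded on the page cannot query
// the logged-in user's profile through the first party's access.

// Extract every distinct http(s) origin that appears in a stack trace string.
function originsInStack(stack) {
  const re = /https?:\/\/[^\s/:)]+(?::\d+)?/g;
  const found = new Set();
  for (const m of stack.matchAll(re)) found.add(m[0]);
  return [...found];
}

// A call is first-party only if every script origin on the call path is
// allow-listed. No attributable frame at all is treated as untrusted.
function isTrustedCaller(stack, allowedOrigins) {
  const origins = originsInStack(stack);
  return origins.length > 0 && origins.every((o) => allowedOrigins.includes(o));
}

// Wrap fb.api and fb.getLoginStatus on an SDK-like object (window.FB in a
// browser). `getStack` is injectable so the logic runs without a browser.
// Returns a live list of denied calls the page owner can report on.
function guardFacebookApi(fb, allowedOrigins, getStack = () => new Error().stack) {
  const denied = [];
  const wrap = (name) => {
    const original = fb[name];
    fb[name] = function (...args) {
      const stack = getStack() || "";
      if (!isTrustedCaller(stack, allowedOrigins)) {
        denied.push({ method: name, origins: originsInStack(stack) });
        return undefined; // drop the call; no profile data reaches the caller
      }
      return original.apply(fb, args);
    };
  };
  wrap("api");
  wrap("getLoginStatus");
  return denied;
}
```

The wrapper must run before any third-party script loads, since a script that captured the original FB.api earlier bypasses it, and it does nothing against the iframe-based variant the article also mentions.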
Updated to add
It should be noted that, for Tealium and Forter, Englehardt et al said: "Although we observe [Tealium and Forter's] scripts query the Facebook API and save the user’s Facebook ID, we could not verify that it is sent to their server due to obfuscation of their code and some limitations of our measurement methods."
Adam Corey, chief marketing officer of Tealium, has been in touch to stress "we do absolutely nothing to collect Facebook IDs on our own," and that if its servers are sent a netizen's user ID by a customer's webpage, that was the decision of the page's developers. And the identifying data can be one-way encrypted using a hash function, we're told.
"We don’t, however, share data of any sort across our network of customers, nor do we have a centralized database of visitors that would allow us to identify an end user and associate them with that Facebook identifier in a co-op fashion. The data collected in the first party on behalf of our customer is isolated into their data store and is not available to any other Tealium customer."
The included scripts may not always contain the functionality to access the Facebook API. We have confirmed that the versions of the Forter scripts embedded on bhphotovideo.com and fiverr.com do not include this functionality. We regret the unclear wording used in the initial version of the post, and have since added clarifications to the post and site list.
Next, a spokesman for OnAudience confirmed to us that its info-slurping code has been axed:
The information included in the article published on the Freedom To Tinker website is related to BehavioralEngine.com, which was used by our legacy platform. The whole solution was shut down. There was no data exchange between BehavioralEngine and OnAudience.com.
The spokesperson said that as well as anonymizing personal records, OnAudience respects the Do Not Track flag, has opt-out mechanisms for users, and is prepared for GDPR compliance. ®