Facebook's login-to-other-sites service lets scum slurp your stuff

How trackers can snatch private info from people's profiles

Updated It's possible for miscreants to secretly extract people's personal information via Facebook's Login service – the tool that lets you sign into websites using just a Facebook ID.

Readers will be familiar with Steven Englehardt, a Mozilla privacy engineer who pursues privacy research for his PhD at Princeton, whose work on browser fingerprinting led him to identify a remarkable degree of privacy invasion by analytical scripts.

In Englehardt's latest work, in partnership with Gunes Acar and Arvind Narayanan, the trio detailed seven online tracking services that can potentially access Facebook user data.

For netizens, Facebook Login looks like a boon: they only need to use their Facebook username and password to log into multiple sites or apps. However, it turns out that once you log in this way, any JavaScript code running on the page can pull up parts of your Facebook profile, which is useful for third-party tracking tools.

“When a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site,” Englebardt explained.

These third-party trackers, when embedded in a webpage accessed via Facebook Login, can potentially grab Facebook user IDs, email addresses, names, and other profile information including – in one case – gender.

“We found seven scripts collecting Facebook user data using the first party’s Facebook access,” Englebardt wrote. The practice isn't yet widespread, thankfully: scripts provided by web tracking outfits were only found on 434 of Alexa's top one-million websites, including “fiverr.com, bhphotovideo.com, and mongodb.com."

Exfiltration from Facebook Login

Too easy, says Englehardt: a bit of JavaScript can exfiltrate Facebook Login data

The table below lists some of the some data collection services Englehardt's team identified.

Company Script Address Data Collected
OnAudience http://api.behavioralengine.com/scripts/be-init.js User ID (hashed), Email (hashed), Gender
Augur https://cdn.augur.io/augur.min.js Email, Username
Lytics https://c.lytics.io/static/io.min.js (loaded via OpenTag) User ID
ntvk1.ru https://p1.ntvk1.ru/nv.js User ID
ProPS http://st-a.props.id/ai.js User ID (has code to collect more)
Tealium http://tags.tiqcdn.com/utag/ipc/[*]/prod/utag.js User ID
Forter https://cdn4.forter.com/script.js?sn=[*] User ID

Engledhardt noted OnAudience stopped the data collection when he warned the biz it was misusing browser autofill features.

The second type of tracker Engledhardt discovered involved the abuse of HTML iframes, allowing advertising code to snoop on people who used Facebook Login to access websites.

Englehardt emphasised that this kind of third-party data gathering shouldn't be regarded as a bug on Facebook's part, although having announced “anonymous login” four years ago, it might be time for the Social Network™ to implement the feature.

As he wrote: "It is straightforward for a third party script to grab data from the Facebook API." ®

Updated to add

It should be noted that, for Tealium and Forter, Englehardt et al said: "Although we observe [Tealium and Forter's] scripts query the Facebook API and save the user’s Facebook ID, we could not verify that it is sent to their server due to obfuscation of their code and some limitations of our measurement methods."

In other words, while the user IDs are fetched by JavaScript included on webpages, via Facebook's APIs, the trio couldn't be sure those retrieved account IDs were always being phoned home to either tracking biz for further processing and storage.

Adam Corey, chief marketing officer of Tealium, has been in touch to stress "we do absolutely nothing to collect Facebook IDs on our own," and that if its servers are sent a netizen's user ID by a customer's webpage, that was the decision of page's developers. And the identifying data can be one-way encrypted using a hash function, we're told.

"If a customer decides to pass us a Facebook ID as part of a tracking initiative they have custom built themselves using our JavaScript code containers, we do accept it," said Corey. "Our best practice is to encrypt using a one-way hashing algorithm that we provide as part of our tool set before we collect the data.

"We don’t, however, share data of any sort across our network of customers, nor do we have a centralized database of visitors that would allow us to identify an end user and associate them with that Facebook identifier in a co-op fashion. The data collected in the first party on behalf of our customer is isolated into their data store and is not available to any other Tealium customer."

Englehardt has also been in touch to also point out that the mere presence of a tracker's JavaScript code on a webpage doesn't always mean information is being siphoned from Facebook:

The included scripts may not always contain the functionality to access the Facebook API. We have confirmed that the versions of the Forter scripts embedded on bhphotovideo.com and fiverr.com do not include this functionality. We regret the unclear wording used in the initial version of the post, and have since added clarifications to the post and site list.

Next, a spokesman for OnAudience confirmed to us that its info-slurping code has been axed:

The information included in the article published on Freedom To Tinker website is related to the BehavioralEngine.com, which was used by our legacy platform. The whole solution was shut down. There was no data exchange between BehavioralEngine and OnAudience.com.

The rep told us OnAudience processes only anonymized data, and never collected Facebook data, adding: “Delivering data to OnAudience.com platform is possible only by GET.pixel request. This methodology provides high data security by design. It is also technological standard in the digital marketing industry. OnAudience.com do not deliver (and never delivered) any JavaScripts that enables data gathering.”

The spokesperson said that as well as anonymizing personal records, OnAudience respects the Do Not Track flag, has opt-out mechanisms for users, and is prepared GDPR compliance. ®




Biting the hand that feeds IT © 1998–2018