Third-party tracking code, used across the internet to track user behavior on websites, optimize ads, and serve other purposes, has been grabbing Facebook user information on websites that support logging in through the social media platform, Princeton researchers report.
When users log in to websites using Facebook’s Login feature, trackers can grab Facebook user IDs and in some cases other information such as email address or gender, potentially without the knowledge of the operators of the websites where the trackers are installed, according to the researchers.
“[W]hen a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site,” write Gunes Acar, Arvind Narayanan, and Steven Englehardt, a Mozilla privacy engineer who also researches privacy at Princeton.
The researchers identified seven websites that were accessing Facebook user data, and found scripts to gather this user information on just 434 of the Alexa top million sites.
In one instance where hidden trackers can use Facebook Login to deanonymize and track visitors, the gig listing website Bandsintown (represented as tracker.com in the above image) asks users to log in with Facebook and give the Bandsintown Facebook app access to their profile, city, likes, email address, and music activity. If those users visited other music-related sites that contain Bandsintown’s “Amplified” ad product—including lyrics.com, songlyrics.com and lyricsmania.com (represented by publisher.com in the image)—an invisible iframe then passed the user ID to the embedding site.
“Thus, any malicious site could have used their iframe to identify visitors,” the researchers wrote. After being notified, Bandsintown removed the script.
“This was not a ‘practice’ or intended use of this script, and we are not aware of any malicious misuse by any other parties,” a company spokesman wrote in an email to Fast Company. “Bandsintown does not disclose unauthorized data to third parties, we value the privacy of our users and are committed to meeting the highest possible data protection standards.”
The report comes as Facebook continues to grapple with fallout from the news that shadowy political data firm Cambridge Analytica was able to grab data on millions of Facebook users through a psychological quiz.
The Princeton researchers said that the unintended exposure of Facebook data to third parties was not due to a bug in Facebook’s Login feature. “Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web,” they write.
Third-party code running on websites has long been seen as a potential vulnerability. Major publishers have grappled with outside advertising code, seen as necessary to their bottom lines, at times injecting malware into otherwise innocuous pages. And Grindr, the popular gay dating service, recently apologized for effectively sharing sensitive data like subscribers’ locations and HIV status with outside data analytics providers used to track and optimize its apps.
“Still, there are steps Facebook and other social login providers can take to prevent abuse,” the researchers write. “API use can be audited to review how, where, and which parties are accessing social login data. Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs. It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago.”
A Facebook spokesperson did not immediately respond to a request for comment.