Third-party tracking code, used across the internet to track user behaviors on websites, optimize ads and other purposes, has been grabbing Facebook user information on websites that support logging in through the social media platform, Princeton researchers report.
When users log in to websites using Facebook’s Login feature, trackers can grab Facebook user IDs and in some cases other information such as email address or gender, potentially without the knowledge of the operators of the websites where the trackers are installed, according to the researchers.
“[W]hen a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site,” write Gunes Acar, Arvind Narayanan, and Steven Englehardt, a Mozilla privacy engineer who also researches privacy at Princeton.
The researchers identified seven websites that were accessing Facebook user data, and found scripts to gather this user information on just 434 of the Alexa top million sites.
“Thus, any malicious site could have used their iframe to identify visitors,” the researchers wrote. After being notified, Bandsintown removed the script.
“This was not a ‘practice’ or intended use of this script, and we are not aware of any malicious misuse by any other parties,” a company spokesman wrote in an email to Fast Company. “Bandsintown does not disclose unauthorized data to third parties, we value the privacy of our users and are committed to meeting the highest possible data protection standards.”
The report comes as Facebook continues to grapple with fallout from the news that shadowy political data firm Cambridge Analytica was able to grab data on millions of Facebook users through a psychological quiz.
The Princeton researchers said that the unintended exposure of Facebook data to third parties was not due to a bug in Facebook’s Login feature. “Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web,” they write.
Third-party code running on websites has long been seen as a potential vulnerability. Major publishers have grappled with outside advertising code, seen as necessary to their bottom lines, at times injecting malware into otherwise innocuous pages. And Grindr, the popular gay dating service, recently apologized for effectively sharing sensitive data like subscribers’ locations and HIV status with outside data analytics providers used to track and optimize its apps.
“Still, there are steps Facebook and other social login providers can take to prevent abuse,” the researchers write. “API use can be audited to review how, where, and which parties are accessing social login data. Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs. It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago.”
A Facebook spokesperson did not immediately respond to a request for comment.
Recognize your brand’s excellence by applying to this year’s Brands That Matter Awards before the early-rate deadline, May 3.