×

Facebook users' data exposed to web trackers when using its login feature for other sites: Report

  • When a user logs into a website using Facebook's login API, third-party trackers embedded on that site are able to collect that user's data, researchers found.
  • BandsInTown, a concert tracking website, was found to be passing on users' public profile data to other websites.
  • The fault does not lie with Facebook, the researchers said, but more can be done by Facebook and other social login providers to prevent abuse.
The Facebook logo is seen on an Apple iPhone.
Jaap Arriens | NurPhoto | Getty Images
The Facebook logo is seen on an Apple iPhone.

If you've logged into a website or app using the "login with Facebook" feature, your data could have been exposed to third-party trackers.

Web trackers are exploiting websites' access to Facebook user data, according to a security research report by Steven Englehardt and two other researchers at Freedom to Tinker, a blog hosted by Princeton University's Center for Information Technology Policy.

The study showed that when a user logs into a website using Facebook's login application programming interface (API) — which lets people sign into an external app or website without having to create an account — third party JavaScript trackers embedded on that site are then able to collect data on the user's public profile and email address. JavaScript is the programming language used for web pages.

The research did not explain how these trackers used the data collected from Facebook users but said that some of their parent companies collect data to help publishers monetize their users.

"Scraping Facebook user data is in direct violation of our policies," a Facebook spokesperson said in an emailed statement. "While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests."

BandsInTown, a concert tracking website that notifies users of when a band they like is playing near them, was found to be passing on users' public profile data to other websites. If a user that signs into BandsInTown with Facebook then visits a website using Bandsintown's Amplified advertising product, that user inadvertently shares their Facebook ID with the site, researchers said. Public profile data can include a user's name, age, gender, location and profile picture.

"BandsInTown does not disclose unauthorized data to third parties and upon receiving an email from a researcher presenting a potential vulnerability in a script running on one of our platforms, we quickly took the appropriate actions to resolve the issue in full," a spokesperson for the company said in an emailed statement. "We value the privacy of our users and are committed to meeting the highest possible security standards."

The fault does not lie with Facebook, the researchers said, but more can be done by Facebook and other social login providers to prevent abuse.

Dating app Bumble recently said it will let users sign into its service without having to have a Facebook account.

Facebook has been embroiled in controversy over how it treats user privacy since it was revealed that 87 million users' data was shared without their permission to a political data analytics firm Cambridge Analytica. Cambridge Analytica disputes this figure, however, and maintains that 30 million users had their data shared. The firm also denies any wrongdoing.

Facebook CEO Mark Zuckerberg testified before Congress last week to address the scandal, and the company's CTO Mike Schroepfer will appear before U.K. lawmakers later this month.