
Facebook investigating more security vulnerabilities with third-party logins


After a whistleblower suggested that many personality quiz apps are designed to track user data, Facebook users have yet another reason to avoid logging in with Facebook credentials. Researchers at Princeton University say lax security could allow third-party platforms to use JavaScript trackers to abuse data on some websites using the “login with Facebook” tool. In a report published on the Freedom to Tinker website hosted by the Center for Information Technology Policy at Princeton University, researchers suggest social login APIs can be abused by third-party scripts through two different vulnerabilities.

The researchers found seven third-party companies accessing Facebook user data through a tool allowing users to log into websites using their Facebook ID. The report suggests that signing in with a social account unknowingly allows the user to trust not just that website, but third-party tools on that same website. 


The group found scripts embedded in websites that, when a user logs in with a Facebook account, will access the user ID and, depending on the script, other data like email addresses and even gender. The team wasn’t able to determine just how the information is used, but four of those third-party platforms run what they called a “consumer data platform.” A fifth runs cross-device tracking.

The team managed to find the scripts that caused the vulnerability installed on 434 websites out of the top 1 million sites on the web. One of those sites, MongoDB, a cloud database, has already corrected the script.

The group found fewer instances of the second type of vulnerability, but said that third-party trackers could “deanonymize users.” This type of script was found on Bandsintown, where an iFrame could be used for other websites to embed data from the music platform. The iFrame could pass user data, including identifying data, onto malicious websites accessing that iFrame. Bandsintown says the vulnerability has now been corrected.

The researchers call the vulnerability unintended, but say it stems from “the lack of boundaries between the first-party and third-party scripts in today’s web,” not from a bug. Facebook says that it is investigating the report.

The report is just one of the third-party vulnerabilities Facebook is currently investigating. After Cambridge Analytica, the platform is conducting audits on third-party apps using the Facebook API. Both the website scripts and the third-party apps required users to log in with their Facebook credentials.
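For site owners, the first-party/third-party boundary the researchers describe can be checked directly: any externally hosted script on a page that also loads the social login SDK runs in the same context as that SDK. The sketch below is an added example, not code from the Princeton report or from this article; the function names, the sample page and the hosts `shop.example` and `cdn.tracker.example` are constructed, and treating "same host or a subdomain" as first party is a simplifying assumption.

```javascript
// Added example: list third-party script hosts that share a page with a social login SDK.
const SOCIAL_SDK_HOSTS = new Set(["connect.facebook.net"]); // host serving the Facebook JS SDK

// Collect the src of every <script src=...> tag; inline scripts have no src and are skipped.
function scriptSources(html) {
  const re = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Assumption: a host is first party if it equals siteDomain or is a subdomain of it.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

function auditPage(html, pageUrl, siteDomain) {
  const report = { socialSdk: false, thirdPartyHosts: [], exposed: false };
  const seen = new Set();
  for (const src of scriptSources(html)) {
    let host;
    try {
      host = new URL(src, pageUrl).hostname.toLowerCase(); // resolves relative and // URLs
    } catch {
      continue; // unparsable src attribute
    }
    if (SOCIAL_SDK_HOSTS.has(host)) { report.socialSdk = true; continue; }
    if (!isFirstParty(host, siteDomain) && !seen.has(host)) {
      seen.add(host);
      report.thirdPartyHosts.push(host);
    }
  }
  // Exposed: the login SDK and at least one other party's script share the page.
  report.exposed = report.socialSdk && report.thirdPartyHosts.length > 0;
  return report;
}

// Constructed sample login page (hypothetical hosts).
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script async src="https://connect.facebook.net/en_US/sdk.js"></script>
<script src='//cdn.tracker.example/t.js'></script>
<script src="https://assets.shop.example/ui.js"></script>
<script>console.log("inline");</script>`;

console.log(auditPage(SAMPLE_HTML, "https://www.shop.example/login", "shop.example"));
```

A page flagged as exposed is a candidate for moving the login flow to a page that loads no third-party scripts, or for removing the listed scripts from it.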

Hillary K. Grigonis