Facebook investigating more security vulnerabilities with third-party logins

After a whistleblower suggested that many personality quiz apps are designed to track user data, Facebook users have yet another reason to avoid logging in with Facebook credentials. Researchers at Princeton University say lax security could allow third-party platforms to use JavaScript trackers to abuse data on some websites using the “login with Facebook” tool. In a report published on the Freedom to Tinker website hosted by the Center for Information Technology Policy at Princeton University, researchers suggest social login APIs can be abused by third-party scripts through two different vulnerabilities.

The researchers found seven third-party companies accessing Facebook user data through a tool allowing users to log into websites using their Facebook ID. The report suggests that signing in with a social account unknowingly allows the user to trust not just that website, but third-party tools on that same website. 

The group found scripts embedded in websites that, when a user logs in with a Facebook account, will access the user ID and, depending on the script, other data like email addresses and even gender. The team wasn’t able to determine just how the information is used, but four of those third-party platforms run what they called a “consumer data platform.” A fifth runs cross-device tracking.

The team managed to find the scripts that caused the vulnerability installed on 434 websites out of the top 1 million sites on the web. One of those sites, MongoDB, a cloud database, has already corrected the script.

The group found fewer instances of the second type of vulnerability, but said that third-party trackers could “deanonymize users.” This type of script was found on Bandsintown, where an iFrame could be used for other websites to embed data from the music platform. The iFrame could pass user data, including identifying data, onto malicious websites accessing that iFrame. Bandsintown says the vulnerability has now been corrected.

The researchers call the vulnerability unintended, but also say it stems from “the lack of boundaries between the first-party and third-party scripts in today’s web,” rather than from a bug. Facebook says it is investigating the report.
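The second vulnerability described above comes down to an embedded iframe that answers identity requests without checking who is asking. The following is an added example, not code from the Princeton report, Bandsintown or Facebook: a simulated postMessage handler in its leaky form beside its hardened form. The profile, the origins and the allowlist are constructed for the example, and the function names are assumptions.

```javascript
// Added example: an embedded widget's "message" handler that leaks identity
// data to any embedding page, beside the origin-checked version that does not.
// The profile, origins and allowlist below are constructed for illustration.

const constructedProfile = { userId: "u-12345", email: "alice@example.test" };

// Hypothetical allowlist of sites permitted to embed the widget and read the profile.
const ALLOWED_EMBEDDERS = new Set([
  "https://partner.example",
  "https://www.partner.example",
]);

// Weak handler: answers every "getProfile" request and replies with targetOrigin "*",
// so whatever page embeds the iframe receives the identifying data.
function weakHandler(event, reply) {
  if (event.data && event.data.type === "getProfile") {
    reply({ type: "profile", profile: constructedProfile }, "*");
    return true;
  }
  return false;
}

// Hardened handler: checks event.origin against the allowlist before answering and
// pins the reply to that exact origin, so a non-allowlisted embedder gets nothing.
function hardenedHandler(event, reply) {
  if (!event.data || event.data.type !== "getProfile") return false;
  if (!ALLOWED_EMBEDDERS.has(event.origin)) return false;
  reply({ type: "profile", profile: constructedProfile }, event.origin);
  return true;
}

// Simulates one request from a page at embedderOrigin and returns what that page
// received, or null. The reply stub mirrors the browser rule that a message is only
// delivered when targetOrigin is "*" or equals the receiving window's origin.
function simulate(handler, embedderOrigin) {
  let received = null;
  const reply = (msg, targetOrigin) => {
    if (targetOrigin === "*" || targetOrigin === embedderOrigin) received = msg;
  };
  const event = { origin: embedderOrigin, data: { type: "getProfile" } };
  handler(event, reply);
  return received;
}

// Demo: the weak handler hands the profile to an unrelated embedder, the hardened one refuses.
console.log("weak, unknown embedder:", simulate(weakHandler, "https://unrelated.example"));
console.log("hardened, unknown embedder:", simulate(hardenedHandler, "https://unrelated.example"));
console.log("hardened, allowed embedder:", simulate(hardenedHandler, "https://partner.example"));
```

In a real widget the handler is wired up as `window.addEventListener("message", e => hardenedHandler(e, (msg, origin) => e.source.postMessage(msg, origin)))`; the two checks that matter are the comparison of `event.origin` against an explicit allowlist and never replying with a `"*"` target when the payload identifies the user.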

The report is just one of the third-party vulnerabilities Facebook is currently investigating. After Cambridge Analytica, the platform is conducting audits on third-party apps using the Facebook API. Both the website scripts and the third-party apps required users to log in with their Facebook credentials.

Hillary K. Grigonis