
Facebook investigating more security vulnerabilities with third-party logins

After a whistleblower suggested that many personality quiz apps are designed to track user data, Facebook users have yet another reason to avoid logging in with Facebook credentials. Researchers at Princeton University say lax security could allow third-party platforms to use JavaScript trackers to abuse data on some websites using the “login with Facebook” tool. In a report published on the Freedom to Tinker website hosted by the Center for Information Technology Policy at Princeton University, researchers suggest social login APIs can be abused by third-party scripts through two different vulnerabilities.

The researchers found seven third-party companies accessing Facebook user data through a tool allowing users to log into websites using their Facebook ID. The report suggests that signing in with a social account unknowingly allows the user to trust not just that website, but third-party tools on that same website. 


The group found scripts embedded in websites that, when a user logs in with a Facebook account, will access the user ID and, depending on the script, other data like email addresses and even gender. The team wasn’t able to determine just how the information is used, but four of those third-party platforms run what they called a “consumer data platform.” A fifth runs cross-device tracking.

The team managed to find the scripts that caused the vulnerability installed on 434 websites out of the top 1 million sites on the web. One of those sites, MongoDB, a cloud database, has already corrected the script.

The group found fewer instances of the second type of vulnerability, but said that third-party trackers could “deanonymize users.” This type of script was found on Bandsintown, where an iFrame could be used for other websites to embed data from the music platform. The iFrame could pass user data, including identifying data, onto malicious websites accessing that iFrame. Bandsintown says the vulnerability has now been corrected.
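The article does not describe how the Bandsintown iFrame handed identity data to other sites. The added example below (not code from the report or from Bandsintown) assumes the common embed pattern in which the embedding page asks the iFrame for the logged-in user's profile via window.postMessage, and shows the weak handler that answers any embedder beside a hardened one that checks event.origin against an allowlist and replies only to that exact origin. All origins and profile values are constructed sample data.

```javascript
// Added example, not from the Princeton report or Bandsintown's own code.
// Assumes the embedding page sends {type: "whoami"} to the iFrame and the
// iFrame answers with the social-login profile it holds.

// Origins allowed to embed the widget and receive identity data (constructed).
const ALLOWED_EMBEDDERS = new Set([
  "https://www.example-venue.test",
  "https://tickets.example-venue.test",
]);

// Profile obtained from the social login (constructed sample data).
const CURRENT_USER = { id: "1000123456789", email: "fan@example.test" };

// Weak handler: never looks at event.origin and replies with "*", so any page
// that can frame the widget learns who the user is.
function weakHandler(event, reply) {
  if (event.data && event.data.type === "whoami") {
    reply({ type: "identity", user: CURRENT_USER }, "*");
    return true;
  }
  return false;
}

// Hardened handler: exact-match event.origin against the allowlist (no suffix
// or substring checks, so "https://www.example-venue.test.evil.test" fails),
// ignore everything else, and address the reply to that origin only.
function hardenedHandler(event, reply) {
  if (!event.data || event.data.type !== "whoami") return false;
  if (typeof event.origin !== "string" || !ALLOWED_EMBEDDERS.has(event.origin)) {
    return false; // unknown or opaque ("null") embedder: no reply, no data
  }
  reply({ type: "identity", user: CURRENT_USER }, event.origin);
  return true;
}

// Simulate one "whoami" message from a given embedding origin and record
// what the handler sent and to which target origin.
function simulate(handler, origin) {
  const sent = [];
  const reply = (msg, targetOrigin) => sent.push({ msg, targetOrigin });
  const answered = handler({ origin, data: { type: "whoami" } }, reply);
  return { answered, sent };
}

// In a real widget the hardened handler is wired up as:
// window.addEventListener("message", (e) =>
//   hardenedHandler(e, (m, o) => e.source.postMessage(m, o)));
```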

The researchers call the vulnerability unintended, but attribute it to “the lack of boundaries between the first-party and third-party scripts in today’s web” rather than to a bug. Facebook says it is investigating the report.

The report is just one of the third-party vulnerabilities Facebook is currently investigating. After Cambridge Analytica, the platform is conducting audits on third-party apps using the Facebook API. Both the website scripts and the third-party apps required users to log in with their Facebook credentials.

Hillary K. Grigonis