Using Facebook to login to certain websites may open you up to data theft attacks if those sites also employ particular Javascript trackers. Although the vast majority of sites that were found to contain the malicious trackers are relatively small operations, there are also quite a few that enjoy millions of regular visitors. Some of them are even in the top few hundred sites in the world for overall traffic.
This news first came to light as part of a report from the Princeton’s Center for Information Technology Policy website, Freedom to Tinker. It highlighted that the vulnerability allowed third parties to piggyback the Facebook login process to scrape usernames, email addresses, age ranges, genders, relative locations, and possibly even profile photos, as per Engadget.
In total the report cited seven different scripts that were collecting user data using the Facebook access system. Those scripts were found in 434 of the top one million websites as ranked by Alexa. Some sites have responded to the news by disabling and removing the offending scripts, though many others are still susceptible to this particular exploit.
“Scraping Facebook user data is in direct violation of our policies,” a
The report does suggest, however, that although Facebook could take steps to prevent this exploit from being viable — such as the previously announced anonymous login feature — that this problem was more of an indication of security problems in modern web standards, than
Although the report authors admit that they don’t know how the scraped data is being used, this comes at a very poor time for Facebook. It is already embroiled in a scandal surrounding the harvesting of user data by companies like Cambridge Analytica, which purportedly used it for politically targeted adverts during a number of electoral campaigns over the past few years. Mark Zuckerberg even had to testify to Congress over the matter.
With the impending implementation of the GDPR, reports like this do little to curb fears of Facebook security and handling of personal data.