Your Facebook data can be snatched by JavaScript trackers

Abusive scripts are snatching data when users log in to websites with Facebook credentials.
David Lumb, @OutOnALumb
April 19, 2018

Facebook is looking into a security report that reveals Facebook user data can be snatched by JavaScript trackers if they're planted in websites that let users log in with their Facebook credentials. Not just their name and email address, either: The exploit catches age range, gender, locale and possibly a profile photo too, depending on how much access the user allowed said website. Once someone logs in, any third-party JavaScript can supposedly retrieve their info at will.

The report, by Princeton's Center for Information Technology Policy website Freedom to Tinker, listed 431 of the top one million sites (by Alexa rank) that have the shady scripts embedded. The list included cloud database provider MongoDB until TechCrunch brought the issue to their attention, after which they allegedly shut down the abusive script.

"Scraping Facebook user data is in direct violation of our policies," a Facebook spokesperson told Engadget. "While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests."

The report concluded that the exposure of user data wasn't due to a bug in Facebook's login feature -- instead, it's "due to the lack of security boundaries between the first-party and third-party scripts in today's web." To close this loophole, the report's authors recommend that Facebook (and any other service offering a social login) audit its APIs to review who accesses login data. Cheekily, they also recommend finally making Anonymous Login with Facebook available, four years after it was announced.
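The report's root cause, a first-party page that runs third-party scripts with the same privileges as its own code, is also something a site operator can check for on their side. The following audit script is an added example written for this article; it is not code from Engadget, from the Freedom to Tinker report, or from Facebook. It lists every external script origin on a page, notes whether the page also loads the Facebook JavaScript SDK from its documented host connect.facebook.net, and flags the combination. The sample page, the hosts analytics.example and cdn.example, and the allowlist are all constructed for the demo.

```python
"""Audit a page for third-party scripts loaded alongside a Facebook Login SDK."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host from which Facebook serves its JavaScript SDK (public, documented).
FACEBOOK_SDK_HOSTS = {"connect.facebook.net"}


class _ScriptCollector(HTMLParser):
    """Collect the src of every <script> tag and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1


def audit_third_party_scripts(html, page_url, allowlist=()):
    """Return a report of script origins that run in the page's context.

    A script is first-party if its URL is relative or its host matches the
    page host; hosts in `allowlist` (vetted CDNs) are ignored. Everything
    else is third-party and runs with the same privileges as the page's own
    code, including any social-login SDK the page has initialised.
    """
    first_party = urlparse(page_url).netloc.lower()
    allowed = {h.lower() for h in allowlist}
    collector = _ScriptCollector()
    collector.feed(html)

    third_party = []
    sdk_present = False
    for src in collector.srcs:
        # scheme="https" resolves protocol-relative URLs such as //host/x.js
        host = urlparse(src, scheme="https").netloc.lower()
        if not host:  # relative URL, served by the page's own origin
            continue
        if host in FACEBOOK_SDK_HOSTS:
            sdk_present = True
            continue
        if host == first_party or host in allowed:
            continue
        third_party.append({"host": host, "src": src})

    return {
        "facebook_login_sdk": sdk_present,
        "third_party_scripts": third_party,
        "inline_scripts": collector.inline,
        # The risk the report describes: a login SDK plus unvetted third-party code.
        "risk": sdk_present and bool(third_party),
    }


# Constructed sample page for the demo; hosts under .example are placeholders.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script async defer src="https://connect.facebook.net/en_US/sdk.js"></script>
<script src="//analytics.example/tracker.js"></script>
<script src="https://cdn.example/vendor/jquery.min.js"></script>
<script>window.fbAsyncInit = function () { /* constructed: SDK init would go here */ };</script>
</head><body></body></html>"""

if __name__ == "__main__":
    report = audit_third_party_scripts(
        SAMPLE_PAGE, "https://shop.example/login", allowlist=("cdn.example",)
    )
    for entry in report["third_party_scripts"]:
        print("third-party script:", entry["src"])
    print("Facebook SDK loaded:", report["facebook_login_sdk"])
    print("flag for review:", report["risk"])
```

Run it against the rendered HTML of each page that offers the social login; any host that appears in `third_party_scripts` is code you are trusting with whatever the SDK exposes in the page, so it belongs on a reviewed allowlist or off the login page entirely.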
