Your Facebook data can be snatched by JavaScript trackers

Abusive scripts are snatching data when users log in to websites with Facebook credentials.
David Lumb, @OutOnALumb
April 19, 2018

Facebook is looking into a security report showing that Facebook user data can be snatched by JavaScript trackers when those trackers are embedded in websites that let users log in with their Facebook credentials. Not just their name and email address, either: the exploit catches age range, gender, locale and possibly a profile photo too, depending on how much access the user granted the website. Once someone logs in, any third-party JavaScript running on the page can supposedly retrieve their info at will.

The report, published on Freedom to Tinker, the blog of Princeton's Center for Information Technology Policy, listed 431 of the top one million sites (by Alexa rank) that have the shady scripts embedded. The list included cloud database provider MongoDB until TechCrunch brought the issue to the company's attention, after which MongoDB allegedly shut down the abusive script.

"Scraping Facebook user data is in direct violation of our policies," a Facebook spokesperson told Engadget. "While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests."

The report concluded that the exposed user data wasn't due to a bug in Facebook's login feature; instead, it's "due to the lack of security boundaries between the first-party and third-party scripts in today's web." To close this loophole, the report's authors recommend that Facebook (and any other service offering a social login) audit its APIs to review who accesses login data. Cheekily, they also recommend finally making Anonymous Login with Facebook available, four years after it was announced.
