The researchers limited their analysis to Facebook Login as it is the most widely used social login method
on the web. However, social login systems from other providers may also be affected, according to them. At the time of the investigation, they found a total of seven third-party tracking scripts (including Augur, ntvk1.ru and OnAudience) collecting Facebook user data using the website’s first-party access. In most cases, the trackers grab the user ID and, in some cases, additional profile information such as email, user name and gender. The abovementioned scripts were active on 434 of Alexa’s one million most visited websites.

According to the Princeton researchers, third-party trackers embedded in websites wait for a user to log in to the page via Facebook Login. By logging in, the user grants the website access to their Facebook profile data. The trackers then use this first-party access to retrieve profile information from Facebook without the user being informed and without Facebook performing any additional check on the request. The retrievable data includes the user ID as well as the email address stored on Facebook and other “public” profile information such as name, age range, gender, locale or profile photo. As a result, third-party trackers can access the same Facebook user data as the first-party website itself.
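One way a site operator or auditor can check for the behaviour described above is to scan the scripts loaded by a page and flag those served from a third-party origin whose code reaches into the page's Facebook Login session. The following is an added example, not code from the article or from the Princeton study; the SDK call patterns, the two-label domain comparison and the sample script records are assumptions made for the demonstration.

```javascript
// Heuristic audit: which third-party scripts on a page touch the Facebook SDK
// or Graph API surface that a tracker would need to pull profile data through
// the site's own Facebook Login access? (Added example; patterns are assumptions.)

// Indicators of a script reading the logged-in user's data via the page's SDK.
const FB_ACCESS_PATTERNS = [
  { name: "FB.api", re: /\bFB\.api\s*\(/ },
  { name: "FB.getLoginStatus", re: /\bFB\.getLoginStatus\s*\(/ },
  { name: "FB.getAuthResponse", re: /\bFB\.getAuthResponse\s*\(/ },
  { name: "graph /me", re: /graph\.facebook\.com\/(v\d+\.\d+\/)?me\b/ },
];

// Registrable-domain approximation: last two labels. Fine for a demo, but a
// real audit should use the Public Suffix List (co.uk etc. would be wrong here).
function siteOf(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// A script is third-party when its (resolved) host is not the page's site.
function isThirdParty(pageUrl, scriptSrc) {
  const page = new URL(pageUrl);
  const script = new URL(scriptSrc, pageUrl); // relative src => first party
  return siteOf(script.hostname) !== siteOf(page.hostname);
}

// Return third-party scripts whose body matches any FB access indicator,
// with the list of indicator names that matched.
function findSuspectScripts(pageUrl, scripts) {
  return scripts
    .filter((s) => isThirdParty(pageUrl, s.src))
    .map((s) => ({
      src: s.src,
      hits: FB_ACCESS_PATTERNS.filter((p) => p.re.test(s.body)).map((p) => p.name),
    }))
    .filter((s) => s.hits.length > 0);
}

// Constructed sample page: the site's own login script (legitimate SDK use),
// a benign third-party script, and a third-party script that waits for the
// login status and then queries /me with the first-party access.
const SAMPLE_PAGE = "https://example.com/account";
const SAMPLE_SCRIPTS = [
  { src: "/js/login.js",
    body: "FB.login(function(r){ FB.api('/me', {fields:'id,email'}, cb); });" },
  { src: "https://cdn.example-analytics.net/a.js",
    body: "track(document.title);" },
  { src: "https://tracker.example.org/t.js",
    body: "FB.getLoginStatus(function(r){ if (r.status==='connected') FB.api('/me?fields=id,email,gender', send); });" },
];

console.log(JSON.stringify(findSuspectScripts(SAMPLE_PAGE, SAMPLE_SCRIPTS)));
```

The scan is static and heuristic: a tracker that loads its real logic later or obfuscates the SDK calls will not match, so it complements, rather than replaces, monitoring the Facebook app's actual API usage.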
The user IDs collected via the Facebook API are so-called app-scoped user IDs that are assigned to a specific website or application. This is supposed to prevent cross-site or cross-application tracking. However, the app-scoped user ID can easily be used to retrieve the global Facebook ID, the user’s profile photo, and other public profile information. This data enables third parties to identify and track users across websites and devices.