Third-party trackers misuse Facebook Login to collect user data

April 24, 2018 By Bjoern Greif

Princeton researchers have identified several tracking scripts that abuse the social login system to access Facebook users’ profile information. These data include user ID, email and user name.

 

Signing in to a web service with your Facebook, Twitter or Google account is quick and easy. With one click you get direct access without having to enter all your data and remember an additional password. But these social login systems are also dangerous. For example, Facebook Login was used for the quiz app that collected user data abused by Cambridge Analytica to influence voters in the US election campaign. Researchers at Princeton University have now pointed out further risks: In addition to the websites you log in to, embedded third-party trackers can also access user information stored on social networks.
 

Third-party trackers abuse first-party access rights

The researchers limited their analysis to Facebook Login as it is the most widely used social login method on the web. However, social login systems from other providers may also be affected, according to them. At the time of the investigation, they found a total of seven third-party tracking scripts (Augur, Forter, Lytics, ntvk1.ru, OnAudience, ProPS, Tealium) collecting Facebook user data using the website’s first-party access. In most cases, the trackers grab the user ID and, in some cases, additional profile information such as email, user name and gender. The abovementioned scripts were active on 434 of Alexa’s one million most visited websites.

According to the Princeton researchers, third-party trackers embedded in websites wait for a user to log in to the page via Facebook Login. By logging in, the user grants the website access to their Facebook profile data. The trackers then use this first-party access to retrieve profile information from Facebook without the user being informed and without Facebook checking this query again. The retrievable data includes the user ID as well as the email address stored on Facebook and other “public” profile information such as name, age range, gender, locale or profile photo. As a result, third-party trackers can access the same Facebook user data as the first-party provider’s website.
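One way a site operator could audit their own pages for this behaviour, as an added example that is not code from the Princeton study or from this article. The record format (page, url, stack), the hosts shop.example and tracker.example, and the two-label "site" heuristic are assumptions, and the log is constructed.

```javascript
// Constructed log (not real traffic). Each record holds the page URL, the
// request URL and the script call stack that issued it, innermost frame first.
const SDK = "https://connect.facebook.net/en_US/sdk.js";
const SAMPLE_LOG = [
  { page: "https://shop.example/account",
    url: "https://graph.facebook.com/me?fields=id,name&access_token=REDACTED",
    stack: [SDK, "https://shop.example/js/app.js"] },
  { page: "https://shop.example/account",
    url: "https://graph.facebook.com/me?fields=id,email,gender&access_token=REDACTED",
    stack: [SDK, "https://cdn.tracker.example/t.js"] },
  { page: "https://shop.example/account",
    url: "https://cdn.tracker.example/collect?e=pageview",
    stack: ["https://cdn.tracker.example/t.js"] },
];

// Sites that host Facebook's own SDK and API; frames from them are expected.
const SDK_SITES = new Set(["facebook.net", "facebook.com"]);

// Assumption: "site" = last two host labels. A production audit should use
// the Public Suffix List instead (this heuristic is wrong for e.g. .co.uk).
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Flag Graph API requests whose call stack contains a third-party script.
function auditGraphAccess(log) {
  const findings = [];
  for (const rec of log) {
    const req = new URL(rec.url);
    if (req.hostname !== "graph.facebook.com") continue;
    const firstParty = siteOf(rec.page);
    // The SDK is usually the innermost frame, so every frame is inspected.
    const foreign = rec.stack
      .map(siteOf)
      .filter((site) => site !== firstParty && !SDK_SITES.has(site));
    if (foreign.length === 0) continue;
    findings.push({
      page: rec.page,
      thirdParty: [...new Set(foreign)],
      fields: (req.searchParams.get("fields") || "").split(",").filter(Boolean),
    });
  }
  return findings;
}

console.log(JSON.stringify(auditGraphAccess(SAMPLE_LOG), null, 2));
```

Looking only at the script that sent the network request would miss the second record, because the SDK sits between the tracker and the API call; walking the whole stack is what exposes the third party.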

 

(Icons from the Noun Project: computer tower by Melvin, Female by SBTS, javascript file by Adnen Kadri, click by Aybige)


The user IDs collected via the Facebook API are so-called app-scoped user IDs that are assigned to a specific website or application. This is supposed to prevent cross-site or cross-application tracking. However, the app-scoped user ID can easily be used to retrieve the global Facebook ID, the user’s profile photo, and other public profile information. This data enables third parties to identify and track users across websites and devices.

 

Deanonymization of users via Facebook Login

The Princeton researchers point out another problem with Facebook Login: A third-party tracker can abuse the login system using an invisible iFrame, which is injected into the website by the tracking script, to retrieve Facebook data and thus de-anonymize users. The following figure illustrates how this works:


As an example, the researchers cite Bandsintown, which operates both a music-related website and an advertising service. Via Facebook Login on their website, Bandsintown first obtained the necessary authentication tokens to retrieve Facebook user data. Their advertising script, embedded on many popular lyrics sites, added an invisible iFrame to these pages. This iFrame used the previously received tokens to grab Facebook user IDs and then passed them back to the embedding script. Through this detour, Bandsintown was able to track and de-anonymize users for targeted advertising.

 

Missing security restrictions for third-party trackers

The data protection researchers emphasize that this “unintended exposure of Facebook data to third parties is not due to a bug in Facebook’s Login feature. Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web.”

Still, Facebook and other social login providers could do a lot to prevent abuse: First, they could audit API use to assess how, where, and which parties are accessing social login data. Second, Facebook could prevent the profile picture and global Facebook ID from being looked up by app-scoped user IDs. Last but not least, Facebook could finally introduce its Anonymous Login system announced almost four years ago, which does not pass on any personal user data.

Instead of waiting for providers like Facebook to improve privacy, you should take the initiative to protect yourself from being tracked online. One proven means is to use anti-tracking tools such as Ghostery or Cliqz, which are available for free download.