According to researchers writing at Freedom to Tinker, a small percentage of the top 1 million websites carry third-party scripts that collect data on and track users through the Facebook Login feature. Seven such parties are said to be involved.
The researchers, among them Steven Englehardt of Mozilla, who did the work as part of his PhD at Princeton, report that they have identified a total of 434 sites on which these parties are active. They describe two kinds of ‘vulnerabilities’. In the first, third-party scripts piggyback on the site’s own access to the logged-in user’s Facebook data through Facebook Login. In the second, trackers de-anonymise visitors in order to serve them targeted advertising. Neither is a bug in the Facebook Login function itself; the researchers’ point is that there is too little separation between the site’s own scripts and those of third parties. They write, “When we trust a website with our social media information, we also trust third parties embedded on that site.”
Facebook Login lets a user log in to a site without creating a new account there. In the first case the data collected is, according to the researchers, mostly the user ID. This ID is unique per site (an app-scoped ID), but it can be resolved to the user’s general Facebook ID, which in turn exposes the user’s public profile. Some parties also collect the email address, and one collects the gender. The researchers say they do not know exactly how the parties use the data, but the parties’ marketing materials suggest that most of them offer some form of user monetisation.
| Party | Script address | Collected data |
|---|---|---|
| OnAudience | http://api.behavioralengine.com/scripts/be-init.js | User ID (hashed), email (hashed), gender |
| Augur | https://cdn.augur.io/augur.min.js | Email, username |
| Lytics | https://c.lytics.io/static/io.min.js (loaded via OpenTag) | User ID |
| ntvk1.ru | https://p1.ntvk1.ru/nv.js | User ID |
| ProPS | http://st-a.props.id/ai.js | User ID (has code to collect more) |
| tealium | http://tags.tiqcdn.com/utag/ipc/[*]/prod/utag.js | User ID |
| forter | https://cdn4.forter.com/script.js?sn=[*] | User ID |
Table from Freedom to Tinker. OnAudience has reportedly since stopped this practice.
The researchers also detail their second finding, which concerns user tracking. They cite the example of Bandsintown.com, a site that lets users follow artists, provided they log in with Facebook. The site runs its own advertising service, which appears on other music websites in the form of an iframe. Through the login function, Bandsintown has access to its visitors’ Facebook authentication tokens; the other websites carrying the advertising iframe could use this to learn a visitor’s Facebook ID and thus track them. Bandsintown has since taken measures.
Facebook could counter this kind of practice by prohibiting profile lookups based on site-specific identifiers, the researchers say. The company could also audit its API more closely to see how login data is actually used. Another option is anonymous login, which the company announced in 2014 but has not yet made available. Facebook told TechCrunch that it is looking into the researchers’ claims. The researchers have published an overview of the sites in question on GitHub.