'Third-party scripts collect data and track users via Facebook Login'

According to researchers at Freedom to Tinker, a small percentage of the 1 million most popular websites contain third-party scripts that collect data and track users through the Facebook Login function. Seven parties are reported to be involved.

The researchers, including Steven Englehardt of Mozilla, who carried out the work as part of his Princeton PhD, report that they have identified a total of 434 sites on which these parties are active. They say they found two types of ‘vulnerabilities’. In the first, scripts from third parties use the site's own access to the login data obtained via Facebook Login. The second concerns trackers that de-anonymize visitors in order to serve targeted advertisements. This is not a bug in the Facebook Login function itself; rather, the researchers state that there is too little separation between the site's own scripts and those of third parties. They write: “If we trust a website with our social media information, we also trust third parties who are embedded on that site.”
Facebook Login makes it possible to sign in to a site without having to create a new account. In the first case, the collection of data, the researchers say it mostly concerns user IDs. These are unique per site, but they give access to the more general Facebook ID, which in turn yields information about the user's public profile. In other cases the parties also collect the e-mail address and, in one case, the gender. The researchers state that they are not sure how these parties use the data, but judging from marketing material, most of them appear to offer user monetization.
The researchers also give details of their second finding, which concerns the tracking of users. They cite the example of the site Bandsintown.com, which lets users follow specific artists, provided they log in with Facebook. The site has its own advertising service, which is also embedded on other music websites in the form of an iframe. The login function gives Bandsintown access to visitors' Facebook authentication tokens, which the other websites carrying the advertising service can then use to retrieve visitors' Facebook IDs and track them that way. Bandsintown has since taken measures.
According to the researchers, Facebook could counter this kind of practice by preventing user profiles from being looked up on the basis of site-specific IDs. The company could also examine its API more closely to find out in which ways the login data is used. Another option is to introduce anonymous login, which the company announced in 2014 but reportedly has not yet made available. Facebook told TechCrunch that it is looking into the researchers' claims. The researchers have published an overview of the sites in question on GitHub.