‘Third-party scripts collect data and track users via Facebook Login’




According to researchers at Freedom to Tinker, a small percentage of the 1 million most popular websites carry third-party scripts that collect data and track users via the Facebook Login function. Seven such parties are said to be involved.

The researchers, including Steven Englehardt of Mozilla, who conducted the research as part of his Princeton Ph.D., report that they have identified a total of 434 sites on which these parties are active. According to them, there are two kinds of ‘vulnerabilities’. In the first, third-party scripts piggyback on the site’s own access to the login data obtained via Facebook Login. The second concerns trackers de-anonymizing visitors in order to serve targeted advertisements. The researchers say this is not a bug in the Facebook Login function itself, but that there is too little separation between the site’s own scripts and those of third parties. They write: “If we trust a website with our social media information, we also trust third parties that are embedded on that site.”

Facebook Login makes it possible to log in to a site without having to create a new account. In the first case, the data collection, the researchers say it mostly concerns user IDs. These are unique to each site, but give access to the more general Facebook ID, which in turn provides information about the user’s public profile. In other cases the parties also collect the e-mail address, and in one case the gender. The researchers state that they are not sure how the parties use the data, but marketing material suggests that most offer monetization of users.

| Party | Script address | Collected data |
|---|---|---|
| OnAudience | http://api.behavioralengine.com/scripts/be-init.js | User ID (hashed), Email (hashed), Gender |
| Augur | https://cdn.augur.io/augur.min.js | Email, Username |
| Lytics | https://c.lytics.io/static/io.min.js (loaded via OpenTag) | User ID |
| ntvk1.ru | https://p1.ntvk1.ru/nv.js | User ID |
| ProPS | http://st-a.props.id/ai.js | User ID (has code to collect more) |
| Tealium | http://tags.tiqcdn.com/utag/ipc/[*]/prod/utag.js | User ID |
| Forter | https://cdn4.forter.com/script.js?sn=[*] | User ID |

Table from Freedom to Tinker; OnAudience is said to have stopped since.
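A site operator who wants to know whether they are exposed to the pattern described above can start with a static audit: does the page load the Facebook JavaScript SDK, and does it also load any of the third-party script hosts from the table? The following is an added example written for this article, not code from the Freedom to Tinker study or from Facebook. It assumes the SDK is loaded from connect.facebook.net (the host the SDK is served from) and that the sample HTML, which is constructed here, stands in for a real page; it will not see scripts that are injected at runtime by other scripts, so it is a first pass, not a complete answer.

```python
"""Static audit: flag pages that load the Facebook JS SDK alongside any of
the third-party script hosts named in the Freedom to Tinker table.
Added example for this article, not code from the study; sample HTML is
constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script hosts taken from the table in the article above.
TRACKER_HOSTS = {
    "api.behavioralengine.com": "OnAudience",
    "cdn.augur.io": "Augur",
    "c.lytics.io": "Lytics",
    "p1.ntvk1.ru": "ntvk1.ru",
    "st-a.props.id": "ProPS",
    "tags.tiqcdn.com": "Tealium",
    "cdn4.forter.com": "Forter",
}

# Host the Facebook JavaScript SDK is served from (assumption: the site
# loads the SDK from its standard CDN rather than self-hosting a copy).
FACEBOOK_SDK_HOST = "connect.facebook.net"


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def script_hosts(html):
    """Return the lower-cased hostnames of all external scripts on the page.
    Relative and inline scripts have no host and are skipped."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = []
    for src in parser.srcs:
        # Protocol-relative URLs (//host/path) need a scheme for urlparse.
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def audit(html):
    """Report whether the Facebook SDK and any known tracker script are
    co-loaded on the same page (the combination the article describes)."""
    hosts = script_hosts(html)
    sdk_loaded = FACEBOOK_SDK_HOST in hosts
    trackers = sorted({TRACKER_HOSTS[h] for h in hosts if h in TRACKER_HOSTS})
    return {
        "facebook_sdk_loaded": sdk_loaded,
        "known_trackers": trackers,
        "at_risk": sdk_loaded and bool(trackers),
    }


# Constructed sample page: Facebook SDK plus one tracker from the table.
SAMPLE_HTML = """<html><head>
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
<script src="https://c.lytics.io/static/io.min.js"></script>
<script src="/static/app.js"></script>
<script>console.log('inline, no src');</script>
</head><body></body></html>"""

# Constructed sample page that uses Facebook Login but loads no listed tracker.
CLEAN_HTML = """<html><head>
<script src="//connect.facebook.net/en_US/sdk.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_HTML))
    print(audit(CLEAN_HTML))
```

The check keys on hosts rather than full URLs because several entries in the table carry path or query wildcards. A realistic follow-up is to run the same audit on the rendered DOM after page load, since tag managers such as the OpenTag loader mentioned for Lytics add scripts dynamically.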

The researchers also describe details of their second finding, which concerns tracking users. They cite the example of Bandsintown.com, a site that lets users follow specific artists provided they log in with Facebook. The site has its own advertising service, which also appears on other music websites in the form of an iframe. The login function gives Bandsintown access to visitors’ Facebook authentication tokens, which the other websites carrying the advertising service can then use to retrieve visitors’ Facebook IDs and track them that way. Bandsintown has since taken measures.

According to the researchers, Facebook could counter this kind of practice by preventing lookups of user profiles on the basis of site-specific IDs. In addition, the company could look more closely at how its API is used to find out in which ways the login details are being used. Another option is to introduce anonymous logins, which the company announced in 2014 but has reportedly not yet made available. Facebook told TechCrunch that it is looking into the researchers’ claims. The researchers have published an overview of the sites in question on GitHub.
