'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.
The Slashdot page you are on right now runs scripts from nine domains totaling several thousand lines of executable code and a couple thousand other lines for formatting and data.
Dozens of people could make changes to any part of this common framework of frameworks and Slashdot proper wouldn't know any different. It would take weeks to review it all and by the time that was done, something would have changed.
Welcome to that web 2.0 all the old "luddites" of Slashdot warned about for years.
Why is JavaScript called "JavaScript" in the first place?
Marketing hype left over from when Sun was pushing Java as the solution to everything.
Here is the real problem:
After TechCrunch brought the issue to MongoDB’s attention this morning, it investigated and just provided this statement: “We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”
You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????
What the fuck is wrong with you? Are you really that fucking incompetent? Seriously. What the fucking fuck.
Come on, man. Have you looked at modern websites? They include a shitload of scripts. Slashdot is trying to load 17. Seventeen! Do you really think someone at Slashdot went out and read the code behind every one of those scripts in order to understand them? Do you think when a third-party script is updated that the original site is even AWARE and looks at the updated code? If you're going to use third-party scripts (for example a Facebook login) on your website, you've already given up control of your website. At that point you're just playing "trust me" with the owners of those scripts.
I am not saying it's a good or right situation, but almost every website on the internet does things this way.
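As an added example (not code from the thread, from Slashdot, or from the TechCrunch report), this is the kind of script inventory a site operator could run from the browser console to see which origins are loading code on a page, which of them are not on an allowlist, and which cross-origin scripts run without a Subresource Integrity hash; the hostnames ending in `.example` and the integrity value are constructed placeholders, and `connect.facebook.net` is the host that serves the Login With Facebook SDK.

```javascript
// Audit the <script> elements a page loads: group them by origin, flag origins
// the operator never approved, and flag third-party scripts loaded on trust
// (no SRI hash, so whatever the vendor ships today is what runs).
// In a browser, build the input with:
//   Array.from(document.scripts, s => ({ src: s.src, integrity: s.integrity }))
// The list below is a constructed sample for running offline (e.g. under Node).

const PAGE_ORIGIN = "https://publisher.example";          // placeholder first-party origin

const ALLOWED_ORIGINS = new Set([
  "https://cdn.publisher.example",                        // the site's own CDN (placeholder)
  "https://connect.facebook.net",                         // Login With Facebook SDK host
]);

const SAMPLE_SCRIPTS = [
  { src: "/js/app.js", integrity: "" },                                     // first-party, relative URL
  { src: "https://cdn.publisher.example/lib.js", integrity: "sha384-PLACEHOLDER" }, // pinned with SRI
  { src: "https://connect.facebook.net/en_US/sdk.js", integrity: "" },     // vendor tag updated in place
  { src: "//tags.tracker-vendor.example/loader.js", integrity: "" },       // protocol-relative, never approved
  { src: "https://tags.tracker-vendor.example/collect.js", integrity: "" }, // pulled in by that loader
  { src: "", integrity: "" },                                               // inline <script>, no src
];

function auditScripts(scripts, pageOrigin = PAGE_ORIGIN, allowed = ALLOWED_ORIGINS) {
  const report = { inline: 0, byOrigin: {}, unexpected: [], unpinned: [] };
  for (const { src, integrity } of scripts) {
    if (!src) { report.inline += 1; continue; }           // inline code: nothing to resolve
    const url = new URL(src, pageOrigin);                  // resolves relative and protocol-relative srcs
    const origin = url.origin;
    report.byOrigin[origin] = (report.byOrigin[origin] || 0) + 1;
    if (origin === pageOrigin) continue;                   // first-party code is out of scope here
    if (!allowed.has(origin)) report.unexpected.push(url.href);
    if (!integrity) report.unpinned.push(url.href);        // an SRI hash would break on each vendor update
  }
  return report;
}

// Distinct origins behind the unexpected scripts: the list to take to whoever added them.
function unexpectedOrigins(report) {
  return [...new Set(report.unexpected.map(u => new URL(u).origin))].sort();
}

console.log(JSON.stringify(auditScripts(SAMPLE_SCRIPTS), null, 2));
```

Scripts that a vendor loads at runtime show up in `document.scripts` too, so the inventory reflects what is actually executing, not just what the page template references.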