Slashdot Mirror


'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.
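The summary above says the trackers were embedded on the same pages as the Login With Facebook flow and collected the fields the user had granted the site. The general property behind that class of leak is that every script a page loads, first-party or third-party, runs in one JavaScript global scope with the same privileges, so whatever a login SDK leaves reachable from page code is equally reachable by a tracker. The JavaScript below is an added example, not code from the TechCrunch report, the Freedom To Tinker post or Facebook's SDK; the SDK shape, the profile record, the token, the session ids and the hardened server-side variant are all constructed for illustration, and `globals` stands in for `window` so it runs under Node.

```javascript
// Added example, not code from the TechCrunch report, the Freedom To Tinker
// post, or any Facebook SDK. It models why a third-party tracker can read
// what a login SDK gives the page: every <script> runs in one shared global
// scope. `globals` stands in for `window` so the example runs in Node. The
// SDK shape, profile record, token and session ids are all constructed.

// Constructed profile a site obtained through a social login.
const SAMPLE_PROFILE = {
  id: '1000001',
  name: 'Alice Example',
  email: 'alice@example.com',
  age_range: { min: 21 },
  gender: 'female',
  locale: 'en_US',
  picture: 'https://example.invalid/alice.jpg',
};

// Weak pattern: the SDK keeps the session token in page-side state that any
// script can reach, and answers profile queries for whoever holds the token.
function installClientSideLogin(globals, profile, token) {
  globals.LoginSDK = {
    getLoginStatus: (cb) =>
      cb({ status: 'connected', authResponse: { accessToken: token } }),
    // Mock of a "/me"-style profile call gated only by the token.
    api: (path, params, cb) => {
      if (path === '/me' && params.access_token === token) cb({ ...profile });
      else cb({ error: 'invalid token' });
    },
  };
}

// Third-party tracker script loaded on the same page. It has no special
// access; it simply calls whatever the SDK object exposes. Returns the
// fields it harvested, or null if the page exposed nothing usable.
function trackerScript(globals) {
  const sdk = globals.LoginSDK;
  if (!sdk || typeof sdk.getLoginStatus !== 'function') return null;
  let harvested = null;
  sdk.getLoginStatus((status) => {
    const token = status.authResponse && status.authResponse.accessToken;
    if (status.status !== 'connected' || !token) return;
    if (typeof sdk.api !== 'function') return;
    const fields = 'name,email,age_range,gender,locale,picture';
    sdk.api('/me', { access_token: token, fields }, (me) => {
      if (!me.error) harvested = { ...me, accessToken: token };
    });
  });
  return harvested;
}

// Hardened pattern (this editor's suggestion, not a recommendation from the
// report): the browser only starts the login; the token exchange and the
// profile fetch happen on the site's backend, which hands back an opaque
// session id held in a closure. Nothing on the global carries a token or
// profile data, so a tracker calling the same SDK object learns nothing.
function makeBackend(profile) {
  const sessions = new Map();
  return {
    // Server-side exchange of the login code for a session; the provider
    // token never reaches the browser. The code value is constructed.
    exchangeCodeForSession: (code) => {
      const id = 'sess-' + sessions.size;
      sessions.set(id, profile);
      return id;
    },
    profileForSession: (id) => sessions.get(id) || null,
  };
}

function installServerSideLogin(globals, backend) {
  let sessionId = null; // closure-private, not reachable from other scripts
  globals.LoginSDK = {
    login: () => {
      sessionId = backend.exchangeCodeForSession('constructed-auth-code');
      return true;
    },
    getLoginStatus: (cb) => cb({ status: sessionId ? 'connected' : 'unknown' }),
  };
  // Handle for first-party code only: it fetches the profile via the backend.
  return () => backend.profileForSession(sessionId);
}

// Runs the same tracker against both patterns and reports what it collected.
function demo() {
  const weakGlobals = {};
  installClientSideLogin(weakGlobals, SAMPLE_PROFILE, 'constructed-token-123');
  const leaked = trackerScript(weakGlobals);

  const hardenedGlobals = {};
  const fetchProfile = installServerSideLogin(hardenedGlobals, makeBackend(SAMPLE_PROFILE));
  hardenedGlobals.LoginSDK.login();
  const firstPartySees = fetchProfile();
  const stillLeaked = trackerScript(hardenedGlobals);
  return { leaked, firstPartySees, stillLeaked };
}

const result = demo();
console.log('weak pattern, tracker harvested:', result.leaked);
console.log('hardened pattern, tracker harvested:', result.stillLeaked);
```

Run it with `node`: under the weak pattern the tracker returns the full profile plus the token, under the hardened one it returns null while the site's own code still gets the profile through its backend. The practical check for a site owner follows from the same property: list every third-party script loaded on any page where the login flow runs, since each of them has the same reach into page state as the site's own code.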

2 of 91 comments

  1. On a similar lane of thought on FB security... by Vegan+Cyclist · Score: 3, Interesting

    ...how do we know when we're using a legit 'Facebook login' prompt on mobile devices?

    For example, I don't have FB on my mobile, and I've linked my Instagram account to it, but every now and then I get a pop-up asking me to sign into FB. I'm not concerned there, since it's Instagram and they're owned by FB... but there are other apps and games that do the same thing.

    I really have no way of verifying that the prompt is legitimately from FB. It would be trivial to create a game that asks you to tie it to your FB account to 'save data' or 'play against friends', etc, and display the same pop-up, and simply collect your FB credentials.

    That seems like a pretty serious security issue to me... is anything being done to prevent that from happening, or that can verify that the prompt is a legit FB sign-in?

  2. Add Other App Data To The List by AncalagonTotof · Score: 3, Interesting

    I never created a Facebook account. The Facebook app is disabled on my phone. But ...
    At our company, I used a test account created by a colleague for the R&D team. I used it to log in to an app under development.
    So far, so good. Or so it seems.
    But after the C.A. scandal, I was curious and downloaded the data Facebook has on this account.

    1) Reading the list of known items makes you think that, for sure, they know much more than they tell you and give you in this archive.

    2) A small detail, but one which means a lot: at the end of the profile description, there is something like "Music: AONE". Now I know Facebook has used our team test account to suck data from my phone, because AONE is a little-known French metal band. Facebook pulled the information from Jet Audio, the player I use. Facebook got it behind my back, without my consent.

    So, Mr Zuck, stop lying and pretending you know nothing about shadow accounts. Everybody except you knows, really!? You're either a liar or a dummy who has lost control of his company.
    Shut Facebook down for good. The end. Maybe you'll be allowed to run with the money.

    --
    Totof