Slashdot Mirror
'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.
Facebook has magnified the consequences of poorly placed trust far beyond most anyone's worst nightmares.
I never fell for the idiocy of Facebook myself, so all the suckers and chumps who did are just fools who provide me with a reason to laugh derisively.
Thanks for the laughs, you dumb fucks.
I hear Oracle is trying to sue anyone publishing JavaScript because they own the trademark "JavaScript". Lawsuit fear may finally end the organic mess of JavaScript floating around. Okay, I'm only dreaming.
Table-ized A.I.
#deletefacebook
(meme from Twitter, and maybe that too) For anyone who cares the path is clear. If you don't care, do nothing and quityerbitchin.
Do, or do not. There is no try.
"National Security is the chief cause of national insecurity." - Celine's First Law
Suck it Traitorberg!
Where is the exploit here? How is it surprising or concerning that if I give a company access to my data, they might use third-party SAAS to process my data? Is the endgame of this hysteria a complete ban on SAAS?
Either the press has turned against them, they are the new Microsoft Evil Empire, or they are just real assholes, but there is a new "Facebook is Evil as Fuck - New Assrape Code" story every day!
I don't do Facebook!
Just you wait until they get around to auditing the banner ads.
You are right! Not to mention anywhere they had access to a live mic.
Here is the real problem:
After TechCrunch brough the issue to MongoDB’s attention this morning, it investigated and just provided this statement “We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”
You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????
What the fuck is wrong with you? Are you really that fucking incompetent? Seriously. What the fucking fuck.
Always felt it to be highly invasive, potentially insecure. The LAST thing I want, is to sign in to bloody sites with Facebook credentials.
So, moral of the story is to never sign into Facebook outside of a single sandboxed browser instance which can't reach the rest of your system.
I know, some people are going to shorten that down just to "never sign into Facebook"...
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????
What the fuck is wrong with you? Are you really that fucking incompetent? Seriously. What the fucking fuck.
The Slashdot page you are on right now runs scripts from nine domains totaling several thousand lines of executable code and a couple thousand other lines for formatting and data.
Dozens of people could make changes to any part of this common framework of frameworks and Slashdot proper wouldn't know any different. It would take weeks to review it all and by the time that was done, something would have changed.
Welcome to that web 2.0 all the old "luddites" of Slashdot warned about for years.
Yeah, it's not like embedding 3rd-party advertising script code with FULL ACCESS to the main site's data has been a thing since forever.
Can we now get web browsers to block all 3rd-party scripts by default? Please?
Goatse for you
Table-ized A.I.
...how do we know when we're using a legit 'Facebook login' prompt on mobile devices?
For example, I don't have FB on my mobile, and I've linked my Instagram account to it, but every now and then I get a pop-up asking me to sign into FB. I'm not concerned there, since it's Instagram and they're owned by FB....but there are other apps and games that do the same thing.
I really have no way of verifying that the prompt is legitimately from FB. It would be trivial to create a game that asks you to tie it to your FB account to 'save data' or 'play against friends', etc, and display the same pop-up, and simply collect your FB credentials.
That seems like a pretty serious security issue to me....is anything being done to prevent that from happening, or that can verify that the prompt is a legit FB sign-in?
I'll give you 3 ad-free FaceBook accounts if you keep quiet about this.
Table-ized A.I.
You wouldn't expect it for a database company, but Mongodb source code is surprisingly bad. The whole thing is just hacked together. It's not surprising that they don't know what's on their website.
"First they came for the slanderers and i said nothing."
I never creates a Facebook account. The Facebook app is disabled in my phone. But ...
At our company, I used a test account created by a colleague, for the R&D team. I used it to log in an app under development.
So far, so good. Or so it seems.
But after the C.A. scandal, I was curious and downloaded the data Facebook has on this account.
1) reading the list of known items makes you think that for sure, they know much more than they tell you and give you in this archive
2) a small detail, but which means a lot : at the end of the profile description, there is something like : "Music: AONE". Now I know Facebook has used our team test account to suck data from my phone because AONE is a little known French metal band. Facebook pulled the information from Jet Audio, the player I use. Facebook got it behind my back, without my consent.
So, Mr Zuck., stop lying and pretend you know nothing about shadow accounts. Everybody except you knows, really !? You're either a liar or a dumb that has lost control on his company.
Shut Facebook down for good. The end. May be you'll be allowed to run with the money.
Totof
Facebook may be evil, but I don't understand why we blame Facebook for this "exploit".
The user grants Website X permission to use their Facebook data. Website X obtains that data. Website X subsequently runs a malicious script on their own website which harvests that data.
Wouldn't this be, like, the fault of Website X?
Yeah, it's not like embedding 3rd-party advertising script code with FULL ACCESS to the main site's data has been a thing since forever.
Can we now get web browsers to block all 3rd-party scripts by default? Please?
Yes we can!
Well, I can. I’m still, after all these years, a bit shocked that not everyone uses even ad-blockers, let alone script blockers. A browser that automatically blocked all ads, beacons, scripts, etc, etc, would be nice, I suppose, but haven’t we dumbed-down the internet enough already? As it is, we have to put up with two-factor authentication because some people are too fuckin’ lazy to use password managers, and now they want us to hand over our phone numbers, too.
Personally, I think it’s smarter to be in charge of your own privacy, rather than trust that ten million different web sites will do it for you. I’m certainly not going to trust that these mega-corporations, whose sole business is selling ads, will do it for us. Install ad-blockers, Ghostery, and No Script, get a password manager and start using good, unique, passwords, and don’t use your real name online. Oh, and never use the credentials of one site to log into another. It’s not that hard.
-- sudon't
Air-ride Equipped
Websites can always contain malicious code..... This should have from the start been designed so:
When a form element contains a PASSWORD field:
1. The page displaying the form data needs to have been received over HTTPS with the same hostname that the POST operation will send the form to, and the form needs to be contained in the HTML; The browser should provide unique UI presentation for Password fields and normal Text fields, so it should not be possible for a JavaScript to "add a custom password field later" or change a normal Text field to look like password field after capturing data.
2. When a password field is added using HTML, the Element's type becomes read-only, and the Form Post target URL becomes read-only.
3. The Element's value becomes Write-Only. Javascript can SET the value of a password textbox or POST the form to the locked target URL, but cannot read the value, nor receive any keystroke events for the Textbox or the overall webpage.
You're right, but there's more ... why do we allow third party scripts by default? Oh, wait, because ad companies control the internet and whine if anybody tries to make it safer.
So, you hit a website, it pulls in javascript from god knows where (including Facebook), it all runs and does stuff you have no idea about, and someone has figured out they can exploit other things because you're now running stuff from multiple parties.
This is why I whitelist javascript and cookies, block the shit out of third parties I don't need, give up on sites which require third party shit to work.
The default position of browsers has to change from "hey, join the party, run all the scripts and plugins you want", and move towards "who the fuck are you and why would I let you run code?"
So, yeah, not only does Facebook track you using this exact same mechanism, but since other sites are stupid enough to allow Facebook to be a login mechanism, and then yet another internet parasite can exploit that.
This was pretty much inevitable. This is why I don't trust third parties, and don't trust Facebook. Because if you're not blocking this shit, your privacy and security are in the hands of whatever random asshole a site links to so that your machine can run that code and do whatever it wishes.
This is a case where people like me have been saying for literally years that the trust relationship of the internet is entirely backwards, and the practice of cross linking to a bunch of external sites to drive ad revenue and other pointless shit is making it even worse.
You have no idea what all those embedded javascript things are doing, you sure as fuck never agreed to it, you definitely have never seen a TOS ... but what you've seen is a site whose TOS says "we're going to let other people do stuff to your computer so we get money".
Fuck that, it's really time we started treating web sites like we don't trust them by default, and third party shit not at all. Because over and over again we see these third parties being the source of security and privacy issues.
Here is the real problem:
After TechCrunch brough the issue to MongoDB’s attention this morning, it investigated and just provided this statement “We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”
You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????
What the fuck is wrong with you? Are you really that fucking incompetent? Seriously. What the fucking fuck.
Come on, man. Have you looked at modern websites? They include a shitload of scripts. Slashdot is trying to load 17. Seventeen! Do you really think someone at slashdot went out and read the code behind every one of those scripts in order to understand them? Do you think when a third party script is updated that the original site even is AWARE and looks at the updated code. If you're going to use third party scripts (for example a facebook login) on your website, you've already given up control of your website. At that point you're just playing "trust me" with the owners of those scripts.
I am not saying it's a good or right situation but almost every website on the internet does things this way.
Actually, I misspoke. Slashdot is trying to load 62 scripts from 17 unique domains. My point remains the same, I would bet a shitcoin that slashdot's human overlords is not intimately familiar with every script. It's just dumb luck (and probably a matter of time) that any given website wasn't included in this particular scandal while this madness continues.
If you use your Facebook account like a garbage can, to contain all the trash generated as a result of the privilege to log automatically with Facebook into some sites, the bad guys will only get garbage. That's what Facebook is good for. From my account, the bad guys will have obtained fake names, phone numbers, email addresses - and an untold and unknown - to me - amount of spam. Enjoy the junk, hackers.
I've been railing against javascript for 20 years.
But the real problem is not javascript, but rather browsers and OSes that allow javascript access to that data on our computers.
Yes, we probably need a separate OS container for each website we use if we want some degree of safety.
But, facebork, et al, have our data (not mine- I don't use them) on their servers, and that data is being traded, sold, and stolen, so no matter how much we protect our own computers, there's nothing we can do about the server end.
Some day the US congress needs to wake up, do its actual job of representing We The People, and pass extremely strong criminal laws regarding our data privacy. I'd like to see a nationwide referendum.
One is obviously a bad idea. The other is just stupid.
Old Luddite here. I told you (everyone) so. Look at my couple of original posts.
I learned of all of this quite by accident. 20 years ago I discovered Opera browser. In those days I had dial-up connections, and generally don't have the fastest broadband, so I've always cared about how fast a page loads. In those early days Opera would crash often, and I discovered 2 major things: if I disabled javascript, 1) pages loaded (often much) faster, 2) browser didn't crash.
Old Opera (versions 0 - 12.x) has always had lots of good per-site blocking, per-site cookie handling, per-site javascript / plugin control, etc. I would, and still run Old Opera, with javascript globally OFF, and enabled only for a few sites I'm reluctantly willing to allow it.
Of course we all know that more and more websites barely work, if at all, without javascript, so now we have to be bogged down teaching plugins like uMatrix, but at least we can get some control back.
To clarify my stance, I don't hate javascript, rather I'm troubled by the access it has to our computers' files.
Marketing departments mandate all kinds of tracking services without vetting them with security or IT. Security usually bitches about it and it seriously slows the site down but it gets rammed through..."what could go wrong?" Essentially you place a snippet of javascript on your page that pulls down whatever code the tracking company deploys. It's like a box of chocolates...
I object to power without constructive purpose. --Spock
"The Slashdot page you are on right now runs scripts from nine domains "
Not on my computers.
I object to power without constructive purpose. --Spock
NoScript. ...and just in case....a big, fat HOSTS file.
I object to power without constructive purpose. --Spock
The experience of obtaining that data from your friend is yours and nobody has the right to take it away from you. And they won't do it, unless our society decides it appropriate to use force to damage your brain.
If "privacy" is ever protected to quite the degree that some people are advocating (e.g. the right to be forgotten) then it will have to come with the downside of degrading human dignity, by insisting people pretend they don't know things they know (i.e. cause a festing mess that always arises from a web of lies, "oh, I forgot that I was pretending I didn't know that!") or actually doing it (either through some sci-fi memory wipe, or just putting a bullet through their head). All solutions to that are horrible. Letting people keep their experiences and acknowledging that learning things about other people is a part of life is the only approach I have ever heard that I don't totally hate.
If your identity can be stolen by people knowing your mother's maiden name, first pet, street you grew up on, etc, then your identity is a fragile thing indeed. If anyone issues credit in your name to someone who knows those things, then that creditor is irresponsibly negligent to a comical degree, and they deserve to lose their money, and it's not your fault. They should have checked to make sure they were giving the money to you instead of just some random person who happened to know a few bits of trivia.
If the law pretends it's your fault, then the law is at fault. We either have to live with unjust laws or do something about them. It's up to us.
Some of your friends do know your mother's maiden name, first pet, street you grew up on. They really do. They should. They were there! It was their life too! Therefore, those things do not authenticate you. (And other people, who aren't so friendly, also know those things. I know those facts about people I haven't seen in decades, with whom I no relationship at all.)
We need to stop pretending this information is sensitive, and stop trying to bend over backwards to create fake privacy rights. All in the name of making bankers' jobs easier, so they don't have to authenticate people, really? Think about what you're going to get out of this sacrifice.
With that in mind, I reject all arguments based on the premise that it's "important information." Treating it as though this trivia is important, is the real problem here.
It really pisses me off that this is lumped into "privacy." People are worrying about keeping it easy for bankers to issue credit without checking to see who they're giving money to, and yet your own family communications aren't even encrypted yet. Instead of worrying about facebook, where's my non-sucky phone that I can plug into the home OTP server when I'm charging it? Good fucking grief.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.