'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.
I hear Oracle is trying to sue anyone publishing JavaScript because they own the trademark "JavaScript". Lawsuit fear may finally end the organic mess of JavaScript floating around. Okay, I'm only dreaming.
Table-ized A.I.
Where is the exploit here? How is it surprising or concerning that if I give a company access to my data, they might use third-party SAAS to process my data? Is the endgame of this hysteria a complete ban on SAAS?
I never fell for the idiocy of JavaScript.
Have gnu, will travel.
Here is the real problem:
After TechCrunch brought the issue to MongoDB’s attention this morning, it investigated and just provided this statement “We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”
You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????
What the fuck is wrong with you? Are you really that fucking incompetent? Seriously. What the fucking fuck.
Always felt it to be highly invasive, potentially insecure. The LAST thing I want is to sign in to bloody sites with Facebook credentials.
So, moral of the story is to never sign into Facebook outside of a single sandboxed browser instance which can't reach the rest of your system.
I know, some people are going to shorten that down just to "never sign into Facebook"...
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????
What the fuck is wrong with you? Are you really that fucking incompetent? Seriously. What the fucking fuck.
The Slashdot page you are on right now runs scripts from nine domains totaling several thousand lines of executable code and a couple thousand other lines for formatting and data.
Dozens of people could make changes to any part of this common framework of frameworks and Slashdot proper wouldn't know any different. It would take weeks to review it all and by the time that was done, something would have changed.
Welcome to that web 2.0 all the old "luddites" of Slashdot warned about for years.
...how do we know when we're using a legit 'Facebook login' prompt on mobile devices?
For example, I don't have FB on my mobile, and I've linked my Instagram account to it, but every now and then I get a pop-up asking me to sign into FB. I'm not concerned there, since it's Instagram and they're owned by FB... but there are other apps and games that do the same thing.
I really have no way of verifying that the prompt is legitimately from FB. It would be trivial to create a game that asks you to tie it to your FB account to 'save data' or 'play against friends', etc., display the same pop-up, and simply collect your FB credentials.
That seems like a pretty serious security issue to me... is anything being done to prevent that from happening, or that can verify that the prompt is a legit FB sign-in?
I never created a Facebook account. The Facebook app is disabled on my phone. But ...
At our company, I used a test account created by a colleague for the R&D team. I used it to log in to an app under development.
So far, so good. Or so it seems.
But after the C.A. scandal, I was curious and downloaded the data Facebook has on this account.
1) Reading the list of known items makes you think that, for sure, they know much more than they tell you and give you in this archive.
2) A small detail, but one which means a lot: at the end of the profile description, there is something like: "Music: AONE". Now I know Facebook has used our team test account to suck data from my phone, because AONE is a little-known French metal band. Facebook pulled the information from Jet Audio, the player I use. Facebook got it behind my back, without my consent.
So, Mr Zuck., stop lying and pretending you know nothing about shadow accounts. Everybody except you knows, really!? You're either a liar or a dummy who has lost control of his company.
Shut Facebook down for good. The end. Maybe you'll be allowed to run with the money.
Totof
Here is the real problem:
After TechCrunch brought the issue to MongoDB’s attention this morning, it investigated and just provided this statement “We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”
You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????
What the fuck is wrong with you? Are you really that fucking incompetent? Seriously. What the fucking fuck.
Come on, man. Have you looked at modern websites? They include a shitload of scripts. Slashdot is trying to load 17. Seventeen! Do you really think someone at Slashdot went out and read the code behind every one of those scripts in order to understand them? Do you think when a third-party script is updated that the original site is even AWARE and looks at the updated code? If you're going to use third-party scripts (for example a Facebook login) on your website, you've already given up control of your website. At that point you're just playing "trust me" with the owners of those scripts.
I am not saying it's a good or right situation but almost every website on the internet does things this way.
Actually, I misspoke. Slashdot is trying to load 62 scripts from 17 unique domains. My point remains the same: I would bet a shitcoin that Slashdot's human overlords are not intimately familiar with every script. It's just dumb luck (and probably a matter of time) that any given website wasn't included in this particular scandal while this madness continues.
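The "62 scripts from 17 domains" point above is the kind of thing a site owner can actually measure and then lock down. The following is an added example, not code from the thread or from any of the companies named in it: it inventories the origins of a page's scripts, flags hosts the site never approved, and derives the Content-Security-Policy `script-src` directive that would stop a tag manager or any other allowed script from pulling in an unapproved tracker. The host names, the sample script list and the function names are constructed for the example; in a browser you would feed it `Array.from(document.scripts, s => s.src)` instead.

```javascript
// Added example. Hosts the site has deliberately chosen to load script from
// (constructed). 'example-news.test' stands in for the site's own origin.
const ALLOWED_SCRIPT_HOSTS = new Set([
  'example-news.test',
  'connect.facebook.net', // Login With Facebook SDK, only if the site opted in
]);

// Constructed stand-in for Array.from(document.scripts, s => s.src).
const SAMPLE_SCRIPT_SRCS = [
  '',                                                // inline <script>, no src
  '/assets/app.js',                                  // same-origin, relative
  'https://example-news.test/assets/vendor.js',
  'https://connect.facebook.net/en_US/sdk.js',
  'https://cdn.tag-manager.test/loader.js',          // third party, unapproved
  '//cdn.tag-manager.test/sync.js',                  // protocol-relative form
  'https://static.ad-tracker.test/pixel.js',         // loaded by the tag manager
];

// Group script URLs by host, resolving relative and protocol-relative URLs
// against the page URL, and list hosts absent from the allowlist.
function auditScriptOrigins(srcs, pageUrl, allowedHosts) {
  const byHost = new Map();
  let inline = 0;
  for (const src of srcs) {
    if (!src) { inline++; continue; }
    const host = new URL(src, pageUrl).hostname;
    byHost.set(host, (byHost.get(host) || 0) + 1);
  }
  const unexpected = [...byHost.keys()].filter(h => !allowedHosts.has(h)).sort();
  return { inline, hosts: byHost, unexpected };
}

// Build the script-src directive that enforces the allowlist. CSP is checked
// on every script load, including ones inserted by an already-allowed script,
// so an allowed tag manager cannot pull in an unlisted tracker. It does not
// protect against an allowed host shipping changed code; that needs review
// or Subresource Integrity on top.
function cspScriptSrc(allowedHosts, pageUrl) {
  const self = new URL(pageUrl).hostname;
  const remote = [...allowedHosts].filter(h => h !== self).sort()
    .map(h => 'https://' + h);
  return ["script-src 'self'", ...remote].join(' ');
}

const PAGE_URL = 'https://example-news.test/story/1';
const audit = auditScriptOrigins(SAMPLE_SCRIPT_SRCS, PAGE_URL, ALLOWED_SCRIPT_HOSTS);
console.log('inline scripts:', audit.inline, 'unexpected hosts:', audit.unexpected);
console.log('Content-Security-Policy:', cspScriptSrc(ALLOWED_SCRIPT_HOSTS, PAGE_URL));
```

Run the audit periodically rather than once: the thread's point about scripts being updated out from under the site applies equally to the list of hosts a tag manager decides to load.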