‘Login with Facebook’ feature allegedly could have exposed your personal data


A new report claims that Facebook user data can be siphoned off via third-party JavaScript libraries (from the likes of advertisers) embedded on sites using the ‘Login with Facebook’ feature.

Facebook has confirmed to TechCrunch that it’s investigating the report, with the serious-sounding exploit allegedly capable of hoovering up user data that includes name, gender, age, email address, location and potentially your profile photo.

How many websites might be affected by this problem? According to researchers at Princeton University, some 434 of the top million websites have the dodgy script which is pilfering Facebook user data.

The websites in question include MongoDB, and the vast majority of these sites probably aren’t aware of the issue with the ‘Login with Facebook’ feature. MongoDB certainly wasn’t aware, and after being informed by TechCrunch, it took action and shut the script down.

Facebook has issued a statement to say: “Scraping Facebook user data is in direct violation of our policies. While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.”

Of course, this comes at a bad time for Facebook, with its CEO Mark Zuckerberg being questioned by US Senators last week regarding allegations over the misuse of personal data by Cambridge Analytica – and wider concerns which have been raised about Facebook’s data collection policies in general.

Social login isn’t safe?

Rusty Carter, VP of Product Management at Arxan Technologies, commented on the JavaScript affair: “The issue here is not when you go to facebook.com, it's every other website that uses Facebook as a way to login. This confirms what privacy experts have been saying – social login (for example, 'sign in with your Facebook account') is not safe. The convenience for the company and website developer has trumped privacy to date. This has to change.”

He added: “By Facebook allowing unencrypted information into the browser, private information is now available to anything running in that browser, whether that be other trackers, or malicious software (like malware that can conduct man-in-the-middle attacks).

“While open APIs create convenience, applications expected to interact with one another should be secured together. This can be accomplished first by securing the code (obfuscation and runtime protection against tampering) while adding mutual authentication of the applications themselves.”

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).