San Francisco, April 19: Several third-party trackers are abusing Facebook Login to exfiltrate users' data, including name, email address, age range, gender, locale and profile photo, a new security research report has found.
The unintended exposure of Facebook data to third-party JavaScript trackers is not due to a bug in Facebook's Login feature.
"Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today's web," said the report by Steven Englehardt, Gunes Acar and Arvind Narayanan, researchers at Princeton University's Center for Information Technology Policy, published on the centre's Freedom to Tinker blog.
"We report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from websites through 'login with Facebook' and other such social login APIs," the trio wrote.
Meanwhile, Facebook told the technology website TechCrunch that it was investigating the report.
The researchers found two types of vulnerabilities: seven third parties abusing websites' access to Facebook user data, and one third party using its own Facebook "application" to track users around the web.
The findings follow the revelation that British political consultancy firm Cambridge Analytica misused users' data collected by a Facebook quiz app that used the "Login with Facebook" feature.
"We've uncovered an additional risk: when a user grants a website access to their social media profile, they are not only trusting that website but also third parties embedded on that site," the report noted.
The researchers found seven scripts collecting Facebook user data using the first party's Facebook access.
"These scripts are embedded on a total of 434 of the top 1 million sites, including fiverr.com, bhphotovideo.com, and mongodb.com," they wrote.
The user ID returned by the Facebook API is scoped to the website (the "application" in Facebook's terminology), which on its own would limit the potential for cross-site tracking.
"But these app-scoped user IDs can be used to retrieve the global Facebook ID, user's profile photo, and other public profile information, which can be used to identify and track users across websites and devices," the researchers warned.
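The mechanism the researchers describe, as an added illustration that is not code from the report or from any named tracker: a constructed stand-in for the Facebook JavaScript SDK that a publisher loads as `window.FB`, and a third-party script on the same page that piggybacks on it. The field names passed to `/me` (`id`, `name`, `email`, `age_range`, `gender`, `locale`, `picture`) are real Graph API fields; the stub's canned responses, the sample user and the helper names are constructed for the example.

```javascript
// Added illustration, not code from the Princeton report or from any tracker.
// Both scripts below run in the same page origin, so the SDK cannot tell
// the publisher's code from the embedded third party's code.

// Constructed stand-in for the public FB.getLoginStatus / FB.api surface.
// The real SDK calls graph.facebook.com; this one serves canned data so the
// example runs offline. 'loggedInUser' is null when nobody is logged in.
function makeFacebookSdkStub(loggedInUser) {
  return {
    getLoginStatus(callback) {
      if (!loggedInUser) { callback({ status: 'unknown' }); return; }
      callback({
        status: 'connected',
        // userID is app-scoped: it identifies the user only for this site's app.
        authResponse: { userID: loggedInUser.id, accessToken: 'constructed-token' },
      });
    },
    api(path, params, callback) {
      if (typeof params === 'function') { callback = params; params = {}; }
      if (path !== '/me' || !loggedInUser) {
        callback({ error: { message: 'Unsupported in stub or not logged in' } });
        return;
      }
      // Return only the fields the caller asked for, as the Graph API does.
      const fields = (params.fields || 'id,name').split(',');
      const out = {};
      for (const f of fields) if (f in loggedInUser) out[f] = loggedInUser[f];
      callback(out);
    },
  };
}

// The first party's own use of the SDK: all it wants is the user's name.
function firstPartyGreeting(win) {
  let greeting = null;
  win.FB.api('/me', { fields: 'name' }, (me) => { greeting = `Hello, ${me.name}`; });
  return greeting;
}

// A third-party script embedded on the same page. It never asks the user for
// anything: it waits for window.FB (created by the first party), checks whether
// the user is already connected, then queries the fields the report lists as
// exfiltrated. A real tracker would POST the record to its own server; here it
// is returned so it can be inspected.
function thirdPartyTracker(win) {
  if (!win.FB) return null;
  let record = null;
  win.FB.getLoginStatus((res) => {
    if (res.status !== 'connected') return;
    win.FB.api('/me', { fields: 'id,name,email,age_range,gender,locale,picture' }, (me) => {
      record = { appScopedId: res.authResponse.userID, ...me };
    });
  });
  return record;
}

// Simulate one page load: the publisher initialises the SDK, then both the
// first-party code and the embedded tracker run against the shared window.
function simulatePageLoad(loggedInUser) {
  const win = { FB: makeFacebookSdkStub(loggedInUser) };
  return {
    firstPartySaw: firstPartyGreeting(win),
    trackerExfiltrated: thirdPartyTracker(win),
  };
}

// Constructed sample user, not real data.
const SAMPLE_USER = {
  id: '10150000000000001', name: 'Alice Example', email: 'alice@example.com',
  age_range: { min: 21 }, gender: 'female', locale: 'en_US',
  picture: { data: { url: 'https://example.invalid/alice.jpg' } },
};

console.log(JSON.stringify(simulatePageLoad(SAMPLE_USER), null, 2));
```

The point the stub makes concrete is that the access token and the `FB` object are page-global: once the publisher has called `FB.init` and the user has logged in, any script the page embeds can issue the same Graph API calls, and Facebook sees only the publisher's app making the request.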
"While we can't say how these trackers use the information they collect, we can examine their marketing material to understand how it may be used," they noted.
OnAudience, Tealium AudienceStream, Lytics and ProPS all offer some form of "customer data platform", which collects data to help publishers better monetise their users.
Forter offers "identity-based fraud prevention" for e-commerce sites while Augur offers cross-device tracking and consumer recognition services.
Hidden third-party trackers can also use "Facebook Login to deanonymise users for targeted advertising".
"This is a privacy violation, as it is unexpected and users are unaware of it," the researchers said.
There are steps Facebook and other social login providers can still take to prevent abuse.
"API use can be audited to review how, where, and which parties are accessing social login data. Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs," the report emphasised.
"It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago," the researchers added.
London, Nov 22: A bomb disposal squad deployed as a “precaution” to the South Terminal of Gatwick Airport concluded its investigation into a “security incident” on Friday after making a “suspect package” safe.
The South Terminal, which had been briefly shut because of the incident, has since reopened. Gatwick, around 45 km south of London, is the UK's second busiest airport after Heathrow.
Two people detained during the enquiries have since been allowed to continue their journeys now that the terminal has reopened.
“Police have concluded their investigation into a report of a suspect package at Gatwick Airport. Officers from the EOD (Explosive Ordnance Disposal) team made the package safe, and the airport has been handed back to its operator,” Sussex Police said in an updated statement.
“Two people detained while enquiries were ongoing have subsequently been allowed to continue their journeys. There will remain an increased police presence in the area to assist with passengers accessing the South Terminal for onward travel,” the statement added.
Earlier on Friday, the incident caused severe disruption at the South Terminal, while Gatwick's North Terminal remained unaffected.
“Police were called to the South Terminal at Gatwick Airport at 8.20 am on Friday (November 22) following the discovery of a suspected prohibited item in luggage,” a Sussex Police statement said.
“To ensure the safety of the public, staff and other airport users, a security cordon has been put in place whilst the matter is dealt with. As a precaution, an EOD (Explosive Ordnance Disposal) team is being deployed to the airport. This is causing significant disruption and some roads around the South Terminal have been closed. We’d advise the public to avoid the area where possible,” it said.
Footage on social media taken outside the airport showed crowds of frustrated travellers being moved away from the terminal building.
Gatwick said it was working hard to resolve the issue.
“A large part of the South Terminal has been evacuated as a precaution while we continue to investigate a security incident,” the airport said in a social media post.
“Passengers will not be able to enter the South Terminal while this is ongoing. The safety and security of our passengers and staff remain our top priority. We are working hard to resolve the issue as quickly as possible.”
Train and bus services that serve the airport were also impacted while the police carried out their inquiries.
In an unrelated incident in south London on Friday morning, Scotland Yard officers carried out a controlled explosion near the US Embassy in Nine Elms, by the River Thames, on what they believe may have been a “hoax device”.
“We can confirm the 'loud bang' reported in the area a short time ago was a controlled explosion carried out by officers,” the Metropolitan Police said in a post on X.
“Initial indications are that the item was a hoax device. An investigation will now follow. Some cordons will remain in place for the time being but the majority of the police response will now be stood down,” it added.