San Francisco, April 19: Several third-party trackers are abusing Facebook Login, exfiltrating users' data including name, email address, age range, gender, locale and profile photo, a new security research report has claimed.

The unintended exposure of Facebook data to third party JavaScript trackers is not owing to a bug in Facebook's Login feature.

"Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today's web," said the report prepared by Steven Englehardt, Gunes Acar and Arvind Narayanan, researchers at Freedom to Tinker -- a digital initiative by Princeton University's Center for Information Technology Policy.

"We report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from websites through 'login with Facebook' and other such social login APIs," the trio wrote.

Meanwhile, Facebook told the technology website TechCrunch that it was investigating the security research report.

The researchers found two types of vulnerabilities: seven third parties abusing websites' access to Facebook user data, and one third party using its own Facebook "application" to track users around the web.

British political consultancy firm Cambridge Analytica was found misusing users' data collected by a Facebook quiz app which used the "Login with Facebook" feature.

"We've uncovered an additional risk: when a user grants a website access to their social media profile, they are not only trusting that website but also third parties embedded on that site," the report noted.

The researchers found seven scripts collecting Facebook user data using the first party's Facebook access.

"These scripts are embedded on a total of 434 of the top 1 million sites, including fiverr.com, bhphotovideo.com, and mongodb.com," they wrote.

The user ID collected through the Facebook API is specific to the website (or the "application" in Facebook's terminology), which would limit the potential for cross-site tracking.

"But these app-scoped user IDs can be used to retrieve the global Facebook ID, user's profile photo, and other public profile information, which can be used to identify and track users across websites and devices," the researchers warned.

"While we can't say how these trackers use the information they collect, we can examine their marketing material to understand how it may be used," they noted.

OnAudience, Tealium AudienceStream, Lytics, and ProPS all offer some form of "customer data platform", which collects data to help publishers better monetise their users.

Forter offers "identity-based fraud prevention" for e-commerce sites while Augur offers cross-device tracking and consumer recognition services.

Hidden third-party trackers can also use "Facebook Login to deanonymise users for targeted advertising".

"This is a privacy violation, as it is unexpected and users are unaware of it," the researchers said.

There are steps Facebook and other social login providers can still take to prevent abuse.

"API use can be audited to review how, where, and which parties are accessing social login data. Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs," the report emphasised.

"It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago," the researchers added.
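The report's suggestion that API use be audited can also be approximated on the embedding site itself. The following is an added example, not code from the report or from Facebook: it wraps a login SDK object so that every call is logged with the script origin that made it. The `sdk` stub, the helper names `originsInStack` and `auditSdk`, and the `.example` hostnames are assumptions made for the demonstration.

```javascript
// Script origins named in a stack trace, innermost frame first.
function originsInStack(stack) {
  const out = [];
  for (const u of String(stack).match(/https?:\/\/[^\s)]+/g) || []) {
    try { out.push(new URL(u).origin); } catch { /* not a URL: skip frame */ }
  }
  return out;
}

// Wrap the named methods of `sdk` so that each call is logged with a verdict:
// "third-party" if any frame on the stack comes from an origin outside
// `trusted`, "unattributed" if no frame names a URL, else "first-party".
// `getStack` is injectable so the demo below can supply constructed stacks.
function auditSdk(sdk, methods, trusted, log, getStack = () => new Error().stack) {
  for (const name of methods) {
    const original = sdk[name].bind(sdk);
    sdk[name] = (...args) => {
      const origins = originsInStack(getStack());
      const outside = origins.filter((o) => !trusted.includes(o));
      log.push({
        method: name,
        path: typeof args[0] === 'string' ? args[0] : null,
        caller: outside[0] || origins[0] || null,
        verdict: outside.length ? 'third-party'
          : origins.length ? 'first-party' : 'unattributed',
      });
      return original(...args); // behaviour of the page is unchanged
    };
  }
  return sdk;
}

// Constructed demo: one page, one shared SDK object, two calling scripts.
// The stub `api` and all hostnames are invented stand-ins, not a real SDK.
function demo() {
  const sdk = { api: (path, cb) => cb({ id: 'constructed-app-scoped-id' }) };
  const stacks = [
    'Error\n    at greet (https://shop.example/js/app.js:10:5)',
    'Error\n    at collect (https://tracker.example/t.js:1:200)',
  ];
  const log = [];
  let i = 0;
  auditSdk(sdk, ['api'], ['https://shop.example'], log, () => stacks[i++]);
  sdk.api('/me', () => {}); // call made by the site's own script
  sdk.api('/me', () => {}); // same call made by an embedded script
  return log;
}
```

In a browser the default `getStack` also captures the wrapper's own frame, so the script that installs the audit has to be served from a trusted origin and run before any other script. Stack-based attribution is a heuristic for review, not a security boundary.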

 



