Third-parties abusing 'Facebook Login' to steal users' data: Report
San Francisco, April 19: Several third-party trackers are abusing Facebook Login, exfiltrating users' data including name, email address, age range, gender, locale and profile photo, a new security research report has claimed.
The unintended exposure of Facebook data to third party JavaScript trackers is not owing to a bug in Facebook's Login feature.
"Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today's web," said the report prepared by Steven Englehardt, Gunes Acar and Arvind Narayanan, researchers at Freedom to Tinker -- a digital initiative by Princeton University's Center for Information Technology Policy.
"We report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from websites through "login with Facebook" and other such social login APIs," the trio wrote.
Meanwhile, Facebook told the technology website TechCrunch that they were investigating into the security research report.
The researchers found two types of vulnerabilities: Seven third parties abusing websites' access to Facebook user data and one third party using its own Facebook "application" to track users around the web.
British political consultancy firm Cambridge Analytica was found misusing users' data collected by a Facebook quiz app which used the "Login with Facebook" feature.
"We've uncovered an additional risk: when a user grants a website access to their social media profile, they are not only trusting that website but also third parties embedded on that site," the report noted.
The researchers found seven scripts collecting Facebook user data using the first party's Facebook access.
"These scripts are embedded on a total of 434 of the top 1 million sites, including fiverr.com, bhphotovideo.com, and mongodb.com," they wrote.
The user ID collected through the Facebook API is specific to the website (or the "application" in Facebook's terminology), which would limit the potential for cross-site tracking.
"But these app-scoped user IDs can be used to retrieve the global Facebook ID, user's profile photo, and other public profile information, which can be used to identify and track users across websites and devices," the researchers warned.
"While we can't say how these trackers use the information they collect, we can examine their marketing material to understand how it may be used," they noted.
OnAudience, Tealium AudienceStream, Lytics, and ProPS all offer some form of "customer data platform", which collect data to help publishers to better monetise their users.
Forter offers "identity-based fraud prevention" for e-commerce sites while Augur offers cross-device tracking and consumer recognition services.
Hidden third-party trackers can also use "Facebook Login to deanonymise users for targeted advertising".
"This is a privacy violation, as it is unexpected and users are unaware of it," the researchers said.
There are steps Facebook and other social login providers can still take to prevent abuse.
"API use can be audited to review how, where, and which parties are accessing social login data. Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs," the report emphasised.
"It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago," the researchers added.
Let the Truth be known. If you read VB and like VB, please be a VB Supporter and Help us deliver the Truth to one and all.
Centre spent Rs 76.13 lakh on print media ads for RSS centenary, reveals RTI
New Delhi: The Union Ministry of Culture allegedly spent Rs 76.13 lakh on print advertisements marking the 100-year celebrations of the Rashtriya Swayamsevak Sangh (RSS), according to a Right to Information (RTI) reply.
The information was sought by RTI activist Ajay Basudev Bose, who filed an application seeking details on expenditure incurred by the ministry for advertisements commemorating the RSS centenary.
Bose shared a picture of the reply from the ministry on his official ‘X’ handle.
“It is informed that an amount of Rs 76,13,129 has been spent on advertisement given in various print media by the Ministry of Culture on the occasion of the completion of 100 years of RSS,” the government’s reply stated.
RTI reply shows Min of Culture Govt of India spent a Whopping Rs 76L,13K,129 on Advertisement in Print Media on occasion of 100 yrs of #RSS
— AJAY Basudev Bose (@AjayBos93388306) April 16, 2026
When Everyone knows RSS is Not Registered & Does not Pay any Tax is it justified to spend Tax Payers Money on such Private event??@RSSorg… pic.twitter.com/dW4IUtdNCg
Bose questioned the expenditure in the post X, “when Everyone knows RSS is Not Registered & Does not Pay any Tax is it justified to spend Tax Payers Money on such Private event??”
Reacting to the development, Karnataka’s IT-BT and Panchayat Raj Minister Priyank Kharge also criticised the spending.
In a post on X, he asked why public money was being used for what he described as a “private ideological project.”
"Modi Sarkar spent Rs 76,13,129 of public money on newspaper advertisements to celebrate 100 years of the RSS. Why is Government spending taxpayers money on an unregistered, non-tax-paying organisation to celebrate their centenary?," he added.
Why is public money being used to serve a private ideological project?
— Priyank Kharge / ಪ್ರಿಯಾಂಕ್ ಖರ್ಗೆ (@PriyankKharge) April 16, 2026
Modi Sarkar spent ₹76,13,129 of public money on newspaper advertisements to celebrate 100 years of the RSS.
Why is Government spending taxpayers money on an unregistered, non-tax-paying organisation to… pic.twitter.com/EoZ6Pim3IM
According to reports, the RSS describes itself as a volunteer-based organisation and has stated that it functions as a body of individuals rather than a registered entity.
Founded by Keshav Baliram Hedgewar in 1925, the organisation is marking its centenary year beginning from Vijaydashami in 2025, with the milestone observed on October 2.
