Facebook is looking into a security report that reveals Facebook user data can be snatched by JavaScript trackers if they’re planted in websites that let users log in with their Facebook credentials. Not just their name and email address, either: The exploit catches age range, gender, locale, and possibly a profile photo too, depending on how much access the user allowed said website. Once someone logs in, any third-party JavaScript can supposedly retrieve their info at will.
The report, by Princeton’s Center for Information Technology Policy website Freedom to Tinker, listed 431 of the top one million sites (by Alexa rank) that have the shady scripts embedded. The list included cloud database provider MongoDB until TechCrunch brought the issue to their attention, after which they allegedly shut down the abusive script.
“Scraping Facebook user data is in direct violation of our policies,” a Facebook spokesperson told Engadget. “While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.”
The report concluded that exposed user data wasn’t due to a bug in Facebook’s login feature—instead, it’s “due to the lack of security boundaries between the first-party and third-party scripts in today’s web.” To fix this loophole, the report’s authors recommend Facebook (and any other services that have social logins) audit their APIs to review who accesses login data. Cheekily, they also recommend finally making Anonymous Login with Facebook available after it had been announced four years ago.