“Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web,” said the report prepared by Steven Englehardt, Gunes Acar and Arvind Narayanan, researchers at Freedom to Tinker — a digital initiative by Princeton University’s Center for Information Technology Policy. “We report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from websites through ‘login with Facebook’ and other such social login APIs,” the trio wrote.
The researchers found two types of vulnerabilities: seven third parties abusing websites’ access to Facebook user data, and one third party using its own Facebook “application” to track users around the web. British political consultancy firm Cambridge Analytica was found to be misusing users’ data collected by a Facebook quiz app which used the “Login with Facebook” feature. The researchers found seven scripts collecting Facebook user data using the first party’s Facebook access.
The user ID collected through the Facebook API is specific to the website (or the “application” in Facebook’s terminology), which would limit the potential for cross-site tracking. “But these app-scoped user IDs can be used to retrieve the global Facebook ID, user’s profile photo, and other public profile information, which can be used to identify and track users across websites and devices,” the researchers warned. Hidden third-party trackers can also use “Facebook Login to deanonymise users for targeted advertising”. “This is a privacy violation, as it is unexpected and users are unaware of it,” the researchers said. (IANS)