Facebook just can’t seem to catch a break these days. Even as the anger surrounding the Cambridge Analytica scandal rages on in the US and beyond, a new report now suggests that several third-party trackers across the web are abusing the Facebook Login system by exfiltrating personally identifiable information through the API.

The surreptitiously collected data, according to the researchers, include a user’s “name, email address, age range, gender, locale and profile photo”.

Image Courtesy: Freedom to Tinker

According to the report, the easy availability of Facebook data to third-party JavaScript trackers is “due to the lack of security boundaries between the first-party and third-party scripts in today’s Web”. Because any script embedded on a page runs with the same access as the page’s own code, users are at risk of having their privacy compromised by two different vulnerabilities in the system.

First off, “when a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site”. These are third parties that users never granted permission to access their data. “These scripts are embedded on a total of 434 of the top 1 million sites, including fiverr.com, bhphotovideo.com, and mongodb.com”, says the report.

Update: Tealium, mentioned in the original research, has reached out to us with an official statement regarding the data collection. In response, Tealium clarifies it does not use Facebook data in the manner described by the researchers: “Tealium’s software is used by companies to manage their own user data, and Tealium itself does not use that data for any purpose and does not buy, share or sell that data. Tealium is an advocate of customer data privacy, strong data governance, and transparency.”

Image Courtesy: Freedom to Tinker

Secondly, “hidden third-party trackers can also use Facebook Login to deanonymize users for targeted advertising” without their knowledge. This happens when a user directly visits the website of one of these trackers, thereby turning the tracker into a first party and enabling access to a treasure trove of Facebook data. According to the report, “This is exactly what we found Bandsintown doing. Worse, they did so in a way that allowed any malicious site to embed Bandsintown’s iframe to identify its users”.

The report was published yesterday by researchers at Freedom to Tinker – a digital initiative by Princeton University’s Center for Information Technology Policy. Following its publication, the social media giant released a statement to TechCrunch, saying that it is investigating how Facebook user data can be so easily accessed by JavaScript trackers on third-party websites and services using the company’s social login APIs.