Facebook just can’t seem to catch a break these days. Even as the anger surrounding the Cambridge Analytica scandal rages on in the US and beyond, a new report now seems to suggest that several third-party trackers across the web are abusing the Facebook Login system by exfiltrating personally-identifiable information through the API.
The surreptitiously collected data, according to the researchers, include a user’s “name, email address, age range, gender, locale and profile photo”.
First off, “when a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site”. These are third parties that users did not grant permission to access their data. “These scripts are embedded on a total of 434 of the top 1 million sites, including fiverr.com, bhphotovideo.com, and mongodb.com”, says the report.
Update: Tealium, mentioned in the original research, has reached out to us with an official statement regarding the data collection. In response, Tealium clarifies it does not use Facebook data in the manner described by the researchers: “Tealium’s software is used by companies to manage their own user data, and Tealium itself does not use that data for any purpose and does not buy, share or sell that data. Tealium is an advocate of customer data privacy, strong data governance, and transparency.”
Secondly, “hidden third-party trackers can also use Facebook Login to deanonymize users for targeted advertising” without their knowledge. This happens when a user directly visits the website of one of these trackers, thereby turning them into a first party, and enabling access to a treasure trove of Facebook data. According to the report, “This is exactly what we found Bandsintown doing. Worse, they did so in a way that allowed any malicious site to embed Bandsintown’s iframe to identify its users”.