Web trackers exploit Facebook login API to collect user data
If you’ve logged into a website or app using the “login with Facebook” feature, your data could have been exposed to third-party trackers.
The research did not explain how these trackers used the data collected from Facebook users but said that some of their parent companies collect data to help publishers monetize their users. “Scraping Facebook user data is in direct violation of our policies,” a Facebook spokesperson said in an emailed statement. “While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.”
BandsInTown, a concert tracking website that notifies users when a band they like is playing near them, was found to be passing on users’ public profile data to other websites. If a user who signs into BandsInTown with Facebook then visits a website using Bandsintown’s Amplified advertising product, that user inadvertently shares their Facebook ID with the site, researchers said. Public profile data can include a user’s name, age, gender, location and profile picture.
“BandsInTown does not disclose unauthorized data to third parties and upon receiving an email from a researcher presenting a potential vulnerability in a script running on one of our platforms, we quickly took the appropriate actions to resolve the issue in full,” a spokesperson for the company said in an emailed statement. “We value the privacy of our users and are committed to meeting the highest possible security standards.”
The fault does not lie with Facebook, the researchers said, but more can be done by Facebook and other social login providers to prevent abuse. Dating app Bumble recently said it will let users sign into its service without needing a Facebook account.