That’s just AUTHal

Written by:
Damian Jennings
Date Posted:
20 April 2018
Category:
Security

Naughty People can snaffle your deets from the Facebook Login thing.

There’s a lovely man called Steven Englehardt who does research into privacy for some swanky PhD he’s doing at Princeton.

His most recent work, which was done with Gunes Acar and Arvind Narayanan, shows how there are at least seven tracking services that could access your Facebook data.

So it’s not bad enough that Facebook are selling all your info; Naughty People can grab your stuff too. Sigh.

On the face of things, Facebook Login looks great. No need to register for a site, just log in with your facebook creds. What a time saver! Huzzah! But…

It looks like if you are too lazy to register a new account, any dodgy bit of JavaScript on the site can snaffle bits of your Facebook profile – which third-party trackers blummin’ love!

Basically, when you let www.ilovecatpics.com get your Facebook deets, any tracking script that site has installed can also get the info. How much info? According to the research, it’s your Facebook ID, email address, name and even gender.

Here’s who can snaffle and what they can snaffle:

Company | Script Address | Facebook Data Collected
OnAudience* | http://api.behavioralengine.com/scripts/be-init.js | User ID (hashed), Email (hashed), Gender
Augur | https://cdn.augur.io/augur.min.js | Email, Username
Lytics | https://c.lytics.io/static/io.min.js (loaded via OpenTag) | User ID
ntvk1.ru | https://p1.ntvk1.ru/nv.js | User ID
ProPS^ | http://st-a.props.id/ai.js | User ID (has code to collect more)
Tealium^ | http://tags.tiqcdn.com/utag/ipc/[*]/prod/utag.js | User ID
Forter^ | https://cdn4.forter.com/script.js?sn=[*] | User ID

Do note that OnAudience have claimed they have stopped collecting this info after Englehardt released a previous study which showed they used browser autofill to grab email addresses.
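If you run a site with Facebook Login and want to know whether any of the scripts in that table are loading on your pages, the quickest check is to compare the script URLs your page actually loads against the list. The script below is an added example written for this post; it is not code from the post’s author or from the Princeton study. The URL patterns are copied straight from the table above, and the only assumption is how to read the table’s “[*]” wildcard (treated here as “any run of non-whitespace characters”). The list of sample script URLs is constructed for the demo.

```javascript
// Added example: flag script URLs that match the collector list from the
// table above. Patterns are copied from the table; "[*]" is the wildcard
// the table uses (assumed here to mean "any run of non-whitespace chars").
const KNOWN_COLLECTORS = [
  { company: "OnAudience", pattern: "http://api.behavioralengine.com/scripts/be-init.js" },
  { company: "Augur", pattern: "https://cdn.augur.io/augur.min.js" },
  { company: "Lytics", pattern: "https://c.lytics.io/static/io.min.js" },
  { company: "ntvk1.ru", pattern: "https://p1.ntvk1.ru/nv.js" },
  { company: "ProPS", pattern: "http://st-a.props.id/ai.js" },
  { company: "Tealium", pattern: "http://tags.tiqcdn.com/utag/ipc/[*]/prod/utag.js" },
  { company: "Forter", pattern: "https://cdn4.forter.com/script.js?sn=[*]" },
];

// Turn a table pattern into a RegExp: drop the scheme so http/https both
// match, escape regex metacharacters, and let "[*]" match any run of
// non-whitespace characters.
function patternToRegExp(pattern) {
  const withoutScheme = pattern.replace(/^https?:\/\//, "");
  const body = withoutScheme
    .split("[*]")
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join("[^\\s]+");
  return new RegExp("^https?:\\/\\/" + body + "$", "i");
}

// Pre-compile once. Patterns without a "?" are matched both against the
// full URL and against the URL with its query string removed, so a cache
// buster such as "?cb=17" does not hide a known script.
const COMPILED = KNOWN_COLLECTORS.map((entry) => ({
  company: entry.company,
  re: patternToRegExp(entry.pattern),
  hasQuery: entry.pattern.includes("?"),
}));

// Return the company name for a matching script URL, or null if unknown.
function matchCollector(url) {
  for (const entry of COMPILED) {
    const candidates = entry.hasQuery ? [url] : [url, url.split("?")[0]];
    if (candidates.some((u) => entry.re.test(u))) return entry.company;
  }
  return null;
}

// Audit a list of script URLs and return only the ones that matched.
// In a browser the list would come from Array.from(document.scripts, s => s.src);
// from a saved HAR file, from har.log.entries.map(e => e.request.url).
function auditScripts(urls) {
  return urls
    .map((url) => ({ url, company: matchCollector(url) }))
    .filter((hit) => hit.company !== null);
}

// Constructed sample input: two first-party/expected scripts and four
// that appear in the table (one over https, one with a cache buster).
const SAMPLE_SCRIPT_URLS = [
  "https://www.ilovecatpics.com/js/app.js",
  "https://connect.facebook.net/en_US/sdk.js",
  "https://api.behavioralengine.com/scripts/be-init.js",
  "https://cdn.augur.io/augur.min.js?cb=17",
  "https://tags.tiqcdn.com/utag/ipc/main/prod/utag.js",
  "https://cdn4.forter.com/script.js?sn=abc123",
];

console.log(auditScripts(SAMPLE_SCRIPT_URLS));
```

Run it against a live page’s `document.scripts` rather than the raw HTML: the table notes that Lytics is loaded via OpenTag, and scripts injected by a tag manager only show up once the page has executed. A match tells you the script is present, not what it is doing, so treat a hit as a prompt to read the script and your tag-manager config, not as proof of collection.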

Could it get worse? Oh yes. Yes it could.

Some third parties are using the Facebook Login feature to authenticate users across a variety of different websites. The commenting tool Disqus does this all the time, they say. Other hidden third parties could be using iframes, as Disqus does, to turn anon visitors into real people in order to sell more targeted advertising. Nice.


Of course, everyone denied doing anything nefarious, natch. And it’s certainly not a bug in the Facebook auth process. But it is alarming. As is just about all news about Zuck’s cash cow these days.
