How hidden trackers on websites use 'login with Facebook' to harvest your data

Justin Sullivan/GettyA woman protests against Facebook.
  • Security researchers found a way for hidden trackers to abuse the “login with Facebook” feature that many websites use.
  • The trackers can harvest user data like profile picture, name, email address, age, and gender – probably much more than people intend to give away when they log in to sites using Facebook.
  • Facebook says it is investigating the issue.
  • It’s yet another example of how hard it is for users to keep tabs on who has their Facebook data.

Here’s another example of companies hijacking Facebook to harvest your data.

Many people use the “login with Facebook” feature to sign in to some websites. It simplifies logging in and means you don’t have to remember a whole bunch of new usernames and passwords.

But according to security researchers at Freedom to Tinker, the shortcut may mean users are handing over considerably more information than intended. We first saw the news via TechCrunch.

Trackers embedded on a site’s pages can hijack the “login with Facebook” feature to harvest data you probably didn’t intend to give away, including your email address and public profile details such as name, age range, gender, location, and profile photo.

It isn’t clear what these trackers do with the information, but the researchers noted that the firms behind the trackers – Lytics and ProPS – all provide audience-monetisation services to publishers. In other words, sites are able to charge advertisers more money because they know more about you.

Facebook Login scrapingFreedom to TinkerHow third-party trackers can siphon off your Facebook data.

The researchers found the trackers embedded in 454 of the top 1 million sites, sorted by their Alexa traffic rank, including MongoDB. MongoDB told TechCrunch on Wednesday: “We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”

Facebook told TechCrunch it was investigating the issue, and it didn’t immediately respond to a request for further clarification from Business Insider.

The numbers suggest the data syphoning isn’t particularly widespread, but it’s yet another example of how difficult it is for users to understand where their Facebook information could be going.

Steven Engelhardt, a privacy engineer at Mozilla who was among the researchers behind the findings, wrote: “This unintended exposure of Facebook data to third parties is not due to a bug in Facebook’s Login feature. Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web.”

But, Engelhardt added, Facebook could do a better job of auditing how third parties use tools like the log-in service and stop trackers from scraping more information than necessary.

NOW WATCH: Tech Insider videos

Business Insider Emails & Alerts

Site highlights each day to your inbox.

Follow Business Insider Australia on Facebook, Twitter, LinkedIn, and Instagram.