The researchers found seven third-party companies accessing Facebook user data through a tool allowing users to log into websites using their Facebook ID. The report suggests that signing in with a social account unknowingly allows the user to trust not just that website, but third-party tools on that same website.
The group found scripts embedded in websites that, when a user logs in with a Facebook account, will access the user ID and, depending on the script, other data like email addresses and even gender. The team wasn’t able to determine just how the information is used, but four of those third-party platforms run what they called a “consumer data platform.” A fifth runs cross-device tracking.
The team managed to find the scripts that caused the vulnerability installed on 434 websites out of the top 1 million sites on the web. One of those sites, MongoDB, a cloud database, has already corrected the script.
The group found fewer instances of the second type of vulnerability, but said that third-party trackers could “deanonymize users.” This type of script was found on Bandsintown, where an iFrame could be used for other websites to embed data from the music platform. The iFrame could pass user data, including identifying data, onto malicious websites accessing that iFrame. Bandsintown says the vulnerability has now been corrected.
The researchers call the vulnerability unintended, but also say that it’s “the lack of boundaries between the first-party and third-party scripts in today’s web,” not because of a bug. Facebook says that they are investigating the report.
The report is just one of the third-party vulnerabilities Facebook is currently investigating. After Cambridge Analytica, the platform is conducting audits on third-party apps using the Facebook API. Both the website scripts and the third-party apps required users to log in with their Facebook credentials.