Stories
Slash Boxes
Comments

SoylentNews is people

Login With Facebook Data Hijacked by JavaScript Trackers

posted by janrinok on Saturday April 21 2018, @12:57AM   Printer-friendly
from the its-against-our-policy dept.

MrPlow writes:

Submitted via IRC for SoyCow8317

Facebook confirms to TechCrunch that it’s investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user’s data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Lytics and ProPS sell publisher monetization services based on collected user data.

Meanwhile, concert site BandsInTown was found to be passing Login With Facebook user data to embedded scripts on sites that install its Amplified advertising product. An invisible BandsInTown iframe would load on these sites, pulling in user data that was then accessible to embedded scripts. That let any malicious site using BandsInTown learn the identity of visitors. BandsInTown has now fixed this vulnerability.

TechCrunch is still awaiting a formal statement from Facebook beyond "We will look into this and get back to you."

Source: https://techcrunch.com/2018/04/18/login-with-facebook-data-hijacked-by-javascript-trackers/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Login With Facebook Data Hijacked by JavaScript Trackers | Log In/Create an Account | Top | 23 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Funny) by aristarchus on Saturday April 21 2018, @04:44AM (1 child)

    by aristarchus (2645) on Saturday April 21 2018, @04:44AM (#669959) Journal

    I opened an Facebook account for you, Runaway. Sorry, but they insisted on a real phone number, and your real name, and so forth. So you are a victim, now, despite your best efforts. No need to thank me. Your password is "Runaway12345", in case you want to log in to be javascript hacked.

    Starting Score:    1  point
    Moderation   +1  
       Funny=1, Total=1
    Extra 'Funny' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 0) by Anonymous Coward on Saturday April 21 2018, @07:47PM

    by Anonymous Coward on Saturday April 21 2018, @07:47PM (#670148)

    do they really require a phone number now?

    i wouldnt install signal because, to chat on my desktop, i required to give them my phone number and contact list, because they said, to find if other contacts in my list already have it, so I can be idenfitied about who is trying to keep private.

    fuck that? so i didn't install it, because I remember back when I actually had to... deliberately tell chat programs who I wanted to chat with, not let the server slurp that data as part of how I can rat out my friends and family and stuff.

    it doesnt matter to me if they are so encrypted it takes 3 deses to unlock the sucker; they are taking copies of data that I on principle do not want them to have. I don't want to have to ask everyone on my contact list hey is it OK if I give your details to a company known for hiding the texts of bad people if we were to believe the government propaganda? No? shit now I can't use it

    no one asked me if it was OK for some app to download my info from their contact list.

    so fuck facebook for requiring the phone number. i dont want them to have it but I imagine they already do. just confirming it for them would feel dirty