Login With Facebook Data Hijacked by JavaScript Trackers

posted by janrinok on Saturday April 21, @12:57AM
Facebook confirms to TechCrunch that it’s investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user’s data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Lytics and ProPS sell publisher monetization services based on collected user data.

Meanwhile, concert site BandsInTown was found to be passing Login With Facebook user data to embedded scripts on sites that install its Amplified advertising product. An invisible BandsInTown iframe would load on these sites, pulling in user data that was then accessible to embedded scripts. That let any malicious site using BandsInTown learn the identity of visitors. BandsInTown has now fixed this vulnerability.

TechCrunch is still awaiting a formal statement from Facebook beyond "We will look into this and get back to you."

Source: https://techcrunch.com/2018/04/18/login-with-facebook-data-hijacked-by-javascript-trackers/

  • (Score: 0) by Anonymous Coward on Saturday April 21, @01:09AM

    by Anonymous Coward on Saturday April 21, @01:09AM (#669871)

    Don't you worry. If they could grab this data there's no way they could get your login credentials. Trust them to tell you every time they do you wrong ;-)

