'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com) 91
An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.
Re:Why is this a surprise? (Score:5, Insightful)
Here is the real problem:
After TechCrunch brought the issue to MongoDB’s attention this morning, it investigated and just provided this statement “We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”
You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????
What the fuck is wrong with you? Are you really that fucking incompetent? Seriously. What the fucking fuck.
Re: (Score:3)
So, moral of the story is to never sign into Facebook outside of a single sandboxed browser instance which can't reach the rest of your system.
I know, some people are going to shorten that down just to "never sign into Facebook"...
Re: (Score:1)
You're right, but there's more ... why do we allow third party scripts by default? Oh, wait, because ad companies control the internet and whine if anybody tries to make it safer.
So, you hit a website, it pulls in javascript from god knows where (including Facebook), it all runs and does stuff you have no idea about, and someone has figured out they can exploit other things because you're now running stuff from multiple parties.
This is why I whitelist j
Re: (Score:1)
I've been railing against javascript for 20 years.
But the real problem is not javascript, but rather browsers and OSes that allow javascript access to that data on our computers.
Yes, we probably need a separate OS container for each website we use if we want some degree of safety.
But, facebork, et al, have our data (not mine- I don't use them) on their servers, and that data is being traded, sold, and stolen, so no matter how much we protect our own computers, there's nothing we can do about the server end.
Re: (Score:2, Informative)
You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????
What the fuck is wrong with you? Are you really that fucking incompetent? Seriously. What the fucking fuck.
The Slashdot page you are on right now runs scripts from nine domains totaling several thousand lines of executable code and a couple thousand other lines for formatting and data.
Dozens of people could make changes to any part of this common framework of frameworks and Slashdot proper wouldn't know any different. It would take weeks to review it all and by the time that was done, something would have changed.
Welcome to that web 2.0 all the old "luddites" of Slashdot warned about for years.
Re: (Score:2)
Re: (Score:1)
Old Luddite here. I told you (everyone) so. Look at my couple of original posts.
I learned of all of this quite by accident. 20 years ago I discovered Opera browser. In those days I had dial-up connections, and generally don't have the fastest broadband, so I've always cared about how fast a page loads. In those early days Opera would crash often, and I discovered 2 major things: if I disabled javascript, 1) pages loaded (often much) faster, 2) browser didn't crash.
Old Opera (versions 0 - 12.x) has alwa
Re: (Score:2)
Re: (Score:2)
Yeah, it's not like embedding 3rd-party advertising script code with FULL ACCESS to the main site's data has been a thing since forever.
Can we now get web browsers to block all 3rd-party scripts by default? Please?
Re: (Score:2)
Yeah, it's not like embedding 3rd-party advertising script code with FULL ACCESS to the main site's data has been a thing since forever.
Can we now get web browsers to block all 3rd-party scripts by default? Please?
Yes we can!
Well, I can. I’m still, after all these years, a bit shocked that not everyone uses even ad-blockers, let alone script blockers. A browser that automatically blocked all ads, beacons, scripts, etc, etc, would be nice, I suppose, but haven’t we dumbed-down the internet enough already? As it is, we have to put up with two-factor authentication because some people are too fuckin’ lazy to use password managers, and now they want us to hand over our phone numbers, too.
Personally, I t
Re: (Score:2)
Re:Why is this a surprise? (Score:5, Informative)
Here is the real problem:
After TechCrunch brought the issue to MongoDB’s attention this morning, it investigated and just provided this statement “We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”
You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????
What the fuck is wrong with you? Are you really that fucking incompetent? Seriously. What the fucking fuck.
Come on, man. Have you looked at modern websites? They include a shitload of scripts. Slashdot is trying to load 17. Seventeen! Do you really think someone at Slashdot went out and read the code behind every one of those scripts in order to understand them? Do you think that when a third party script is updated the original site is even AWARE and looks at the updated code? If you're going to use third party scripts (for example a Facebook login) on your website, you've already given up control of your website. At that point you're just playing "trust me" with the owners of those scripts.
I am not saying it's a good or right situation but almost every website on the internet does things this way.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Facebook may be evil, but I don't understand why we blame Facebook for this "exploit".
The user grants Website X permission to use their Facebook data. Website X obtains that data. Website X subsequently runs a malicious script on their own website which harvests that data.
Wouldn't this be, like, the fault of Website X?
I'm laughing my ass off !!! (Score:1)
Facebook has magnified the consequences of poorly placed trust far beyond most anyone's worst nightmares.
I never fell for the idiocy of Facebook myself, so all the suckers and chumps who did are just fools who provide me with a reason to laugh derisively.
Thanks for the laughs, you dumb fucks.
Re: (Score:3)
I never fell for the idiocy of JavaScript.
Oracle will fix that (Score:3, Funny)
I hear Oracle is trying to sue anyone publishing JavaScript because they own the trademark "JavaScript". Lawsuit fear may finally end the organic mess of JavaScript floating around. Okay, I'm only dreaming.
Re: (Score:1)
Well well, it's the Grammar Yoda (Writing Yoda?) Fockit
Re: Oracle will fix that (Score:4, Informative)
Why is JavaScript called "JavaScript" in the first place?
Marketing hype left over from when Sun was pushing Java as the solution to everything.
How hard can it be? (Score:2)
(meme from Twitter, and maybe that too) For anyone who cares the path is clear. If you don't care, do nothing and quityerbitchin.
Do, or do not. There is no try.
Been blocking forever - Fanboys annoyances (Score:1)
Suck it Traitorberg!
Re: (Score:2)
The experience of obtaining that data from your friend is yours and nobody has the right to take it away from you. And they won't do it, unless our society decides it appropriate to use force to damage your brain.
If "privacy" is ever protected to quite the degree
Huh? Exploit? (Score:2, Insightful)
Where is the exploit here? How is it surprising or concerning that if I give a company access to my data, they might use third-party SAAS to process my data? Is the endgame of this hysteria a complete ban on SAAS?
Facebook is always bad news. Who uses this crap? (Score:2)
Re: (Score:1)
Just you wait until they get around to auditing the banner ads.
Re: (Score:2)
LOL! (Score:1)
Never used this feature once (Score:5, Insightful)
Always felt it to be highly invasive, potentially insecure. The LAST thing I want, is to sign in to bloody sites with Facebook credentials.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Goatse for you [duckduckgo.com]
Re: (Score:1)
I'll give you 3 ad-free FaceBook accounts if you keep quiet about this.
On a similar lane of thought on FB security... (Score:4, Interesting)
...how do we know when we're using a legit 'Facebook login' prompt on mobile devices?
For example, I don't have FB on my mobile, and I've linked my Instagram account to it, but every now and then I get a pop-up asking me to sign into FB. I'm not concerned there, since it's Instagram and they're owned by FB....but there are other apps and games that do the same thing.
I really have no way of verifying that the prompt is legitimately from FB. It would be trivial to create a game that asks you to tie it to your FB account to 'save data' or 'play against friends', etc, and display the same pop-up, and simply collect your FB credentials.
That seems like a pretty serious security issue to me....is anything being done to prevent that from happening, or that can verify that the prompt is a legit FB sign-in?
Add Other App Data To The List (Score:3, Interesting)
I never created a Facebook account. The Facebook app is disabled on my phone. But ...
At our company, I used a test account created by a colleague for the R&D team. I used it to log in to an app under development.
So far, so good. Or so it seems.
But after the C.A. scandal, I was curious and downloaded the data Facebook has on this account.
1) reading the list of known items makes you think that for sure, they know much more than they tell you and give you in this archive
2) a small detail, but which means a lot: at the end of the profile description, there is something like: "Music: AONE". Now I know Facebook has used our team test account to suck data from my phone because AONE is a little known French metal band. Facebook pulled the information from Jet Audio, the player I use. Facebook got it behind my back, without my consent.
So, Mr Zuck., stop lying and pretending you know nothing about shadow accounts. Everybody except you knows, really!? You're either a liar or a fool who has lost control of his company.
Shut Facebook down for good. The end. Maybe you'll be allowed to run with the money.
Browser Weakness/Design Flaw (Score:2)
Websites can always contain malicious code. This should have been designed from the start so that:
When a form element contains a PASSWORD field:
1. The page displaying the form data needs to have been received over HTTPS with the same hostname that the POST operation will send the form to, and the form needs to be contained in the HTML. The browser should provide unique UI presentation for Password fields and normal Text fields, so it should not be possible for a JavaScript to "add a
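The rule in step 1 above (a password form is only acceptable if the page arrived over HTTPS and the form submits over HTTPS to the same hostname) is concrete enough to write down as a check. The following is an added example and is not browser behaviour or code from the comment: a Node.js function that takes a page URL and a form's `action` and `method` and reports every way the form breaks the rule, handling the edge cases a real checker meets (empty action, relative and protocol-relative actions, a GET form that would put the password in the query string). The `shop.test` and `auth.vendor.test` hostnames in the cases are constructed.

```javascript
// Added example: check a password form against the rule "HTTPS page, HTTPS
// POST, same hostname". Illustration of the proposal above, not a browser API.

function checkPasswordForm(pageUrl, formAction, method = "post") {
  const reasons = [];
  const page = new URL(pageUrl);

  // An empty or missing action submits back to the page itself; relative and
  // protocol-relative actions resolve against the page URL like a browser would.
  let target;
  try {
    target = new URL(formAction || "", pageUrl);
  } catch (e) {
    return { ok: false, target: null, reasons: ["form action is not a valid URL"] };
  }

  if (page.protocol !== "https:") {
    reasons.push("page was not received over HTTPS");
  }
  if (target.protocol !== "https:") {
    reasons.push(`form submits over ${target.protocol.replace(":", "")} instead of https`);
  }
  if (target.hostname !== page.hostname) {
    reasons.push(`form submits to ${target.hostname}, not ${page.hostname}`);
  }
  if (String(method).toLowerCase() !== "post") {
    reasons.push("password would be sent in the query string (method is not POST)");
  }
  return { ok: reasons.length === 0, target: target.href, reasons };
}

// Constructed cases: one that passes the rule and four that each break it differently.
const CASES = [
  { page: "https://shop.test/login", action: "/session", method: "post" },
  { page: "https://shop.test/login", action: "//auth.vendor.test/login", method: "post" },
  { page: "http://shop.test/login", action: "/session", method: "post" },
  { page: "https://shop.test/login", action: "", method: "get" },
  { page: "https://shop.test/login", action: "http://shop.test/session", method: "post" },
];

function runCases(cases = CASES) {
  return cases.map((c) => ({ ...c, ...checkPasswordForm(c.page, c.action, c.method) }));
}

for (const r of runCases()) {
  console.log(r.ok ? "OK  " : "FAIL", r.page, "->", r.target, r.reasons.join("; "));
}
```

Note that a check like this only covers the transport part of the proposal; the second half (a password field that page JavaScript cannot imitate) needs the browser to render the field itself, which no check run from the page can provide.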
So what? (Score:2)
Re: (Score:2)
Single log-in vs same UID/PW everywhere (Score:2)
One is obviously a bad idea. The other is just stupid.