Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Facebook Java Communications Network Privacy Security The Internet

'Login With Facebook' Data Hijacked By JavaScript Trackers ( 91

An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.
This discussion has been archived. No new comments can be posted.

'Login With Facebook' Data Hijacked By JavaScript Trackers

Comments Filter:
  • by Anonymous Coward

    Facebook has magnified the consequences of poorly placed trust far beyond most anyone's worst nightmares.

    I never fell for the idiocy of Facebook myself, so all the suckers and chumps who did are just fools who provide me with a reason to laugh derisively.

    Thanks for the laughs, you dumb fucks.

  • by Tablizer ( 95088 ) on Wednesday April 18, 2018 @08:20PM (#56461475) Journal

    I hear Oracle is trying to sue anyone publishing JavaScript because they own the trademark "JavaScript". Lawsuit fear may finally end the organic mess of JavaScript floating around. Okay, I'm only dreaming.

  • #deletefacebook

    (meme from Twitter, and maybe that too) For anyone who cares the path is clear. If you don't care, do nothing and quityerbitchin.

    Do, or do not. There is no try.
  • by Anonymous Coward

    Suck it Traitorberg!

  • Huh? Exploit? (Score:2, Insightful)

    by Anonymous Coward

    Where is the exploit here? How is it surprising or concerning that if I give a company access to my data, they might use third-party SAAS to process my data? Is the endgame of this hysteria a complete ban on SAAS?

  • Either the press has turned against them, they are the new Microsoft Evil Empire, or they are just real assholes, but there is a new "Facebook is Evil as Fuck - New Assrape Code" story every day!
  • I don't do Facebook!
  • by AbRASiON ( 589899 ) * on Wednesday April 18, 2018 @09:16PM (#56461725) Journal

    Always felt it to be highly invasive, potentially insecure. The LAST thing I want, is to sign in to bloody sites with Facebook credentials.

    • OK So you think these sites are slimeballs and blood. I find it odd you have a facebook credential to begin with. It is very inconsistent with someone who takes privacy seriously.
    • The feature itself isn't a bad idea. A trusted third party confirms the identity of both the store and the user wishing to login to the store, and can do it for all stores and all users. Done right, you could replace the hundreds of different passwords I currently maintain in my password manager, with a single password (passphrase) and key + certificate. It's basically what already happens with SSL (HTTPS connections), except instead of authenticating a browser for a single session, you authenticate a us
  • by Vegan Cyclist ( 1650427 ) on Thursday April 19, 2018 @01:01AM (#56462333) Homepage do we know when we're using a legit 'Facebook login' prompt on mobile devices?

    For example, I don't have FB on my mobile, and I've linked my Instagram account to it, but every now and then I get a pop-up asking me to sign into FB. I'm not concerned there, since it's Instagram and they're owned by FB....but there are other apps and games that do the same thing.

    I really have no way of verifying that the prompt is legitimately from FB. It would be trivial to create a game that asks you to tie it to your FB account to 'save data' or 'play against friends', etc, and display the same pop-up, and simply collect your FB credentials.

    That seems like a pretty serious security issue to anything being done to prevent that from happening, or that can verify that the prompt is a legit FB sign-in?

  • by AncalagonTotof ( 1025748 ) on Thursday April 19, 2018 @02:06AM (#56462479)

    I never creates a Facebook account. The Facebook app is disabled in my phone. But ...
    At our company, I used a test account created by a colleague, for the R&D team. I used it to log in an app under development.
    So far, so good. Or so it seems.
    But after the C.A. scandal, I was curious and downloaded the data Facebook has on this account.

    1) reading the list of known items makes you think that for sure, they know much more than they tell you and give you in this archive

    2) a small detail, but which means a lot : at the end of the profile description, there is something like : "Music: AONE". Now I know Facebook has used our team test account to suck data from my phone because AONE is a little known French metal band. Facebook pulled the information from Jet Audio, the player I use. Facebook got it behind my back, without my consent.

    So, Mr Zuck., stop lying and pretend you know nothing about shadow accounts. Everybody except you knows, really !? You're either a liar or a dumb that has lost control on his company.
    Shut Facebook down for good. The end. May be you'll be allowed to run with the money.

  • Websites can always contain malicious code..... This should have from the start been designed so:
    When a form element contains a PASSWORD field:

    1. The page displaying the form data needs to have been received over HTTPS with the same hostname that the POST operation will send the form to, and the form needs to be contained in the HTML; The browser should provide unique UI presentation for Password fields and normal Text fields, so it should not be possible for a JavaScript to "add a

  • If you use your Facebook account like a garbage can, to contain all the trash generated as a result of the privilege to log automatically with Facebook into some sites, the bad guys will only get garbage. That's what Facebook is good for. From my account, the bad guys will have obtained fake names, phone numbers, email addresses - and an untold and unknown - to me - amount of spam. Enjoy the junk, hackers.
    • They will still get the data from the tracking javascript that forwards everything under the sun in an agreement with facebook. Given all of the other data they have from everyone else they will be able to accurately tell you things you don't even know about yourself. Play with machine will open your eyes. There are very few who are not able to be are not one of them.

  • One is obviously a bad idea. The other is just stupid.

Evolution is a million line computer program falling into place by accident.