Marketing firms may have abused a Facebook Login feature to secretly track users over the internet, according to new research.
The problem involves the “Login with Facebook” function, which—as its name suggests—lets you log into websites with your Facebook credentials rather than having to create separate accounts across the web.
However, researchers at Princeton University claim Facebook Login is susceptible to abuse. They detected online web trackers piggybacking on it to collect Facebook user IDs and email addresses.
“When a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site,” the researchers said.
Tracking scripts were found on over 400 websites, which were probably exploiting the Facebook Login feature to help businesses better monetize their users, researchers said.
However, the scale of the problem appears to be relatively small; a list of the affected domains does not contain many mainstream sites. For instance, the second most popular website on the list is an Indonesian newspaper that lets readers log in with their Facebook account.
Nevertheless, the findings underscore the potential for abuse. “This unintended exposure of Facebook data to third parties is not due to a bug in Facebook’s Login feature,” the researchers said. “Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web.”
Facebook is investigating the findings. “Scraping Facebook user data is in direct violation of our policies,” the company said in an email on Thursday.
“While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests,” the company added.
Facebook took action as the company is still reeling from the Cambridge Analytica scandal, which involved a UK political consultancy abusing Facebook practices to scoop up data on as many as 87 million users. In response, Facebook has promised comprehensive developer audits and better privacy protections for users.