Facebook profiles have become the de-facto identities of people across the internet. This is thanks, in large part, to Login With Facebook, the social network's universal login API, which allows users to carry their profile information to other apps and websites. You've probably used it to log in to services like Spotify, Airbnb, and Tinder. But sometimes, especially on lesser known websites, using Facebook's universal login feature may carry security risks, according to new research from Princeton University published Wednesday.
In a yet-to-be peer-reviewed study published on Freedom To Tinker, a site hosted by Princeton's Center for Information Technology Policy, three researchers document how third-party tracking scripts have the capability to scoop up information from Facebook's login API without users knowing. The tracking scripts documented by Steven Englehardt, Gunes Acar, and Arvind Narayanan represent a small slice of the invisible tracking ecosystem that follows users around the web largely without their knowledge.
“We never thought this was possible. It was really surprising,” says Acar. "This is tapping into a social API, which you are not expected to—but this sounds a bit beyond the line."
The researchers found that sometimes when users grant permission for a website to access their Facebook profile, third-party trackers embedded on the site are getting that data, too. That can include a user's name, email address, age, birthday, and other information, depending on what info the original site requested to access. The study found that this particular breed of tracking script is present on 434 of the web's top one million websites, though not all of them are querying Facebook data from the API—the researchers only confirmed that such a script was present.
Most of the scripts the researchers examined grab a user ID that is