Third-party JavaScript trackers are embedded on websites where users login through Facebook can gather their data, including email addresses, and as is reportedly the case with Bandsintown, pass that data to other websites.
The researchers, who include Mozilla Privacy Engineer Steven Englehardt, found numerous scripts “collecting Facebook user data using the first party's Facebook access,” they wrote in the blog, hosted by Princeton University's Center for Information Technology Policy. “These scripts are embedded on a total of 434 of the top 1 million sites.”
Englehardt and his fellow researchers said some third parties, like Disqus, use “the Facebook Login feature to authenticate users across many websites.”
“However, hidden third-party trackers can also use Facebook Login to deanonymize users for targeted advertising,” they wrote. “This is a privacy violation, as it is unexpected and users are unaware of it. But how can a hidden tracker get the user to Login with Facebook? When the same tracker is also a first party that users visit directly,” something the researchers discovered Bandsintown was doing. “Worse, they did so in a way that allowed any malicious site to embed Bandsintown's iframe to identify its users.”
A spokesperson from Bandsintown told SC Media that "this was not a 'practice' or intended use of this script" and that the company wasn't "aware of any malicious misuse" by third parties. "This was a vulnerability in our script that once recognized, we addressed right away, removing the script in question," the spokesperson said, adding that "Bandsintown does not disclose unauthorized data to third parties, we value the privacy of our users and are committed to meeting the highest possible data protection standards."
A vulnerability in the login feature of Facebook, which has come under fire recently for its data collection and sharing policies in the wake of the Cambridge Analytica revelations, is not the culprit, they said.
“Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today's web,” the bog noted. “Still, there are steps Facebook and other social login providers can take to prevent abuse: API use can be audited to review how, where, and which parties are accessing social login data. Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs.”
The researchers also said that “It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago.”
