‘Login With Facebook’ Data Hijacked by JavaScript Trackers techcrunch.com

Josh Constine, TechCrunch:

Facebook confirms to TechCrunch that it’s investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user’s data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It’s unclear what these trackers do with the data, but many of their parent companies including Lytics and ProPS sell publisher monetization services based on collected user data.

The abusive scripts were found on 434 of the top 1 million websites including cloud database provider MongoDB. That’s according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton’s Center For Information Technology Policy.

There are clearly problems with trusting third-party code, and it is the responsibility of developers to adequately audit that code and ensure it is safe for end users. It’s getting to the point where scripts like these ought to be treated as potential malware.
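One starting point for that kind of audit, as an added example that is not from TechCrunch or the researchers: a Node.js check that inventories the script hosts on a page that loads the Facebook SDK and lists the ones nobody has reviewed. A script included with a `<script>` tag runs in the page's own origin, with the same access as the site's code. `connect.facebook.net` is the SDK's real host; every other hostname, the sample HTML and the function names are constructed for illustration.

```javascript
// Added example: list unreviewed third-party script hosts on a page that
// loads the Facebook SDK. All hostnames except the SDK host are constructed.
const FB_SDK_HOST = "connect.facebook.net";

// Hostname of every <script src=...>, resolved against the page URL so that
// relative and protocol-relative URLs are attributed to the right host.
function scriptHosts(html, pageUrl) {
  const hosts = new Set();
  const re = /<script\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      hosts.add(new URL(m[1], pageUrl).hostname.toLowerCase());
    } catch (_) {
      hosts.add("(unparseable) " + m[1]); // keep it visible for manual review
    }
  }
  return hosts;
}

// True when host is the domain itself or one of its subdomains.
function within(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// firstPartyDomain: the site's own registrable domain (assumed input).
// reviewed: domains whose scripts have already been audited (assumed input).
function auditPage(html, pageUrl, firstPartyDomain, reviewed) {
  const hosts = scriptHosts(html, pageUrl);
  const usesFacebookLogin = hosts.has(FB_SDK_HOST);
  const unreviewed = [...hosts]
    .filter((h) => h !== FB_SDK_HOST && !within(h, firstPartyDomain))
    .filter((h) => !reviewed.some((d) => within(h, d)))
    .sort();
  return { usesFacebookLogin, unreviewed, needsReview: usesFacebookLogin && unreviewed.length > 0 };
}

// Constructed sample page, not taken from any real site.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script async src="https://connect.facebook.net/en_US/sdk.js"></script>
<script src="//cdn.tracker.example/t.js"></script>
<script src="https://static.shop.example/vendor.js"></script>
<script src="https://analytics.reviewed.example/a.js"></script>
<script>console.log("inline");</script>`;

console.log(auditPage(SAMPLE_HTML, "https://www.shop.example/account", "shop.example", ["reviewed.example"]));
```

This only sees script tags present in the served HTML; scripts injected at runtime by other scripts need a browser-based crawl or a Content Security Policy report to surface.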