Facebook's login API can land you in trouble
Facebook has ruled the social media landscape for a long time, and its dominance is still intact. Though the social media giant got entangled in a couple of controversies lately and even lost many of its users, with sterner guidelines Facebook aims to win back the trust of its existing users and industry experts.
In an attempt to instill more trust in their user community, Erin Egan, VP and Chief Privacy Officer, Policy, and Ashlie Beringer, VP and Deputy General Counsel, said in a blog post, “It’s important to show people in black and white how our products work – it’s one of the ways people can make informed decisions about their privacy. So we’re proposing updates to our terms of service that include our commitments to everyone using Facebook. We explain the services we offer in language that’s easier to read. We’re also updating our data policy to better spell out what data we collect and how we use it in Facebook, Instagram, Messenger and other products.”
Amid all this, there still remains a concern about Facebook's profile sharing. Because of its popularity, Facebook's login API can be used to log in to many other apps and websites. For instance, you can sign in to apps like Spotify, Tinder, Airbnb and many gaming profiles with your Facebook login.
At first, these logins look safe, but what about websites and apps that look dubious and that you still want to get into? Is logging in with a Facebook profile safe? According to a research report from Princeton University, doing so can pose security risks for users.
To support their claims of a safety breach, three researchers, Steven Englehardt, Gunes Acar and Arvind Narayanan, did an in-depth analysis and uncovered loopholes through which hackers and third-party tracking scripts can exploit Facebook's login API without the users' knowledge. The tracking scripts offer a glimpse of invisible tracking technology that works behind the curtain and robs people of their personal information as well as their profile credentials.
“We never thought this was possible. It was really surprising,” says Acar, one of the researchers. “This is tapping into a social API, which you are not expected to—but this sounds a bit beyond the line.”
One such breach was reported just last month, when a bug caused almost 14 million Facebook users to have their new posts inadvertently set to public. Facebook immediately acknowledged the glitch and even issued a press release about it. The bug didn’t compromise any of the users’ personal details, but it was scary enough.
“We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts. We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time,” Erin Egan, Facebook's chief privacy officer, said in a statement. “To be clear, this bug did not impact anything people had posted before—and they could still choose their audience just as they always have. We’d like to apologize for this mistake.”
Another blow Facebook experienced was the data theft by Cambridge Analytica. In that scandal, the personal information of about 87 million people was shared with third-party companies. The transgression was carried out by the simple trick of a personality test app.
The Princeton University research further unearthed that when we connect to a website through our Facebook profile, third-party trackers on that site can directly obtain our data. The information may include username, phone number, email address, age, friend list, birthday and any other information the site requested access to. Moreover, the study established that such a tracking script was present on 434 of the web's top one million websites. Not all of them may have engaged in data theft, but the script is indeed active on these websites.
One thing was clear: these websites did gather the user ID, name and email address. Though these details may not sound threatening, with the user's unique ID a person can easily be tracked on Facebook and on other websites too.
After Princeton published its research online, Facebook responded and said it would suspend this ability.
“Scraping Facebook user data is in direct violation of our policies. While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests,” a Facebook spokesperson said in a statement.
The Princeton study has certainly underlined the threat of logging in with a Facebook ID. So, to stay away from any such breach, try not to connect with Facebook on websites you don’t visit often, and if a website offers other ways to log in, use those rather than risking your data. Above all, stay away from websites that act fishy or don’t seem genuine.
Interestingly, in 2014 Facebook floated the idea of creating an Anonymous Facebook Login for its users, “a way to log into apps without sharing any personal information from Facebook.” But for unknown reasons, the idea quietly faded away.
Then there is the boon of ad blockers. Ad blockers cut off access to many of the tracking scripts that may access this information. Sadly, the Princeton researchers didn’t dig into this aspect, but something is better than nothing.
My personal advice to you is: always stay alert and don’t get into any cryptic stunt.
She is a content marketer with more than five years of experience in IoT, blockchain, web and mobile development. In all these years she has closely followed app development, and now she writes about existing and upcoming mobile app technologies. Her essence is more like a ballet dancer.