
No boundaries for Facebook data: third-party trackers abuse Facebook Login - randomwalker
https://freedom-to-tinker.com/2018/04/18/no-boundaries-for-facebook-data-third-party-trackers-abuse-facebook-login/
======
btown
The linked article https://freedom-to-tinker.com/2018/04/18/no-boundaries-for-facebook-data-third-party-trackers-abuse-facebook-login/
provides much more detail and links to source code, such as
https://gist.github.com/englehardt/db3ecea255ccd6aa2b0cb73ca76257d6#file-be-init-js-L1229

It's important to recognize that this is not an exploit or high-tech
exfiltration: it's extremely well-documented in
https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus
and
https://developers.facebook.com/docs/javascript/reference/FB.api
- the Facebook library even assumes that potentially multiple scripts may be
checking repeatedly, and caches accordingly. Facebook is incentivized to make
it as easy as possible to integrate their login across the internet, and that
entails removing any requirements such as server-side processing that would
discourage every tag from including this code.

Seeing this and being surprised is like watching a teen movie where the
gossiper invites the entire school to listen in on the phone line while the
protagonist is (unwisely) sharing a secret with them, and thinking as you
watch, "that's totally out of character for the gossiper - even though they
want to collect people's information themselves, there's no way they would
invite other people to listen in as they're in the process of receiving that
information."

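One defensive measure a first-party site can take against the pattern described above (any script on the page calling `FB.getLoginStatus` / `FB.api`) is to wrap those SDK methods and refuse calls whose stack shows a frame from a non-allow-listed origin. This is an added example, not code from the article, the linked gist, or the Facebook SDK; the hostnames, stack strings and the `guardFacebookSdk` / `options.getStack` names are constructed for illustration.

```javascript
// Added example, not code from the article or the Facebook SDK. A first-party
// page wraps the SDK's data-returning methods so that calls made from scripts
// on other origins are refused and recorded. Browser stack traces carry the
// URL of every script frame (Chrome: "at fn (https://h/x.js:1:2)", Firefox:
// "fn@https://h/x.js:1:2"), so the calling script's origin can be recovered.

const URL_RE = /https?:\/\/[^\s()@]+/g;

// Distinct origins (scheme + host[:port]) of every script frame in a stack string.
function originsFromStack(stack) {
  const origins = new Set();
  for (const match of stack.match(URL_RE) || []) {
    try {
      origins.add(new URL(match).origin);
    } catch (e) {
      // Not a parseable URL (e.g. a local file path); skip that frame.
    }
  }
  return origins;
}

// A call is allowed only if every frame comes from an allow-listed origin.
// The list must include the SDK's own origin (https://connect.facebook.net),
// since SDK frames appear when FB.api is called from a getLoginStatus callback.
function isCallAllowed(stack, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  for (const origin of originsFromStack(stack)) {
    if (!allowed.has(origin)) return false;
  }
  return true;
}

// Replace fb.api and fb.getLoginStatus with guarded versions. `fb` is window.FB
// in a browser; any object with those method names works here. Returns the log
// of refused calls. `options.getStack` is injectable (an assumed hook) so the
// logic can be tested outside a browser, where stacks hold paths, not URLs.
function guardFacebookSdk(fb, allowedOrigins, options = {}) {
  const methods = options.methods || ['api', 'getLoginStatus'];
  const getStack = options.getStack || (() => new Error().stack || '');
  const refused = [];
  for (const name of methods) {
    const original = fb[name];
    if (typeof original !== 'function') continue;
    fb[name] = function guarded(...args) {
      const stack = getStack();
      if (isCallAllowed(stack, allowedOrigins)) {
        return original.apply(fb, args);
      }
      // Refuse silently rather than throw: a throwing wrapper would also break
      // any first-party code that shares the call path.
      refused.push({ method: name, origins: [...originsFromStack(stack)] });
    };
  }
  return refused;
}

// In a browser, install the guard once the SDK has loaded:
// window.fbAsyncInit = () => guardFacebookSdk(window.FB,
//   [location.origin, 'https://connect.facebook.net']);
```

This is a detection aid rather than a hard boundary: a script that grabbed a reference to `FB.api` before the guard was installed, or that calls it after an async boundary that truncates the stack, is not caught, so the refused-call log is best treated as a signal to review which tags are on the page.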
~~~
JumpCrisscross
> _It's important to recognize that this is not an exploit or high-tech
> exfiltration: it's extremely well-documented_

This argument was used last time [1]. It didn't work then and it's a silly
excuse now.

Users gave Facebook their "name, email address, age range, gender, locale, and
profile photo" [2]. Some of them marked those data private ( _i.e._ only for
friends). Those data were shared, without the users' informed consent, with
third parties through the log-in function.

Documenting a breach doesn't unmake it a breach. And a breach can be a breach
without involving any technical exploits. This was a breach.

> _Seeing this and being surprised is like watching a teen movie where the
> gossiper..._

People didn't realize Facebook was selling their secrets. That may strike you
as naïve. But it's this asymmetry, between specialists ( _e.g._ Facebook
employees and technologists at large) and non-specialists ( _i.e._ most of
Facebook's users), that drives the need for regulation.

An analogy can be found in lemon laws [3]. We protect consumers from
specialists ( _e.g._ car salespersons) taking advantage of the customers'
reasonable ignorance of cars. Facebook is selling the world lemons and mocking
them for buying.

[1] https://www.cbsnews.com/news/facebook-cambridge-analytica-was-it-a-data-breach

[2] https://techcrunch.com/2018/04/18/login-with-facebook-data-hijacked-by-javascript-trackers/

[3] https://en.wikipedia.org/wiki/Lemon_law

~~~
underwater
You’re either misunderstanding or misrepresenting what is happening here.

The website or app implements Facebook Login. When a user visits that they can
choose to share their profile information with that app. Through poor security
or malicious action that app leaks that information to third parties.

You can’t control data on systems you don’t own. So Facebook’s options are
either (a) limit how platform apps use data via non-technical/legal methods,
(b) better educate users on the implications of sharing their data with
external apps, or (c) refuse to share any user data with external apps.

We’ve seen the first option fail with the Cambridge Analytica scandal.
Educating users consistently fails. And before Facebook built a platform, they
were accused of building a walled garden.

~~~
ljm
I'm not sure you can see this as a persistent failure in terms of FB (and
similar) fighting against an unstoppable tide of ignorance. It's far easier
to see Facebook (and similarly Google with Android, for a very long time)
sabotaging the effort from the start.

A user absolutely can choose what they share with Facebook, but Facebook makes
no effort to tell you why you should edit the defaults. Instead, you have to
click an edit button, and look at a list of checkboxes, and understand what
each thing means, and double and triple check that this doesn't override your
personal privacy preferences or have some other unintended side-effects. The
default expectation from Facebook (and similar) is biased heavily against the
user, purely by virtue of it being opt out.

It depends on users not being educated well enough, and giving them a good
reason to care less about being more judicious with their profile.

~~~
darod
Actually some apps won't allow you to log in if you change any of the
checkboxes.

------
underwater
The underlying issue is executing arbitrary third-party JavaScript on your
website.

It’s unfortunate that browsers and standards organisations haven’t done more
to promote safer methods of third party integration. The state of the art is
still injecting script tags into the document. Given that the web is powered
by embeds, ads, and analytics, there should be better sandboxing tools.

~~~
lllr_finger
AMP achieved this, for better or worse - the only script allowed on the page
is the AMP common library and approved plugins. I wonder if the Google CDN was
removed from the equation if it would have been more embraced.

~~~
underwater
It hasn’t solved it at all. Google have whitelisted a set of first and third
party scripts. They routinely add more through a non scalable process that
seems to rely on a preexisting relationship with the company.

The analytics tag allows for arbitrary logging endpoints to be used, but that
solves one very specific use case.

I believe that they’re going to allow worker scripts in the future, but again,
I don’t believe that will solve every case, and it will be AMP specific.

------
AznHisoka
People aren't even aware that there are browser extensions that track every
single website, keystroke, and click already. The companies that do this then
sell your data for thousands a month.

I'm talking about big players like SimilarWeb and JumpShot. Clickstream
companies.

~~~
nathancahill
Isn't this the revenue model of eBates too?

~~~
arciini
As far as I know, eBates doesn't directly sell the websites you visit.
Instead, it makes money from the fees paid by "affiliates". For example,
eBates is an affiliate of Macy's. That means when you buy something on Macy's
with eBates installed, Macy's assumes that eBates is helping to get the user
onto eBates. Macy's pays eBates, and eBates pays a part of it to you.

As far as I know, it only sends URLs of your visits to its affiliates, but not
for other sites.

------
ivanhoe
If I remember correctly you can't request access to any non-public user info
without submitting your app first for manual approval by Facebook's staff. So,
if there are FB apps out there tracking extra user info, Facebook must have
reviewed and approved them, so they are obviously OK with such usage. So it's
not an exploit of the platform, it's FB's core business...

------
JumpCrisscross
Under GDPR, would the sites that used this insecure Log-in Button from
Facebook be liable for losing their data? (I assume they could then sue
Facebook to reimburse them for their fines, _et cetera_.)

------
1sttimeposter
Why do we not assume that the site owner has the responsibility to protect how
data is intercepted on their site? If said site owner allows their web page
user to type their email into a form, a malicious script on the page can still
intercept that data. FB assures the transportation of the data to the web page
and once the transmission is triggered, up to its delivery, then the onus is
on a site owner to govern the data. Furthermore, as an end user you have to be
diligent in what you do online. If you come across a site that asks you to
type information or log in with FB, you have to determine whether you trust
the site enough and that you feel comfortable taking the risk of exchanging
your information for the service at hand. Let’s not lose sight of reality and
remove emotional bias from this conversation.

------
drpancake
Is this not the same as integrating 'Login with Facebook' and sharing my
user's profile data with a third party service using server-side API requests?
A practice that I'm sure is rife.

The third party JS scripts simply cut out the middleman, but as a side effect
the sharing is detectable.

------
cortesi
I have a project that's relevant here - netograph.io captures low-level data
on website behaviour, then indexes the data in various ways for querying.
Right now, it ingests a sizeable fraction of links on social media live.
Here's my data for the api.behavioraldata.com domain, which is the first
tracker they mention:

https://netograph.io/datasets/social/domain/api.behavioralengine.com

It's interesting that Netograph has seen this exclusively on .pl domains, and
that it hasn't cropped up again in the last month. You can do similar digging
through the dataset for all the other trackers they list.

~~~
dstjean
Quite interesting!

It would be great if we could filter the lists (e.g. I just want to see HTML
and JS).

------
the_snooze
Are there any usable solutions for end-users besides wholesale blocking of
ad/analytics/tracker services? With all this, it seems pretty reasonable to
assume all third-party elements on the web are hostile.

~~~
watsocd
Never use the "Login with Facebook" or any other 3rd party login method.
Create a separate account on the site if you need to log in.

~~~
albemuth
There are a few sites I continue to log in to with Facebook; I just make sure
to use an incognito window and close it when I'm done.

~~~
wheelie_boy
Same here, I always use an incognito window for Facebook.

------
Ajedi32
How much of this is intentional on the part of the first-party site?

The article says:

> The following could indicate the first party’s awareness of the Facebook
> data access:

> 1) third-party initiates the Facebook login process instead of passively
> waiting for the login to happen; 2) third-party includes the unique App ID
> of the website it is embedded on. The seven scripts listed above neither
> initiate the login process, nor contain the app ID of the websites.

> Still, it is very hard to be certain about the exact relationship between
> the first parties and third parties.

But I can certainly imagine a situation where a site owner would inject a
third-party analytics script into their site and have no problem with it
including information from Facebook logins as part of the analytics data it
collects.

After all, as a site owner why wouldn't I want my analytics dashboard
(provided by a third-party) to include information like "percentage of
visitors between the age of 18-25"? That seems like a useful thing to know,
and the users who granted my site access to that info did so explicitly via a
Facebook permissions prompt, so what's the issue?

The issue, of course, being that my site's users' data is now being handled by
a third party. But I obviously had no problem with that when I decided to use
a third-party analytics company in the first place; why would that change now?

------
pizzaknife
Reading a sentence or 2 about the abstract concept of exposing yourself to
arguably unknown agents is hilariously so specific in terms of the breadth of
information you're agreeing to divulge... it's not appreciated? Maybe my
tinfoil hat truly fits perfectly but if you read the grant dialogue, it's
extremely clear insofar as "sign in with FB to take this super rad personality
quiz! and all we need is everything" really meant it? I'm jaded, I guess.

------
textmode
According to a recent article[1], once an advertiser/attacker has collected a
large quantity of email addresses, she can "import [them] as contacts" on
Facebook, thereby revealing which Facebook profiles they are associated with,
if any.

The article was written by a gentleman who wrote some early code for Facebook
to do this which was later the subject of a Microsoft patent.

Would it be fair to say that once a user submits an email address to a
website, that website can locate the user's Facebook profile, if one exists? No
"Facebook Login" required.

1. https://www.washingtonpost.com/opinions/your-facebook-data-is-still-vulnerable-i-know-because-i-made-it-that-way/2018/04/13/1cf5c794-3e7d-11e8-a7d1-e4efec6389f0_story.html

Also, the curious reader may find these interesting, regarding the ease with
which an attacker/website could learn a Facebook user's private friends list:

https://www.telegraph.co.uk/technology/2018/04/17/facebook-quietly-stopped-apps-harvesting-users-private-data/amp/

https://gizmodo.com/how-facebook-figures-out-everyone-youve-ever-met-1819822691

https://nakedsecurity.sophos.com/2013/06/23/facebook-issues-data-breach-notification-may-have-leaked-your-email-and-phone-number/

https://www.facebook.com/notes/facebook-security/important-message-from-facebooks-white-hat-program/10151437074840766

Finally, I have read that a major dating website has now removed Facebook
Login.

------
samkone
Duh ... hasn't this been going on for years now? Tealium, cited in the article,
uses this as one of their main sources of data collection.

~~~
lllr_finger
I consider Tealium doubly in the wrong here since the appeal to some orgs is
that their tag manager allows BizDev/AdOps types to include scripts on sites
without answering to product owners and developers.

------
EGreg
Here is the only real solution:

Have a browser which intercepts requests and encrypts all of them with your
public keys, which can only be used to decrypt stuff on the client side.

Websites would have to start indicating that they understand this new contract
and that their servers won’t understand ANYTHING.

It could be a new protocol like https but called something else such as
shttp:// or encrypted://

All apps would be client side and in Javascript. Yes, servers will be
relegated to dumb boxes like in SAFE network. The business model can no longer
be about capturing your data unless you share the data with another
participant in what is essentially your web based VPN.

Any encrypted:// site can only load other encrypted:// resources so it can’t
send any info to the server via postMessage etc.

There would be no cookies. Sessions would be kept on the client side, as they
should be. Using sessionStorage.

Business logic done on servers now would be pushed to the edges, or could be
further secured by validators that you allow into your VPNs and group
activities.

People would share keys to group activities.

I am talking about something that breaks the current Web. No more cookies. No
more AJAX the way you know it. Files are loaded from static bundles loaded
ahead of time, before the website can learn custom information about your user
agent.

~~~
ta457482468
When the net/web was first rolling out (or my first exposure to it), I recall
thinking, "This is it, universal communication, no more
politics/propaganda/dark-ages-of-information-is-over etc".

Then we got Google, Facebook and the cadre of TLA's and criminal orgs turning
it into a panopticon and a tool to manipulate people.

I think no matter what technology or tool we create, it'll be abused because
that's the society we've created - one that encourages and rewards this
behaviour when performed by a small group of very greedy, very misanthropic
people.

------
spullara
What is hilarious about all this is that Facebook sharing any of this data
with anyone is against their interests.

------
EGreg
Our Qbix Platform has a solution to this using the existing modern web:

[https://encrypted.google.com/patents/US20120110469](https://encrypted.google.com/patents/US20120110469)

We did not continue the patent application process to the end, so you’re free
to use it.

------
known
FB should comply with
https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard#Requirements

------
tylerhou
The title might make it sound like JavaScript trackers have collected data
which allow them to login to your Facebook account; maybe "'Login with
Facebook' data hijacked by JavaScript trackers"?

------
hackbinary
I have never trusted Facebook login. It just always seemed 'wrong' to me. It
always gave me a creepy feeling.

------
daveheq
I don't use Facebook to login with anything, so I guess I have nothing to
worry about.

------
geocar
ntvk1 is nativka http://nativka.ru, now http://natimatica.com/

------
IBM
I can't wait for PWAs to be the future of apps. /s

Apple should take the new Firefox Facebook extension and apply it by default
to Safari. But also do Google and every other major ad-tech company. Not sure
if this can be done without breaking the web though. Also not sure how
different Firefox's extension is from Safari's Intelligent Tracking
Prevention. It's possible they already do this.

~~~
nozzlegear
> I can't wait for PWAs to be the future of apps. /s

Genuine question, I don't do much mobile development: aren't native apps able
to collect just as much information as a web app/site? Except with a mobile
app you can't just open a Dev console and see what requests are being made?

Again not trying to troll, I just don't know if I'm missing something here.

~~~
cpeterso
The difference, as I understand it, is that third-party code would not be able
to snoop on user data in Facebook's native app. In this paper, the third-party
JS is able to get itself loaded on the same page as the Facebook user data.

~~~
K0nserv
No but if an app uses a Facebook login flow with the native Facebook SDK any
third party analytics that the app developer has integrated should be able to
do the same thing, at least in the case of Objective-C where powerful runtime
meta programming exists. I'm not sure about Android, but maybe Java
reflection could achieve it too?

