Hacker News new | past | comments | ask | show | jobs | submit login
If you care about user privacy, don’t use Facebook JavaScript SDK (simplelogin.io)
240 points by emmaglossy on Nov 25, 2019 | hide | past | favorite | 100 comments

I thought this was more commonly known... In terms of understanding browser history, The Facebook like button and Google's ad pixels and Chrome web browser are perhaps the biggest offenders. I'd argue that they were specifically created for the express purpose of collecting more user information - for better ad targeting and whatever else

Original article from Dev.to: https://dev.to/simplelogin/if-you-care-about-user-privacy-do...

I've recently implemented authentication for my project and I would just like to say to all the relatively amateur programmers out there: for web based authentication just stick with HTTPOnly SECURE cookies with DB backed sessions that you can revoke.

The reason I'm saying this is that there's way too many posts talking about JWT (which isn't suitable for newbies), Oauth (which is more useful if you have separate authentication and resource servers) and other token based mechanisms which are what cookies are except more suitable for non web based clients.

I don't think that storing creds is suitable for newbies either. All authentication is complex and just using HTTPOnly and DB backend is not a solution at all.

I'm generally allergic to "let the Big 5 run your services", but I have to admit that "sign in with Google" looks like a major improvement on "hand PII to whoever tried to home-roll auth".

With a password manager and careful shepherding of your PII, maybe there's not much risk; if someone takes over the site your account is compromised either way, and nothing else is lost. But most people don't actually use password managers, and lots of sites that accept Google sign-in require lots more data to actually create an account on the site. (Plus, losing password stores is not necessarily the same as losing all control.) Newbies storing creds is a perennial source of leaked credentials that get used to attack more important sites.

Depends on what the project is and also doesn't change the fact that this doesn't happen.

Most solo bootstrapped projects are not popular enough initially for someone to spend money / effort to hack them. When they do become somewhat popular though (very small minority of course), I suspect most founders bring experts on board, as they absolutely should.

> just using HTTPOnly and DB backend is not a solution at all

My comment was not meant to be exhaustive and does not list all vulnerabilities. Just in context of some of the suggestions in the article. Using a mature framework like Django can protect you from other vulnerabilities CSRF, XSS, SQL Injection to some extent.

>most founders bring experts on-board

You have way too much faith my friend. How does bringing an authentication and security expert into your organization make you more money? It doesn't. What people like this tell you change is all cost and only hypothetical benifit. I suspect this doesnt happen anywhere near as much as it should.

You don’t bring “experts” on board. Most of them really aren’t. At most, you find a third party trusted managed service.

I work in mostly the B2B space where we integrate with their Identity Providers (active directory, Okta, etc) and strongly discourage them from using our internal authentication system so they have to take responsibility for their own security.

If I were working in the consumer space, I would personally use AWS’s Cognito since that’s what I’m familiar with and it integrates with everything - Google, Facebook, Twitter, Apple, Amazon etc.

I’m sure there are other services that serve similar functions.

Hey, I meant to reply on your other comment asking for third party trusted services.

Thanks for listing some, will look into them!

Auth0 is another.

>Most solo bootstrapped projects are not popular enough initially for someone to spend money / effort to hack them.

Strong contender for Most Horrifying Thing I've Read This Morning.

It's good practice to consider the likelihood of attack in your threat model if you care about the expected payoff associated with your security efforts.

When that threat model necessarily includes bored script kiddies and automated APTs?

Exactly. Like if user privacy does not matter but just cold cash. Thanks to statements like this there is GDPR.

A relatively simple solution is temporary sign in tokens via email. Encrypt and timestamp in the database and pick a TTL (the shorter the more secure, the longer the more convenient). Then just email a login link with the email and token as params. Perform auth lookup on email, then secure compare the tokens (in constant time to avoid timing attacks).

You now have an auth system that avoids horrible passwords (no passwords).

The downsides are: 1) Cost to send emails for login, 2) People complaining about it being weird.

Worth it in many cases.

I think even when integrating a social login, a developer still needs to create a secure cookie and has "user" table in his/her database. Using social login is rather a convenient option for users as they don't have to create a new account.

Sure, but the stored credential is not reusable in another context. Which is not true for the majority of passwords. As a bonus, the authorization is probably also revocable via the external identity provider, although that's more about service-to-service permissions than account compromise.

This is a bad piece of advice. Two things I don’t ever want to take responsibility for when starting a project are user authentication and payment processing. I think I know best practices for each, but so does everyone who has gotten hacked.

I don't disagree with you, but the state of affairs is basically a protection racket. If you sell out your users to Facebook, they'll keep you safe from all the other attackers.

Most frameworks come with their own authentication module. I still wouldn’t write my own.

I get the motivation of what you're saying - but I'm going more towards splitting the back end from knowing too much. Do authentication in a proxy layer (can deploy as a sidecar if suitably containerized) and then have a bearer token between the proxy and the app server. Yes it's a lot of "architecture" for a newby but it generalizes well to the byzantine Oauth cases without requiring too mach app rewrtiting and this kind of service split is pretty do-able given a Paas.

Do you think that registration can include solutions like Github? I am not sure how to handle after. Login with the 3rd party would trigger a http only secure cookie creation and insertion into the db? I want to avoid JWT and co. especially after watching so many videos about the downsides and the potential security implications.

Yes, I'm in favour of using Secure Cookies for authentication.

But, the TDD (Trend Driven Development) people won't agree with them. They want to work with those shiny trends for a shiny resume. JWT is horrible for the web, it need JavaScript, some needs Local Storage, which is worse than Cookies itself, and the revocation is complex.

> If you care about user privacy, don’t use Facebook.

Fixed that for you...

I was going to say the same thing, only in the form of "Duh". Also in the news today, the sky is blue, grass is green, and fire is hot. How in 2019 would any developer believe that any social platform cares about privacy is beyond me. If a social platform is offering anything (the platform itself, SDKs, APIs, etc) for free, then they are going to make money from you some other way. What ever they are offering cost them money to develop, but they did not do that as a charity. This maybe a bit preaching to the choir, but that's how you get the choir to sing. Plus, maybe someone new reads this.

Indeed obvious to some but necessary to hammer until everyone gets it — especially the business types who make decisions, as new devs themselves would quickly grow to learn this.

> What ever they are offering cost them money to develop, but they did not do that as a charity.

True! Yet... I keep thinking about `http` (the protocol), or Apache, IRC, and countless other software techs that were just 'given' to (and are maintained by) the world, courtesy of their makers, and/or bodies like IETF work groups, etc.

Case in point: "social" is basic at an elementary level (it's just CRUD, over-the-network), but at scale becomes insanely costly. The limitation/exclusivity factor thus doesn't seem to be software magic but rather infrastructure, piles of money, before sustainability or profitability come into play. This is what the monopolies stem from, only compounded by some Meltcafe/"network" effect (friction to switch, passive positive peer pressure inwards, passive negative outwards).

So in thinking of an alternative future path for social tools (SDK) and meta-tools (platforms, interop, work groups, etc), I think it's worth considering the infrastructure problem first. My money is on distributed and (partially but 'enough') decentralized systems (think bittorrent, tor, even DNS fundamentally), but regardless it belongs to the wider category of mutualization of resources (cloud vs on-prems debate, E2E crypt, etc). The solution must be preferable in terms of cost otherwise it's just not gonna happen.

> True! Yet... I keep thinking about `http` (the protocol), or Apache, IRC, and countless other software techs that were just 'given' to (and are maintained by) the world, courtesy of their makers, and/or bodies like IETF work groups, etc.

The difference here is that the social platforms have been developed as a for profit company. Granted, FB has improved some of their underlying technologies, and released them back to the public in the way open source is meant. I do give them credit for that. However, the SDKs and APIs etc are direct work made by the platform. These tools are made specifically for interacting with that platform. They have every right to monetize that work. While some of us (at least I do) believe their method of making that money is super shady/unethical/etc, it is their business model. Other companies like Apache, Redhat, etc also offer us free things to use/play with while monetizing their enterprise/support services. A much more ethical method in my opinion.

You're totally right. I agree, and wasn't disputing these facts indeed. Just thinking out loud I guess...

> Other companies like Apache, Redhat, etc also offer us free things to use/play with while monetizing their enterprise/support services. A much more ethical method in my opinion.

Totally, this general business model can get as close as it gets to sustainable open-source. It seems hard to pull off though, lots of dead startups and projects out there, despite a few resounding successes.

Every internet company ever since 2010.

2010s: "We take your security very seriously."

2020s: "We value your privacy."

Except for the shadow profiles that they make of the 'non-users.'

Whether you like it or not, Facebook et al are tracking you regardless if you have an account.

This is why Firefox' container for FB is a good idea.

Zuck even got asked about shadow profiles in his senate/congress hearing and he meekly weaseled out of answering by saying "I'll get my team to get back to you on that.". Translation: "I know the answer but telling you will destroy what's left of my reputation, and if I lie to you I risk perjuring myself and jail time.".

He also rattled something along the lines of "there's this thing called cookies", and the peanut gallery on Twitter misunderstood that deflection as him explaining to old senators what cookies are...

The last two words of the title seem rather superfluous.

Sometimes you don't really have a choice if all your friends and family use Facebook...

No. Really. You do have a choice. Exercising unpopular choices frequently requires a spine.

Individually, you have a choice. But not using e.g. WhatsApp needs to be a collective decision or it won't work because everybody else is still stuck in there.

There is no such thing as a "collective decision". There is only the decision of each person. Any movement to quit these sickness-inducing manipulators has to start somewhere otherwise you end up like those Buddhists who won't enter Nirvana until all other creatures are also ready to enter Nirvana, so they all end up hanging about outside the gates (as it were...), forever waiting.

The decision to be the first,... to lead,... to tread without trepidation where others fear to go,... that's what I called growing a spine. "Won't work because everybody else is still stuck in there" is simply an expression of that fear.

Let's say you run your own mail server. How much privacy do you really gain if 99% of the mail that comes in and goes out passes through Google servers? It doesn't matter what you do by yourself. You just can't expect everybody to run their own mail server. I run my own mail server, and while I'm happy to be self-reliant, it's hardly a win for my privacy (also, mail server administration is a pita).

Same goes for every other communication tech. Just because your endpoint is not spied upon, if every other endpoint is spied upon you gain nothing. If you don't use WhatsApp, but all your friends use WhatsApp to talk about you then you gained nothing.

If you really believe there is no such thing as collective decision-making then imho you already gave up in the fight for privacy.

But even if we boycot Google and Facebook, they are not the main problem. Their business model is the main problem. Spying on your users, training predictive models, and using those models to exploit people is simply too profitable, and therefore too attractive for any profit-seeking company to ignore.

Until we solve that problem by deciding as a society that these business models are not ok, this 1984-like world we currently live in will be our reality.

You're acting like we can't use multiple systems, or that people care if they can interact with us...

I know some of this is regional, but despite the myriad chat services, I quit them all and have been doing just fine with email and SMS. Can't use phone numbers since it's all spam all the time, tho.

On the other hand, you could be the first among your family/friends to not use FB's products, and slowly others will follow.

I explicitly told everybody that I turned off messenger notifications on every device and uninstalled facebook from my devices years ago. If they want to reach me they can use Signal, Telegram or Keybase. Interestingly enough even my mother (in her 70s, no idea about computers) can use Telegram without a hickup. I guess it is a matter of dedication to push your peers off from Facebook.

> If they want to reach me they can use Signal, Telegram or Keybase.

Maybe even... gasp SMS. Or "telephone".

SMS can be intercepted and read by essentially every country in the world and many criminal groups because of how flawed the protocol is. While smaller countries can't do mass ingress and automated analysis, they can still input your number into a system and then see what you text.


Sure but there are places like Berlin in Germany where network coverage is absolutely broken. Wifi works though. This is why the preference over SMS/GSM call.

WhatsApp is almost certainly safer and more privacy respecting than Telegram.

Telegram uses highly nonstandard cryptography (the founder hired a bunch of math competition winners and told them to design encryption from first principles), doesn't have E2E by default (unlike Whatsapp), and is owned by a quite sketchy Russian oligarch who started spending on democracy-related causes after a falling out with Putin.

Telegram uses dubious encryption and lies about their business (for ex calling themselves a nonprofit when they aren't), and they retroactively retracted and then narrowed their bug bounty program.

WhatsApp hired the company behind Signal to help them implement Signal's encryption protocol.[1] While it's not as good as Signal because it's not open source and thus can't be independently verified, if Facebook deliberately lied about the security of a product used by governments around the world they would face serious consequences.[2]

See for example previous discussion [3].

For a detailed analysis of the flaws in their protocol, see [4]

1: https://techcrunch.com/2014/11/18/end-to-end-for-everyone/

2: https://www.nytimes.com/2019/10/26/world/asia/afghanistan-wh...

3: https://news.ycombinator.com/item?id=15281788

4: https://www.cryptofails.com/post/70546720222/telegrams-crypt...

WhatsApp calls and messages were used by Facebook. The point is that even Telegram does the same they have much less data about me that they can use. It is a good enough replacement of SMS and GSM calls even with broken crypto. For sensitive communication I would definitely use Signal or Keybase instead. Those are the tools that we use for work related things like software development. Keybase is actually pretty amazing. I think even the crypto backing it is solid.


> WhatsApp calls and messages were used by Facebook.

If that's true that would be extremely serious, given that Whatsapp promises end-to-end encryption

> WhatsApp end-to-end encryption ensures only you and the person you're communicating with can read what's sent, and nobody in between, not even WhatsApp. Your messages are secured with locks, and only the recipient and you have the special keys needed to unlock and read your messages. For added protection, every message you send has an unique lock and key. All of this happens automatically: No need to turn on settings or set up special secret chats to secure your messages.

> Important: End-to-end encryption is always activated. There's no way to turn off end-to-end encryption.


Source please?

That's a serious issue I wasn't aware of. Do note however that for this attack to work you have to not notice a user you don't know added to your group chat. Nevertheless, this is much more serious than I knew.

> WhatsApp is almost certainly safer and more privacy respecting than Telegram.

I doubt this because WhatsApp is Facebook.

FB is bad, but Telegram has managed to be even worse, which is quite the accomplishment. Their crypto is fundamentally unsound, and their business practices dubious and unethical. See the links I posted.

You might be right -- I don't use either of them, so my interest in precisely who's worse is limited. Your argument leads me to think that they both should be avoided. In any case, regardless of whether or not Telegram is OK, nobody should be using Facebook products.

Isn't that choosing to be part of the problem then?

Why would any developer or engineer who has even an iota of consideration for privacy, web standards, and, indeed, humanity want to work for such a repugnant company as Facebook?

Repugnant is entirely your opinion and there are lots of people who disagree with you. It might be an amazing opportunity for some.

I think willingly abusing user privacy for profit and lying to your government makes using the word “repugnant” pretty quantifiable.

How are they abusing privacy? Because it doesn't align with your views of privacy that constitutes abuse? You may have an expectation of privacy and we can argue whether or not that is valid. (not really IMO, facebook doesn't owe you anything for using their service. What a private company does with their service is really not abuse)

Lying to the govt. is pretty vague. What lie in particular are you referring to?

I think the original statement included this detail:

> engineer who has even an iota of consideration for privacy

I think it isn't hard to say current practices in tech willfully deceive users about the usage and the value of their data because that would be orthogonal to their business interest.

I think framing it like that is vastly more honest. Not down-playing expectations of privacy.

OK, but by this definition of "willful deception" all social media companies and related engineering jobs can be lumped into a "repugnant" category?

I think that is reductive of engineers opinions for one, and over-stating the behavior of these companies. How are people being deceived? Are they being lied to in the privacy agreements? That would be obviously deceptive and I can agree they should be transparent, but it's very public that data is part of the revenue generation for these places nowadays.

I think if people just expect to have a free service and give nothing up in return that isnt really a reasonable expectation anymore, so I don't find it deceptive or repugnant. Maybe there is an alternative where social media platforms don't rely on personal data and advertisements and I'd be all for that, but it doesn't exist now.

> facebook doesn't owe you anything for using their service

I do not use their service, and yet they stalk me around the web, with countless tracking pixels and like buttons, assembling my shadow profile. Yes, they are abusing privacy as much as real-world stalkers are.

So the websites you visit use their service then?

Justified opinion argued for with evidence. Like your unjustified opinion isn't. You can remedy that if you want to make your case properly though. Please do.

Because a lot of people aren't privileged enough to be able to quit their job on the spot.

I would argue that at least engineers working at Facebook likely have the monetary means to change jobs.

OP never said anything about quitting on the spot. The question was why would one go to work for such a company knowing, as one must these days, how vile that company is. Another facet to the question is why wouldn’t one look for and take another job after they realize how disgusting a company like Facebook is?

Probably makes them more money I gues.

I wouldn't personally – I'm about as anti-Facebook as it gets, but a lot of people (especially people not coming from a "tech" background) don't really appreciate the kind of shit Facebook pulls.

Pretty sure working for facebook is proof or that you are in the upper 1% worldwide.

Except for all those moderation jobs, and everyday office jobs, oh wait are they just people too and not "1%ers" ???

Yeah they aren't facebrick employees - according to facebrick. To really screw people working for you hire a contracting service to be the pointy end and do the thrusting for you. Every single thing about facebrick is absolutely vile. Nobody has yet considered all the dimensions in which they are repugnant. The more you find out the more sick you feel.

Not a FBer myself, but I do know that people do worse things for less pay.

Features, userbase, talent; the same reasons a developer or engineer would work with any company.

Let's play a game; how many degrees separated from Facebook is HN and YC? You go first, take a guess!

I can't be certain how many degrees separated the two are, but I have established a lower bound on the answer

Let d:(x,y)->n be the degrees of separation between x and y. Since d(x,y)=0 implies x=y, and we know that FB and HN are not identical, we have d(FB,HN)>0.

Then, since d takes integral values we know that d(FB,HN)>=1 in any case.

"They are not the same company" is, while true, not a guess. Come on, take a real guess! When was the last time Zuck spoke at YC? When was the last time YC worked with Facebook? How many of the folks at YC either come directly from Facebook or have invested in Facebook at one time?

Your hands aren't clean here, if you actually cared about avoiding Facebook at all costs, you wouldn't be here. The fact is, you don't (nor should you).

That brings up the question : does Facebook get any less information because you used a 3rd party OAuth library to authenticate from FB, instead of using FB's own SDK which injects an iframe?

The point of the article was that Facebook gets information on not only those who are using Facebook to login, but those who aren't, because the "Login with Facebook" button is an iframe when using the SDK.

OAuth does not have this issue.

If you choose to login with Facebook, it is implicit that Facebook receives information.

Less information? maybe! but still they will know what website/app you logged in to.

Article author and SimpleLogin creator here. Surprised and happy that my small rant at Facebook got so much attention from HN!

I wanted to give a bit of context on this article, the story is a bit long though and there was no TLDR.

Here it goes: I wanted to protect my online privacy and having worked in advertising before, I know that user email, in addition to the cookie, is usually the common denominator to cross-reference user data. I tried, therefore, to generate a random email whenever I signed up on a new website via temporary email services like temp-mail but there are 3 issues: a. I can't remember which email I used. This problem is alleviated with password manager though. b. No way to reset password later as the email is already expired. This is also not fair if the website happens to be a good (aka not spammy) one and just want to contact me. c. The flow is unbearable: I need to go to temp-mail, generate a random email, go back to the website, check temp-mail for the activation email, etc.

I dreamt to have a universal login button, like the "Login with Facebook/Google" one but without all the tracking and that can generate a random email at runtime. So SimpleLogin was born.

When creating SimpleLogin SDK, I tried to reverse-engineer popular SDKs like Facebook and Google to learn from them and discovered their not-very-ethical approaches. I haven't found any article talking about these practices so I decided to write one up.


I want to be as transparent as possible about the technology I'm using so if anyone has any questions, please feel free!

Tangentially related: is there any reason to be suspicious of/careful with react/redux? We've been using it internally for front end stuff, would be nice to know if there's any weird default tracking going on, however unlikely...

I don't think so. If you serve the library yourself (don't use an external CDN to load it) there shouldn't be any connections to 3rd parties, at least I've never seen one in the 'network' tab of my browser's dev tools.

Also, I want to believe that, being open source, people would already discovered something fishy.

There's no issue with using those. Facebook tracking end-users via libraries would be extremely detrimental.

The moral of the story is that any time your page requests resources or javascript from a third-party source, you are handing over some information about your users to that third-party.

Did you get your user's consent to do that? Probably not.

I've always tried to get rid of it in the native apps I built in favor of the web based login. It's absurdly big in terms of added download size for a login screen and usually used once. Even with the native SDK it's still a jarring experience in most apps and if you pre-cache the screen it's about as instant as the native implementation. And you app starts don't get tracked every time.

Heise offers a privacy friendly alternative (German) called socialshareprivacy :


Never used it. As much as i don't like user account as a concept, and don't like implementing it either, implementation of any Oauth, Facebook login or any other is just nightmare. No users no problem i guess :)

Alternatively, only use SDK in login page, and keep the login page separate, or use a click even to load it. And after login is done, you no longer need to load the SDK ever again.

If you care about user privacy, don’t use <any> Facebook SDK.

Who cares what I care about, the real question is what do my users care about.

It all depends on what users will tolerate in the name of convenience.

As pointed out in the article, not using the SDK does not preclude authenticating with a Facebook account. It just requires a bit more work on your end to protect your non-Facebook users.

So it does come down to what you care about.

"Don't use" and "only use for people who actively opt-in" are two separate things, so no it doesn't come down to what you care about.

I'm saying give people choice, let them figure out what they care about. Making the choice for them is bad business and bad ethics. You don't know better than your users.

Non-Facebook users are unable to opt out of Facebook tracking if you use the Facebook sdk. That’s the point of using the oauth standard, it allows those users a choice not available with the sdk.

You can choose to load the SDK or not, e.g. only when the "Log In With Facebook" button is pushed.

A little bit of research indicates that this is still a non-trivial amount of work from the developer; that the developer has to make the choice to protect the privacy of their non-Facebook users by dynamically loading the Facebook SDK.

If you think deferring ethics to the customer clears your conscience, you need some self examination.


The problem is practical; do your users want the features or do they care about privacy? Let them make the choice, and don't hide it from them. That's the ethical behavior.

It's unethical to assume everyone values everything the same, including privacy. Some people don't care about it as much as you do, nor should they.

Okay, should I assume you dont value yours? Privacy is a human right. There is no ethical argument for depriving humans of their rights.

If you want to argue that privacy is not a right, we can start there.

There's no ethical argument for depriving someone of food but people fast all the time. Further, the war crimes my gym trainer is guilty of know no bounds!

You can give up your "human rights" for convenience/pleasure as long as you can reassert them down the line.

Fasting and training are both conscious deliberate choices - how will you frame the loss of privacy in such a manner that it can be agreed to with the same degree of intention? Most people have no idea and don't understand - if you wanna go with the "opt in" solution, you're going to have to make a compelling argument that the people making the decisions are educated enough to make them.

The same way a trainer or doctor frames the health risks involved; you explain it and hope people are listening.

Signing in via Facebook is also a deliberate choice.

Given a hospital patient who doesn’t value taking care of their health, should it be ok to administer X-rays without concern for radiation exposure? If the patient doesn’t care, is it ok then?

Given a person who doesn't like their nose, should it be okay to provide cosmetic surgery to that person, despite the risks any surgery comes with? If the patient doesn't care, is it ok then?

Given a person who wants to jump out of a plane, should it be okay to let them, even though it's a relatively high-risk activity? If the jumper doesn't care, is it ok then?

Given a person who wants to run for national public office, should it be okay for them to release their prior year tax returns, even though it's an exposure of their privacy? If the candidate doesn't care, is it ok then?

Turns out, this isn't an easy game to play, so stop trying to decide for others what they want for themselves. You don't know their situation.

They’ll tolerate a lot if you’re providing enough value. They’ll even tolerate giving you their money if that value is high enough so why wouldn’t they tolerate having to not use a social login?

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact