Trading Security for Convenience: the Case Against Logging In with Facebook
Login with Facebook is used widely across the web and on many apps to allow users a convenient and password-free way to access content. Now, Princeton researchers have found vulnerabilities in that service and other social logins like it. Daniel Davies asks whether it’s safe to log in with Facebook.
If you’ve used services like Spotify, Strava and, no judgement here, Tinder, then you’re probably familiar with the ‘log in with Facebook’ feature, which is the social network’s universal login API. For the uninitiated, log in with Facebook allows users to take the profile information they originally shared with Facebook and use it to log into other sites and apps.
Convenience, easy access and fewer of those pesky passwords to worry about: there’s nothing to not like about log in with Facebook, except for the fact that, especially on lesser known websites, the feature may carry security risks. That’s the view put forward in a new research paper from Princeton University, anyway.
Researchers at Princeton found that 434 of the web’s top one million websites had third-party tracking scripts embedded into them, which could be used to get the data users give when they accept log in with Facebook, such as a user's name, email address, age, birthday and other information, depending on what info the original site requested to access.
“Facebook login and other social login systems simplify the account creation process for users by decreasing the number of passwords to remember,” wrote the Princeton researchers.
“But social login brings risks: Cambridge Analytica was found misusing user data collected by a Facebook quiz app which used the log in with Facebook feature. We’ve uncovered an additional risk: when a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site.”
Don’t blame Facebook for lurking third-party trackers
What happened in this case was Facebook’s social login was running on pages that also had other scripts running. These scripts looked for the social login and took that information when it was made available. In Princeton’s study the problem was demonstrated in Facebook’s API in particular, but it’s a security risk posed by social logins generally.
“With social logins being able to bring back information about the users, bringing back a user’s name, email address and other attributes into a page makes that information available to anything else that's running within the page or within the browser. The threat is a user may be visiting a site that they trust, but that site may use multiple third-party trackers as well as the social login,” says Rusty Carter, vice president of product management at cybersecurity firm Arxan Technologies.
While this vulnerability comes at a bad time for Facebook, which currently has its hands full with the Cambridge Analytica scandal, on this occasion the researchers didn’t blame the social network directly. Instead of putting the issue down to a bug in Facebook’s API, the researchers said the problem is a consequence of a lack of security boundaries between the first-party and third-party scripts in today’s web.
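To make the missing boundary concrete, here is an added example (not code from the Princeton study or from any company named in this article) of how a site owner could inventory which third-party scripts share a page with a social login SDK. The `LOGIN_SDK_HOSTS` list, the function names and the sample page are assumptions constructed for illustration.

```javascript
// Added example: site-owner audit of which scripts share a page with a social login SDK.
// Assumptions: LOGIN_SDK_HOSTS and the sample page below are constructed for illustration.
const LOGIN_SDK_HOSTS = new Set(['connect.facebook.net']); // host serving Facebook's JS SDK

// Extract the src of every external <script> tag (inline scripts carry no src and are skipped).
function scriptSources(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Treat a host as first-party when it equals the site's domain or is a subdomain of it.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith('.' + siteDomain);
}

function auditPage(html, pageUrl, siteDomain) {
  const report = { firstParty: [], loginSdk: [], thirdParty: [], exposed: false };
  for (const src of scriptSources(html)) {
    // Resolve relative and protocol-relative URLs against the page's own URL.
    const host = new URL(src, pageUrl).hostname.toLowerCase();
    if (isFirstParty(host, siteDomain)) report.firstParty.push(host);
    else if (LOGIN_SDK_HOSTS.has(host)) report.loginSdk.push(host);
    else report.thirdParty.push(host);
  }
  // Scripts included with <script src> all execute in the embedding page's context,
  // so a third-party script beside the login SDK can read whatever the SDK returns.
  report.exposed = report.loginSdk.length > 0 && report.thirdParty.length > 0;
  return report;
}

// Constructed sample page (hostnames under .example are placeholders).
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script async src="https://connect.facebook.net/en_US/sdk.js"></script>
<script src='//cdn.tracker.example/t.js'></script>
<script>console.log("inline")</script>
</head></html>`;

const sampleReport = auditPage(SAMPLE_HTML, 'https://shop.example/login', 'shop.example');
console.log(sampleReport);
```

This only sees script tags present in the static HTML; scripts injected at runtime, for example by a tag manager, need a check in a real browser session.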
Facebook didn’t get off scot-free in the study, however, as the researchers did point out that there are steps Facebook could have taken to prevent abuse. “API use can be audited to review how, where and which parties are accessing social login data,” write the researchers. “Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs.”
Alongside those proposals, the researchers also claim that Facebook should reconsider implementing ‘anonymous log in with Facebook’, a feature the social network announced in 2014 but never put in place. That feature would have allowed users to sign into apps without sharing personal information, but Carter isn’t convinced even a solution like that would have solved the problem completely.
“The perception of anonymous is in many cases not true,” says Carter. “I can leave cookies on your browser, I can identify you via IP address, I can connect you from the people that you're friends with; the concept of anonymous in that case is suspect.”
Facebook says it is investigating the issue, and while that investigation is ongoing it will be suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages. “Scraping Facebook user data is in direct violation of our policies,” said a Facebook spokesperson in a statement to Verdict Encrypt. “[We] are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.”
The third parties fight back
In the end, the Princeton researchers identified seven scripts that were capable of pulling information from Facebook’s login API.
The researchers claim that these companies – OnAudience, Lytics, Augur, ProPS, Tealium, Forter and one company they were unable to identify – were collecting data that ranged from users’ IDs to their email addresses and gender. However, the researchers clarified that the company accused of collecting data on gender – OnAudience – stopped collecting this information after the Princeton researchers released the results of a previous study, which showed them abusing browser autofill to collect user email addresses.
While the researchers couldn’t say how these companies used the information they were allegedly collecting, the insinuation is that because many of the companies “offer some form of ‘customer data platform’” the data could be used “to help publishers to better monetise their users”.
This is a claim denied by the companies we spoke to and heard from. A spokesperson for Tealium told us that it does not use Facebook data in the manner described by the researchers and is currently seeking legal advice.
“Tealium's software is used by companies to manage their own user data, and Tealium itself does not use that data for any purpose and does not buy, share or sell that data. Tealium is a strong advocate of customer data privacy, strong data governance, and transparency,” said a Tealium spokesperson via email.
In an interview with Wired, James McDermott, CEO of Lytics, said that companies like his create software and tracking tools that websites can use to find out information about their customers, but this didn’t extend to sucking information out of Facebook’s API. "In no case have we seen that deployment," McDermott said to Wired.
Moving from free to paid for protection
The simple answer to not getting caught up in the controversy and leaking personal information to third parties would be to avoid using social logins like log in with Facebook.
Anyone who has tried to extricate themselves from the service will know it’s no easy task, but, as Carter points out, when you use a free, social login you are really trading security for convenience.
Instead of maintaining this paradigm, Carter advocates for moving away from the free model, and suggests users use tools like password managers to keep track of their various logins because ultimately the free services are there to profit from users’ data.
“Those services are provided as a convenience to you so those businesses can make money off of knowing where you're logging into,” says Carter. “There's a choice that consumers make, they certainly carry some responsibility for protecting their own information. The choice between using a social login because it's convenient and free, or perceivably free, or paying a small amount for a password manager, that's a very simple way of both having a more secure login and also protecting your information more effectively. There is no free lunch, as the saying goes.”