Friday, 20 April 2018

Login with Facebook Lets Third Parties Hijack Your Data

Using Login with Facebook to more easily access other Web sites can reveal your Facebook data to other companies that partner with those sites, a team of Princeton researchers has found. Released yesterday, their research also discovered that some hidden third-party trackers can use the login feature to deanonymize users' Facebook profiles for advertising purposes.

The study is just the latest development in the ongoing scrutiny of Facebook's data security and privacy practices, following whistleblower reports about social media-based misinformation and manipulation in the leadup to the 2016 U.S. presidential election.

According to the latest estimates, the data of more than 87 million Facebook users was improperly accessed by the political consultancy Cambridge Analytica, which worked for President Donald Trump's campaign. Meanwhile, another security research team reported yesterday that 48 million records scraped from multiple social media sites ended up being publicly accessible online after the company gathering the data misconfigured its storage on Amazon Web Services.

'Lack of Security Boundaries'

Many Facebook users take advantage of the social media giant's login capabilities to access other Web sites without having to create and remember separate usernames and passwords. However, Princeton researchers Steven Englehardt, Gunes Acar, and Arvind Narayanan reported yesterday that using Login with Facebook exposes users to two risks: third-party scripts embedded on those other Web sites can abuse the site's access to Facebook data, and third-party trackers can hijack the Facebook login to identify users for their own targeted advertising purposes.

"This unintended exposure of Facebook data to third parties is not due to a bug in Facebook's Login feature," Englehardt, Acar, and Narayanan wrote yesterday on the Freedom to Tinker blog hosted by Princeton's Center for Information Technology Policy. "Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today's web."

The researchers said Facebook and other social media platforms could prevent such abuse by auditing the use of APIs (application programming interfaces) that access users' login data, or by using app-scoped user IDs instead of global user IDs for logging in to other sites. "It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago," they added.

Englehardt, who is also a privacy engineer at Mozilla, published research with Acar and Narayanan last year showing how "session replay" scripts enable some third-party companies to record practically everything users do while visiting their Web sites.

Profitability of Data Requires Responsibility

Third-party access can also put the data of social media users at risk in other ways, as the software security firm UpGuard reported yesterday. That company's Cyber Risk Team found that an Amazon Web Services misconfiguration by the data search service LocalBlox exposed the data of millions of social media users online.

Scraped by LocalBlox from Facebook, LinkedIn, Twitter, and other sites, the 48 million records included names, physical addresses, dates of birth, Twitter handles, and more -- 1.2 terabytes in all. On Feb. 18, UpGuard researchers discovered that information was publicly accessible and downloadable via a misconfigured storage bucket on Amazon Web Services. UpGuard said it notified LocalBlox about the exposure on Feb. 28, and that the storage bucket was secured later that same day.

"With this kind of business interest in data harvesting, processing, and resale, it should be no wonder that so many massive and intrusive data sets exist in the world, providing companies and political parties with detailed blueprints on how to influence people," UpGuard noted. "What should be a wonder is that these datasets aren't better secured and administered. This exposure was not the result of a clever hack, or well-planned scheme, but of a simple misconfiguration of an enterprise asset -- an S3 storage bucket -- which left the data open to the entire Internet. The profitability gained by data must come with the responsibility of protecting its integrity and privacy."

Last week, Facebook deleted nearly 120 private discussion groups with a total of more than 300,000 members after security writer Brian Krebs reported finding numerous Facebook terms of service violations by those groups.

"The scam groups facilitated a broad spectrum of shady activities, including spamming, wire fraud, account takeovers, phony tax refunds, 419 scams, denial-of-service attack-for-hire services and botnet creation tools," Krebs wrote Monday. "Some had existed on Facebook for up to nine years; approximately ten percent of them had plied their trade on the social network for more than four years."

https://www.newsfactor.com
