Facebook's login-to-other-sites service lets scum slurp your stuff

It's possible for miscreants to secretly extract people's personal information via Facebook's Login service – the tool that lets you sign into websites using just a Facebook ID. Readers will be familiar with Steven Englehardt, a Mozilla privacy engineer who pursues privacy research for his PhD at Princeton, whose work on …

  1. Anonymous Coward

    How Facebook Executive Scum help Scum outside FB

    How Facebook Helps Shady Advertisers Pollute the Internet:

    https://www.bloomberg.com/news/features/2018-03-27/ad-scammers-need-suckers-and-facebook-helps-find-them

    1. Anonymous Coward

      Re: How Facebook Executive Scum help Scum outside FB

      It's a depressing read, that Bloomberg article and, as a Pole, I'm pretty embarrassed that such shitheads make the news :/

    2. Anonymous Coward

      The article bottom line: "It just sucks money out of the poorest people."

      That's what they aim for. That's an industry that doesn't create real value, just destroys it.

      It's strange how people loathe companies like Microsoft or Oracle - which in many ways deserve it, but at least, actually created real products for real needs - while they're still in awe towards companies like Facebook which are built from the ground up to take advantage of them exploiting their weaknesses, in exchange for some candies.

  2. fidodogbreath

    And is anyone here surprised by this?

    Anyone at all?

    [crickets]

    1. Hans 1

      Re: And is anyone here surprised by this?

      Yes, mongodb.com? Where is the Facebook login thingy on that?

    2. Keith Langmead

      Re: And is anyone here surprised by this?

      Not in the slightest, though it's nice to see my constant avoidance of the "login with your Facebook/Gmail" option for all these years has now been justified. Yeah, no thanks, I'd rather have a separate and unique login for each individual website!

      1. VinceH

        Re: And is anyone here surprised by this?

        Facebook: The site that keeps on giving...

        your information away.

      2. Vector
        Facepalm

        Re: And is anyone here surprised by this?

        "Not in the slightest, though it's nice to see my constant avoidance of the "login with your Facebook/Gmail" option for all these years has now been justified. Yeah, no thanks, I'd rather have a separate and unique login for each individual website!"

        Yeah. You know that thing where they say don't use the same username and password for multiple sites...

  3. Anonymous Coward

    The only Facebook news worth reading anymore is what Facebook tell their 'real' Users:

    https://www.facebook.com/business/a/performance-marketing-strategies

    https://www.jandlmarketing.com/blog/how-facebooks-latest-announcement-will-impact-your-ad-targeting/

    1. JohnFen

      Re: The only Facebook news worth reading anymore is what Facebook tell their 'real' Users:

      I've been reading the various internet advertising industry websites just to see their reaction to the greater awakening that people are having to Facebook (and, by extension, all other internet advertising companies).

      The level of contempt the industry shows for the people they're advertising to is truly astounding. It rivals even the level of contempt that you regularly see from Silicon Valley. But then, I'm increasingly suspecting that there's little actual difference between those two groups.

  4. Anonymous Coward

    Jeez

    Is there anything Facebook does that doesn't take the worst privacy-invading option?

    The Login facility only needed to pass some form of unique ID (generated on the fly) by Facebook in order to achieve what the users think they're getting. Do any of them realise that Facebook has gone beyond this and given up their profile details (ie who they are)?

    The first example (details accessed from a local database) is dodgy but, I suppose, not illegal. The second example, where the iframe is used to make another call on Facebook, looks suspiciously like an unauthorised access.

    Scum, the lot of them - and that includes any site that goes beyond mere authentication and grabs profile data.

    1. Anonymous Coward Silver badge
      Unhappy

      Re: Jeez

      The problem is that people expect to be able to login using their FB profile and then the service know their name, possibly DoB and other details.

      That's part of the whole SSO mentality - it's their 'profile' across all of the services they use, not just an authentication thing.

      It's also the reason that I go to the effort of creating an account on each service and not using some third-party authenticator.

      1. JohnFen

        Re: Jeez

        "That's part of the whole SSO mentality - it's their 'profile' across all of the services they use, not just an authentication thing."

        This.

        SSO is, mathematically, a decent idea. However, it was coopted very early on and turned into something that decreases security rather than increases it.

    2. Doctor Syntax Silver badge

      Re: Jeez

      "Is there anything Facebook does that doesn't take the worst privacy-invading option?"

      Good question. Facebook wants to know the answer so they can fix it.

  5. Anonymous Coward

    Hmm, one of them has a banner...

    That says: "Lets build a better, neutral, and free Internet together"

    https://urlscan.io/result/8d4663cf-9f09-4ff4-b17d-bc086644ee77/content/

  6. werdsmith Silver badge

    Facebook are also holding ransoms on information now.

    If you have a limited company, for any reason such as being a contractor, Facebook will slurp it off Companies House and put up a holding page for you complete with map and directions to its location. They will also put the business on the crowdsourced verify list, bringing it to the attention of loads of faecebook users.

    If you want them to take it down you will have to "verify yourself" by sending them copies of official documents.

    So they will hold an unauthorised page whilst demanding more slurp data as a ransom.

    Heinous organisation, and we have all those bottom-feeders who sustain it to thank.

    1. Hans Neeson-Bumpsadese Silver badge

      Facebook are not alone in doing this. When I do a search on Google for the name of my company, I get a plethora of websites with an info page based on data scraped from Companies House.

      1. Prst. V.Jeltz Silver badge

        Well I guess that is public information, you shouldn't get too upset if some of the public know the info.

        Nor should you get too upset if some of the public are trying to sell that free public info to people.

      2. Doctor Syntax Silver badge

        "When I do a search on Google for the name of my company, I get a plethora of websites with an info page based on data scraped from Companies House."

        Much the same here for a company closed 10 years ago. And for take down in some cases their required information is more than required, e.g. email address and telephone number. Could be fun coming up in a month or so.

  7. Franco

    Hey, at least Facebook aren't trying to get everyone to agree to facial scanning as well.

    Oh, wait.....

  8. anonymous boring coward Silver badge

    What Englehardt discovered is simple: “when a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site.”

    OMFG!

    At least I never trusted FB from the very beginning.

  9. anonymous boring coward Silver badge

    The road to hell is paved with questionable intentions..

    1. Doctor Syntax Silver badge

      "The road to hell is paved with questionable intentions"

      And in FB's case, questionnaire intentions.

  10. imanidiot Silver badge

    This

    This is exactly why I don't use "social" media sign-on. Anybody with half a brain could/should have seen this one coming imho.

  11. Anonymous South African Coward Bronze badge

    By implication this also extends to Google and others... or am I wrong?

    1. 100113.1537

      Yes...

      And that is why the current all jump on Facebook campaign is so ridiculous. Google, Apple, Yahoo etc (I am sure there are more) all do this. It is the quid that they get for the quo of making life simple for users.

      I personally find it amazing how little effort most people seem to want to make to get to read their email, log in to websites etc., but this is what has become the norm: A single log-in to access all of your on-line profiles and actions. Consequently, I find it hard to support the outrage when one company is found to have then used this feature for some other purpose. As far as I am concerned, this is how the company can provide you with these services for no fee (I won't say free, because it clearly isn't).

      I also find it hard to get upset when a government agency also has access to data which people have willingly given to a private company, but that clearly marks me out as some kind of apologist for something or other (apparently) so you should probably ignore everything I write.

      1. JohnFen

        Re: Yes...

        "And that is why the current all jump on Facebook campaign is so ridiculous."

        It's not ridiculous. All of the other companies you've mentioned have been lambasted for their wrongdoings before, and will be again. It's just Facebook's turn right now.

        And there's nothing wrong with that. "Everybody does it" is a defeatist line of thinking that only helps to ensure that this situation won't change. But when one of these companies gets into the public eye, that's an opportunity to pound the lesson home for that company, and makes it easier to pressure the other companies when their turn comes around again.

        1. Franco

          Re: Yes...

          I agree, it's not ridiculous at all to point out the shortcomings of these companies.

          Facebook are probably the least apologetic about it, particularly as they are clearly using users to track the behaviour of non-users, but Microsoft, Apple and Google are all at it to greater or lesser degrees, to name just a few.

          1. Anonymous Coward

            Re: Yes...

            Sadly Google and Microsoft (LinkedIn) also use users to track non-users (address book uploading, email content scanning, etc).

    2. JohnFen

      You are not wrong. Facebook is the poster child right now, but the rot goes far beyond just them.

  12. Abbeyon

    The federal government of the United States collects as much data as Facebook... and has the ability to enter your house with guns. A sociopathic narcissist running a company is just a rich asshole. A sociopathic narcissist running a country is the source of some of the worst catastrophes in human history.

    1. Anonymous Coward

      "and has the ability to enter your house with guns"

      If someone was trying to kill me I would welcome a policeman with a gun... and as long as the government collects needed data to deliver needed services, where's the problem? And, besides NSA & C. illegal-but-somehow-approved snooping, probably the government knows less about you than Facebook. Do you report it every time you go on travel or vacation?

      Also, the problem is not in companies collecting the minimum amount of data to deliver product and services. The problem is data harvesting, and their processing for specific targeting, especially to exploit the weakest ones.

    2. JohnFen

      I don't think there's any meaningful difference between the government and major corporations in the US.

      1. Anonymous Coward

        Whatever difference there was, it's about fifty years both parties are trying hard to blur it completely. And that's after the Eisenhower warning.

  13. Anonymous Coward
    Big Brother

    Trackers as seen on this page ..

    connect.facebook.net/en_GB/all.js

    nir.regmedia.co.uk/

    platform.twitter.com/widgets.js

    s.dpmsrv.com/dpm

    staticxx.facebook.com/connect/xd_arbiter/

    syndication.twitter.com/i/jot

    www.facebook.com/connect/ping?client_id=682459

    www.google-analytics.com/analytics.js

    www.googletagservices.com/

  14. Jon Smit

    Failbook slurping from Tesco Direct

    There's Failbook scripting running on Tesco's site picking up data on what you buy and logins. It's running if you use Failbook or not. WTF is Tesco getting out of it, when they've got complete access to the same data?

    1. Hans Neeson-Bumpsadese Silver badge

      Re: Failbook slurping from Tesco Direct

      I guess that it allows Tesco to target their advertising. Say you only go to Tesco's (or any other store's) website when you want to do some shopping - you're visiting it on their terms. A retailer will want to tell you about stuff which they think will prompt you to start that transaction and maybe buy something extra, say by telling you about some attractive offer. They can promote that offer through any advertising channel, but directing adverts to known customers, e.g. through Facebook, simply means better rate of return on their advertising spend.

  15. Jaap Aap

    Isn't this "facebook platform" the same way profiles get 'hacked'? Someone receives a dodgy url, opens it, and automatically they are 'logged in'.

  16. JohnFen
    Coat

    Well, obviously

    Oh, you meant scum aside from Facebook itself?

  17. tekHedd

    "only a few hundred sites."

    Yes, it's "only" a few hundred sites, like Tealium, which I see blocked by Ghostery on something like EVERY web store I've ever visited. :(

    Disappointed in BH Photo though, they have been good to me otherwise.

    1. Anonymous Coward

      Disappointed in BH Photo though, they have been good to me otherwise.

      Not that they hadn't other issues:

      https://petapixel.com/2017/08/16/bh-pay-3-22m-settle-lawsuit-filed-dept-labor/

      Great catalog, but what's behind some companies often may be less good...

  18. Anonymous Coward

    tiqcdn

    What do these tiqcdn/Tealium creeps do? That’s a domain I’m starting to see increasingly often in my NoScript/RequestPolicy menus (naturally, I never allow it to load, of course).

    There are just far too many of these dodgy “analytics” scripts on many websites these days, and I’m pretty sure that, despite their plaintive bleating otherwise, most of them are effectively harvesting personally identifiable profile data, and so therefore I can’t wait for GDPR to come down on them like a tonne of bricks.
