“Login with Facebook” Is a Bad Idea


A growing number of websites give users a choice of how to log in. You can enter a username and password that you created just for that site. Or you can click a “Login with Facebook” button and enter your Facebook username and password instead. But using “Login with Facebook” is a bad idea.

For some users, “Login with Facebook” is a tantalizing choice. Instead of memorizing multiple unique usernames and passwords, you can use your Facebook login credentials everywhere. In this way “Login with Facebook” acts like a single sign-on (SSO). In addition, it lets you easily post to Facebook about something that you just read or purchased on that site.

What Personal Information Is Sent From Facebook?

Yet what exactly happens behind the scenes when you “Login with Facebook”? Since it was revealed last month (Mar 2018) that Facebook mishandled users' personal information, it has faced a firestorm of outrage. Is there any possibility that your personal data on Facebook could likewise be exposed by using “Login with Facebook”?

The unfortunate answer is yes. Using “Login with Facebook” will expose parts of your Facebook data to other parties.

When a website or app installs a “Login with Facebook” link, that site/app can receive back from Facebook your email address and your Facebook “public profile” information. And what is this public profile information? Here is the list:

  • id
  • age_range
  • context
  • cover
  • currency
  • devices
  • first_name
  • gender
  • last_name
  • link
  • locale
  • name
  • picture
  • timezone
  • updated_time
  • verified

Even More Personal Information Can Be Shared

But that’s not all. A site/app can also request from Facebook an additional 30 items, including user_birthday, user_friends, user_likes, and user_tagged_places (although Facebook must approve these additional items). You can see a complete list of these additional items at https://developers.facebook.com/docs/facebook-login/permissions. Interestingly, several other personal items were removed from the list just a few weeks ago (Apr 4 2018); was this a result of the backlash against Facebook and its handling of user data?

And it gets worse.

Security researchers have found that third-party “trackers” embedded on the pages of a first-party website that uses “Login with Facebook” can steal that Facebook data. And some of these trackers provide “audience-monetization services” to publishers. What does that mean? It means that those behind these trackers sell your Facebook data. And they can charge advertisers higher rates because they know so much about you.

How many of these trackers are out there? The number is relatively small: the researchers found the third-party trackers embedded in only 454 of the top 1 million sites (sorted by their traffic rank). But many of the first-party web sites that were using “Login with Facebook” did not know that third parties were hijacking the Facebook data. One first-party site said to TechCrunch,

“We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”

But wait, there’s more.

Hidden third-party trackers can also use “Login with Facebook” to uncover (“deanonymize”) users for more targeted advertising. When we are online we expect a relatively high degree of anonymity: nobody really knows who we are. But some third-party trackers are able to get around this by linking related sites back to the Facebook data, revealing who you are and what you are doing.
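For site operators in the position of the one quoted above, a first step is knowing which outside scripts load on pages that also load Facebook's JavaScript SDK. The following is an added example, not code from the researchers or from any site mentioned here: the function names, the sample HTML and the `.example` domains are constructed, and it assumes the SDK is loaded from `connect.facebook.net`.

```javascript
// Added example: list third-party script hosts on a page that loads the
// Facebook JavaScript SDK. All names and sample data below are constructed.
const FACEBOOK_SDK_HOST = "connect.facebook.net";

// Hostname of every <script src=...> tag, resolved against the page URL.
// Inline scripts (no src attribute) are ignored.
function scriptHosts(html, pageUrl) {
  const hosts = [];
  const re = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[1] ?? m[2] ?? m[3];
    try {
      hosts.push(new URL(src, pageUrl).hostname.toLowerCase());
    } catch { /* unparsable src: skip it */ }
  }
  return hosts;
}

// True when host is the site's own domain or one of its subdomains.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// Flag pages where the SDK and other outside scripts load together.
function auditPage(html, pageUrl, siteDomain) {
  const hosts = scriptHosts(html, pageUrl);
  const loadsFacebookSdk = hosts.includes(FACEBOOK_SDK_HOST);
  const outside = hosts.filter(
    (h) => h !== FACEBOOK_SDK_HOST && !isFirstParty(h, siteDomain));
  const thirdParty = [...new Set(outside)].sort();
  return { loadsFacebookSdk, thirdParty,
           needsReview: loadsFacebookSdk && thirdParty.length > 0 };
}

// Constructed sample page for the hypothetical site news.example.
const SAMPLE_HTML = `<html><head>
<script src="/js/app.js"></script>
<script async defer src="https://connect.facebook.net/en_US/sdk.js"></script>
<script src="//cdn.tracker.example/collect.js"></script>
<script src='https://static.news.example/ui.js'></script>
<script>var inline = 1;</script>
<script src="https://ads.partner.example/tag.js"></script>
</head><body></body></html>`;

console.log(auditPage(SAMPLE_HTML, "https://www.news.example/story", "news.example"));
```

Each host in `thirdParty` is a script the operator should be able to account for; the check reads only static HTML, so scripts injected at runtime by other scripts need a browser-based inventory.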

Bottom Line: Use a password manager

So, using “Login with Facebook” is a bad idea. What should you do instead? Use a password manager to create and store unique passwords for all of your sites. That will help keep your Facebook data on Facebook and out of the hands of others.

The security research on Facebook use of data is at: https://freedom-to-tinker.com/2018/04/18/no-boundaries-for-facebook-data-third-party-trackers-abuse-…