The Facebook Login feature is being used by third parties to surreptitiously track users, security researchers have warned.
That's according to Steven Englehardt, Gunes Acar and Arvind Narayanan of the Freedom To Tinker blog, hosted by Princeton University's Center For Information Technology Policy.
Such trackers are provided by firms not linked to Facebook or even the websites using them. The researchers found that seven of the trackers they examined abuse a website's access to Facebook data, while one third-party tool uses its own Facebook 'app' to track users across the web.
The researchers couldn't say for sure what the third-party trackers were doing with the data, but they suspected it was being monetised for advertising purposes, given the trackers' parent companies offer publisher monetisation services fuelled by user data.
"Hidden third-party trackers can also use Facebook Login to de-anonymise users for targeted advertising. This is a privacy violation, as it is unexpected and users are unaware of it," they said.
Use of the Facebook Login API is not uncommon; it has become a widely used authentication tool on many websites.
However, hidden trackers are a problem not just because of their clandestine nature, but also because visitors must trust both the website they visit and the third-party tools on that site not to abuse their data.
While some people might shrug at the idea of their data being used for targeted advertising, as that's now commonplace on the web, there's potential for malicious trackers to siphon Facebook data and allow less-than-scrupulous third parties to abuse it.
The researchers noted that - for a change - Facebook was not directly to blame for the privacy shortcoming.
"This unintended exposure of Facebook data to third parties is not due to a bug in Facebook's Login feature. Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today's web," the researchers explained.
"Still, there are steps Facebook and other social login providers can take to prevent abuse: API use can be audited to review how, where, and which parties are accessing social login data.
"Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs. It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago."
V3 has contacted Facebook for comment, but it has yet to respond.