The Facebook Login feature is being used by third parties to surreptitiously track users, security researchers have warned.
That's according to Steven Englehardt, Gunes Acar and Arvind Narayanan of the Freedom To Tinker blog, hosted by Princeton University's Center For Information Technology Policy.
Such trackers are provided by firms not linked to Facebook or even the websites using them. The researchers found that seven of the trackers they examined abuse a website's access to Facebook data, while one third-party tool uses its own Facebook 'app' to track users across the web.
The researchers couldn't say for sure what the third-party trackers were doing with the data, but they suspected it was being monetised for advertising purposes, given the trackers' parent companies offer publisher monetisation services fuelled by user data.
"Hidden third-party trackers can also use Facebook Login to de-anonymise users for targeted advertising. This is a privacy violation, as it is unexpected and users are unaware of it," they said.
The use of the Facebook Login API is not uncommon and has become a widely used authentication tool on many websites.
However, the use of hidden trackers is a problem, not just due to their clandestine nature, but also due to the fact that visitors not only need to trust the website they visit to not abuse their data but also need to have faith in third-party tools on the site.
While some people might shrug at the idea of their data being used for targeted advertising, as that's now commonplace on the web, there's potential for malicious trackers to siphon Facebook data and allow less than scrupulous third-parties to abuse it.
The researchers noted that - for a change - Facebook was not directly to blame for the privacy shortcoming.
"This unintended exposure of Facebook data to third parties is not due to a bug in Facebook's Login feature. Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today's web," the researchers explained.
"Still, there are steps Facebook and other social login providers can take to prevent abuse: API use can be audited to review how, where, and which parties are accessing social login data.
"Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs. It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago."
V3 has contacted Facebook for comment, but it has yet to respond.
Dr Kuan Hon criticises GDPR consent emails that will only eviscerate marketing databases and 'media misinformation'
Apple squashes Steam Link app on 'business conflicts' grounds
Philip Hammond wants to forget rules that the UK agreed with the EU to ban non-European companies from the satellites
Instapaper to 'go dark' in Europe until it can work out GDPR compliance