There's a Big Problem with 'Log In With Facebook'

Facebook is investigating a report that suggests its Log In With Facebook feature on a variety of websites across the Internet could have allowed for the collection of personally identifiable information.

Credit: Pixinoo/Shutterstock

According to a report from Steven Englehardt at Freedom to Tinker, a Princeton Center for Information Technology Policy organization, JavaScript trackers embedded in websites that use the Log In With Facebook feature can collect a person's name, email address, gender, location, profile photo, and approximate age. According to Englehardt, whose study was earlier reported by TechCrunch, 434 of the top 1 million websites had the JavaScript code running.

That said, few of those websites are ones you've likely heard of, and being among the world's top 1 million most popular sites doesn't necessarily mean a site gets overwhelming traffic.

Log In With Facebook is a feature that allows users to sign in to a service or app with their Facebook credentials rather than be forced to create all-new credentials for the respective site. It cuts down on the number of usernames and passwords users need to keep.

To be clear, those JavaScript trackers are third-party services. So the user information being collected is unwittingly being shared with third parties that, for one reason or another, have JavaScript running on a website.

"When a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site," the researchers wrote in their report.

They added, however, that the problem isn't necessarily one with Facebook. Instead, they believe that it sheds light on "the lack of security boundaries between the first-party and third-party scripts in today's Web."
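To see which third parties a login page is actually trusting, a site owner can inventory the external scripts that load into the page's own JavaScript context. The following is an added example, not code from the researchers' report or from Facebook; the sample HTML, hostnames and function names are constructed for illustration, and same-site matching is approximated by the last two hostname labels.

```javascript
// Constructed sample page: two first-party scripts, two third-party scripts,
// one inline script, and one sandboxed cross-origin iframe.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/login.js"></script>
<script async src="https://tracker.example/t.js"></script>
<script src="//widgets.example/chat.js"></script>
<script>window.inline = true;</script>
</head><body>
<iframe sandbox="allow-scripts" src="https://ads.example/frame.html"></iframe>
</body></html>`;

// Approximation (assumption): treat the last two labels as the site.
// A production audit should use the Public Suffix List instead.
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Extract the src of every <script src=...> tag (quoted or unquoted value).
function scriptSources(html) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Split scripts into first-party and third-party. Every script listed here
// runs with the same privileges as the site's own login code; content inside
// a cross-origin iframe does not, so iframes are deliberately not counted.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const firstParty = [];
  const thirdParty = new Set();
  for (const src of scriptSources(html)) {
    let url;
    try { url = new URL(src, page); } catch { continue; } // skip malformed src
    if (siteOf(url.hostname) === siteOf(page.hostname)) firstParty.push(url.href);
    else thirdParty.add(url.hostname);
  }
  return { firstParty, thirdPartyHosts: [...thirdParty].sort() };
}

const report = auditScripts(SAMPLE_HTML, 'https://www.shop.example/account');
console.log('Third-party hosts sharing the page context:', report.thirdPartyHosts);
```

Each host in `thirdPartyHosts` is a party the user implicitly trusts when granting the site access to a social profile.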

In a statement to TechCrunch, Facebook confirmed that any service "scraping Facebook user data is in direct violation" of the company's policies. Facebook said that it's investigating the matter, but has also turned off a feature that linked a person's unique user ID in applications to their Facebook profile pages.

Facebook added that it's examining whether to include "additional authentication" with its Log In With Facebook feature.