JavaScript trackers crawl user data, Facebook launches investigation

A security report believes that someone has inserted a third-party JavaScript tracker into a website that uses “Login With Facebook” to capture Facebook user personal data, and Facebook confirmed to the media that it is investigating what the report says.

The tracker can collect some of the user’s data, including name, email address, age range, gender, location, photos, etc., depending on what information the user provides to the site. What exactly do these trackers do with data? It is not clear that what is currently known is that many tracker owners use the collected user data to provide profitable services, such as Tealium, AudienceStream, Lytics, and ProPS.

The report comes from Freedom To Tinker, which is affiliated with the Princeton’s Center for Information Technology Policy. The researchers aimed at nearly 1 million websites and found that 434 websites misused scripts such as Freer.com, a freelance website, B&H Photo And Video, a camera sales website, and MongoDB, a cloud data provider.

The survey found that the concert site BandsInTown sent Login With Facebook user data to website embedded scripts, which installed Amplified advertising programs. The hidden BandsInTown inline framework loads on the site extract user data and then can access embedded scripts. In this way, malicious websites can use BandsInTown to understand the identity of visitors. Although aware of the vulnerability, BandsInTown did not repair it.

Facebook has not issued an official statement to respond to this matter, it just told TechCrunch: “We will look into this and get back to you.”

Researchers extracted 50,000 websites from Alexa’s top 1 million websites for analysis in January 2017 and reached the above conclusions. Including all the top 15,000 websites, 15,000 websites were randomly selected from 150,000-100,000 websites, and 20,000 websites were randomly selected from 1-10 million websites, totaling 50,000.

Source: TechCrunch

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.