This news first came to light as part of a report from the Princeton’s Center for Information Technology Policy website, Freedom to Tinker. It highlighted that the vulnerability allowed third parties to piggyback the Facebook login process to scrape usernames, email addresses, age ranges, genders, relative locations, and possibly even profile photos, as per Engadget.
In total the report cited seven different scripts that were collecting user data using the Facebook access system. Those scripts were found in 434 of the top one million websites as ranked by Alexa. Some sites have responded to the news by disabling and removing the offending scripts, though many others are still susceptible to this particular exploit.
“Scraping Facebook user data is in direct violation of our policies,” a Facebook spokesperson said in a statement to Engadget. “While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.”
The report does suggest, however, that although Facebook could take steps to prevent this exploit from being viable — such as the previously announced anonymous login feature — that this problem was more of an indication of security problems in modern web standards, than Facebook’s own fault.
Although the report authors admit that they don’t know how the scraped data is being used, this comes at a very poor time for Facebook. It is already embroiled in a scandal surrounding the harvesting of user data by companies like Cambridge Analytica, which purportedly used it for politically targeted adverts during a number of electoral campaigns over the past few years. Mark Zuckerberg even had to testify to Congress over the matter.
With the impending implementation of the GDPR, reports like this do little to curb fears of Facebook security and handling of personal data.