Many people use the "login with Facebook" feature to sign in to different websites. It simplifies the login procedure and means you don't have to remember a whole bunch of new usernames and passwords.
But according to security researchers at Freedom to Tinker, the shortcut might mean users are handing over considerably more information than intended. We first saw the news via TechCrunch.
Trackers embedded on a site's pages can hijack the "login with Facebook" feature to harvest data that you probably didn't intend to give away, including your email address and public profile details such as name, age range, gender, location, and profile photo.
It isn't clear what these trackers do with the information, but the researchers noted that the firms behind the trackers — Lytics and ProPS — both provide audience-monetization services to publishers.
In other words, sites are able to charge advertisers more money because they know more about you.
The researchers found the trackers embedded in 454 of the top 1 million sites, sorted by their Alexa traffic rank, including MongoDB. MongoDB told TechCrunch on Wednesday: "We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down."
Facebook told TechCrunch it was investigating the issue, and didn't immediately respond to a request for further clarification from Business Insider.
The numbers show the data siphoning isn't particularly widespread, but it's yet another example of how difficult it is for users to understand where their Facebook information might be going.
Steven Engelhardt, one of the researchers behind the findings and a privacy engineer at Mozilla, wrote: "This unintended exposure of Facebook data to third parties is not due to a bug in Facebook’s Login feature. Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today’s web."
But, Engelhardt added, Facebook could do a better job of auditing how third parties use tools like the login service, and stop trackers from scraping more information than necessary.
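The "lack of security boundaries" point is easy to see in code. The following is an added illustration, not code from the article, the researchers, or Facebook: it models a page in which a first-party login integration and a third-party tracker script share one global scope, the way every script loaded directly into a document shares `window` in a browser. `makeMockSdk` is a stand-in for a login SDK (the real Facebook JavaScript SDK does attach itself to the page as `window.FB`; the session values, field names and the `/me` response shape here are constructed for the demo). The tracker is never handed the SDK, yet it can harvest the user's identity as long as the SDK is reachable as a global; the same probe finds nothing when the handle is closure-scoped or when the tracker runs in an isolated scope, which is what a cross-origin iframe or a server-side redirect login flow gives you.

```javascript
// Added example, not the article's or the researchers' code.
// `scope` plays the role of a document's global object (window in a browser).

// Mock login SDK. Stands in for a provider SDK; values are constructed sample data.
function makeMockSdk() {
  const session = {
    userID: '1000',                 // constructed
    accessToken: 'EAAB-mock-token', // constructed
    name: 'Ada Lovelace',           // constructed
    email: 'ada@example.com',       // constructed
  };
  return {
    // Callback-style APIs like the real SDK; kept synchronous for the demo.
    getLoginStatus(cb) {
      cb({ status: 'connected',
           authResponse: { userID: session.userID, accessToken: session.accessToken } });
    },
    api(path, opts, cb) {
      if (path === '/me') cb({ id: session.userID, name: session.name, email: session.email });
      else cb({ error: 'unsupported path in mock' });
    },
  };
}

// Pattern A: the usual integration. The SDK becomes a page global (window.FB
// in a real browser) so the first party's login button can use it anywhere.
function firstPartyGlobalIntegration(scope) {
  scope.FB = makeMockSdk();
  let status = null;
  scope.FB.getLoginStatus(r => { status = r.status; });
  return status;
}

// Pattern B: same login, but the SDK handle lives only inside this closure.
// Nothing is written to `scope`, so no other script on the page can reach it.
function firstPartyScopedIntegration(scope) {
  const sdk = makeMockSdk();
  let status = null;
  sdk.getLoginStatus(r => { status = r.status; });
  return status;
}

// A third-party script on the same page. It has no relationship with the login
// code, but there is no boundary between scripts sharing one global scope: it
// simply probes for the SDK global and, if present, pulls the user's identity.
function trackerScript(scope) {
  if (!scope.FB) return null;           // nothing reachable, nothing to harvest
  let harvested = null;
  scope.FB.getLoginStatus(r => {
    if (r.status !== 'connected') return;
    scope.FB.api('/me', { fields: 'name,email' }, me => {
      harvested = { userID: r.authResponse.userID, name: me.name, email: me.email };
    });
  });
  return harvested;
}

// Runs all three scenarios and reports what the tracker got in each.
function runScenarios() {
  const shared = {};                    // one global scope for both scripts
  firstPartyGlobalIntegration(shared);
  const leakedFromGlobal = trackerScript(shared);

  const scoped = {};                    // SDK handle never exposed as a global
  firstPartyScopedIntegration(scoped);
  const leakedFromScoped = trackerScript(scoped);

  const firstPartyOnly = {};            // tracker isolated in its own scope,
  const trackerSandbox = {};            // as a cross-origin iframe would be
  firstPartyGlobalIntegration(firstPartyOnly);
  const leakedFromSandbox = trackerScript(trackerSandbox);

  return { leakedFromGlobal, leakedFromScoped, leakedFromSandbox };
}

console.log(runScenarios());
```

The point of the scoped and sandboxed variants is not that they are drop-in fixes for a site using the real SDK (which always exposes `window.FB`), but that the leak disappears exactly when the boundary exists: either the token never lives in page JavaScript at all (server-side OAuth redirect), or third-party code runs in a separate origin. Anything short of that leaves every script on the page with the same reach as the first party.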