A team of Pakistani researchers from the University of Iowa and the Lahore University of Management Sciences (LUMS) has uncovered 16 Facebook apps that secretly share user data with third parties.
On its own, this is hardly a surprise. Hundreds of thousands of third-party apps integrate with Facebook, and each one that a user authorizes receives a copy of some of that user's profile data. Once that copy has been handed over, it is effectively out of the user's hands.
It is also very hard to detect when an app misuses that data, because the data now sits on the app developer's own servers, which Facebook neither controls nor can inspect. This is where the research matters: it produces something that is normally out of reach, namely hard evidence that a specific set of apps passed user data on to third parties without disclosing it.
The team's technique, called CanaryTrap, works with "honeytoken" email addresses. For each app under test, the researchers created a Facebook account tied to a unique email address that was shared with nothing else, installed the app, and then watched that inbox for mail from senders other than the app itself. They also used Facebook's ad transparency tool to see whether advertisers had obtained the address. For context, a honeytoken is a piece of fake but plausible data that serves no purpose except to be watched: because it was only ever given to one party, any later use of it reveals who leaked it and where it ended up.
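The core of the method is bookkeeping: one honeytoken per app, never reused, so that any mail arriving at a token can be attributed to exactly one app. The following is an added illustration of that attribution logic, not code from the CanaryTrap authors; the sample apps, domains and messages are constructed, and the token derivation, mail domain and HMAC secret are assumptions for the example.

```python
"""Attribute unsolicited mail on honeytoken addresses back to the app that
received them, in the spirit of CanaryTrap.  Added example; not the
researchers' code.  All names and data below are constructed."""
from __future__ import annotations

import email.utils
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical: secret used to derive tokens so they cannot be guessed or
# enumerated by an app that sees one of them.
SECRET = b"rotate-this-secret-per-study"
MAIL_DOMAIN = "honeytokens.example"  # hypothetical catch-all mail domain


def honeytoken_for(app_id: str) -> str:
    """Derive a unique, non-guessable mailbox for one app.

    The mailbox is handed to exactly this app and nothing else; that exclusivity
    is what makes later mail to it attributable.
    """
    tag = hmac.new(SECRET, app_id.encode(), hashlib.sha256).hexdigest()[:12]
    return f"user-{tag}@{MAIL_DOMAIN}".lower()


@dataclass(frozen=True)
class Message:
    rcpt: str      # envelope recipient (the honeytoken, if any)
    sender: str    # From header, possibly with a display name
    subject: str


def sender_domain(addr: str) -> str:
    """Extract the bare domain from a From header such as 'Promo <p@x.example>'."""
    return email.utils.parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def attribute(apps: dict[str, str], inbox: list[Message]) -> dict[str, list[tuple[str, str]]]:
    """Map each app to the third-party mail its honeytoken received.

    apps:  app_id -> the app's own domain (mail from there is expected and ignored).
    Returns app_id -> list of (sender, subject) that came from anyone else.
    """
    token_to_app = {honeytoken_for(app_id): app_id for app_id in apps}
    findings: dict[str, list[tuple[str, str]]] = {}
    for msg in inbox:
        app_id = token_to_app.get(msg.rcpt.lower())
        if app_id is None:
            continue  # not one of our tokens: background noise, not evidence
        dom = sender_domain(msg.sender)
        own = apps[app_id].lower()
        if dom == own or dom.endswith("." + own):
            continue  # first-party mail from the app itself is not a leak
        findings.setdefault(app_id, []).append((msg.sender, msg.subject))
    return findings


def run_demo() -> dict[str, list[tuple[str, str]]]:
    """Constructed scenario: two apps leak, one behaves, one message is noise."""
    apps = {
        "quizapp": "quizapp.example",        # hypothetical app and domain
        "horoscope": "horoscope.example",    # hypothetical app and domain
        "wellbehaved": "wellbehaved.example",
    }
    inbox = [
        Message(honeytoken_for("quizapp"), "QuizApp <noreply@quizapp.example>", "Welcome!"),
        Message(honeytoken_for("quizapp"), "Deals <promo@affiliate-deals.example>", "Hot offers"),
        Message(honeytoken_for("horoscope"), "<admin@sextortion-scam.example>", "I have your videos"),
        Message(honeytoken_for("wellbehaved"), "Mail <mail.wellbehaved.example>", "Your report"),
        Message("random@honeytokens.example", "<x@spam.example>", "Unrelated spam"),
    ]
    return attribute(apps, inbox)


if __name__ == "__main__":
    for app_id, hits in run_demo().items():
        for sender, subject in hits:
            print(f"{app_id}: third-party mail from {sender!r}: {subject!r}")
```

The check on the sender domain is the minimum needed to separate an app's own transactional mail from mail that proves the address left the app. It cannot say how the data travelled (a sold list, a shared backend, a breach), only that it did, which is exactly the limit the study's findings have as well.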
The study tested a total of 1,024 third-party Facebook apps, of which 16 were caught sharing user data with third parties. In several cases the unsolicited mail came from an affiliate website or business partner of the app rather than from the app itself, but the most concerning finding was the content of some of the messages that reached the researchers' inboxes: it ranged from ordinary email spam to sextortion threats.
The study team consists of lead author Shehroze Farooqi, a PhD student at the University of Iowa, along with Zubair Shafiq, Maaz Musa, and Fareed Zaffar.
“Our study discovers the misuse of user data shared with third-party apps on Facebook since we only implement CanaryTrap for Facebook,” Shehroze stated. “It is possible that the potential misuse of user data is happening on other platforms like Twitter and Instagram as well as various Google products (such as Gmail and GSuite marketplace).”