0

When I use OAuth with Facebook (or Google etc.) as the authorization server, the authorization server gets some data about the application/client (requesting the authorization). Therefore, the authorization server (e.g. Facebook) now knows that I use that application. Isn't that a privacy issue? Shouldn't the OAuth authorization servers have a privacy statement (or something in their privacy statement) about how they use the information (about the applications I use)? Or do they not permanently store information about authorization requests through OAuth?

Inky
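The question describes the data flow of a three-legged OAuth 2.0 authorization request. The following Python is an added illustration, not code from the question or from any real provider: it builds the authorization request exactly as an application sends the browser to the provider (RFC 6749 section 4.1), and then shows what the provider can record from the request alone, before the user even consents. The endpoint URL, the `client_id` values, the client registry and the user identifier are all constructed; how a real provider actually uses such records is not something this example can know, it only shows the minimum the request itself reveals.

```python
"""What an OAuth 2.0 authorization server learns from a "social login" request.

Constructed example: the provider URL, client registry and user are made up.
"""
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical provider endpoint (not a real URL).
AUTHORIZE_ENDPOINT = "https://idp.example/oauth/authorize"

# Every relying party must register with the provider before it can offer
# "Sign in with ...", so a client_id resolves to a named, categorised app.
# Constructed registry for this example.
CLIENT_REGISTRY = {
    "app-7c1e": {"name": "Woodturning Forum", "category": "hobbies"},
    "app-91ab": {"name": "ChessMates", "category": "games"},
}


def build_authorization_request(client_id, redirect_uri, scope, state):
    """The URL the application redirects the user's browser to.

    Every parameter reaches the provider; TLS protects it from third
    parties but not from the provider itself. 'state' is opaque and
    protects the application against CSRF, it hides nothing here.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def provider_view(request_url, session_user, received_at):
    """Provider-side record of a single authorization request.

    The browser carries the provider's own session cookie, so the provider
    already knows who the user is; the query string tells it which
    application (and which site) that user is signing in to.
    """
    query = parse_qs(urlparse(request_url).query)
    client_id = query["client_id"][0]
    app = CLIENT_REGISTRY.get(client_id, {"name": "unknown", "category": "unknown"})
    return {
        "user": session_user,
        "client_id": client_id,
        "application": app["name"],
        "category": app["category"],
        "site": urlparse(query["redirect_uri"][0]).hostname,
        "scopes": query["scope"][0].split(),
        "timestamp": received_at.isoformat(),
    }


def interest_profile(events):
    """Aggregate per-request records into user -> categories of apps used.

    This is the join that turns a single "Sign in with ..." click into a
    signal about the user's interests; no browsing on the site is needed.
    """
    profile = {}
    for event in events:
        profile.setdefault(event["user"], set()).add(event["category"])
    return profile


if __name__ == "__main__":
    url = build_authorization_request(
        "app-7c1e", "https://woodturning.example/callback", "openid email", "n0nc3"
    )
    event = provider_view(url, "user-123", datetime(2024, 1, 1, tzinfo=timezone.utc))
    print(event)
    print(interest_profile([event]))
```

The record contains nothing that the application itself chose to share: the application identity comes from the mandatory `client_id`, and the site from the mandatory `redirect_uri`. Dropping optional scopes or adding PKCE changes none of it, which is why the only way for a user to avoid the record is the one the answer gives, not using the social login at all.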

1 Answer

0

Yes, this is indeed a data leak, and Facebook in particular abuses it extensively. I tested this: I signed up for a web site about something entirely outside my usual interests using "Sign up with Facebook", and then did not browse the site (i.e. the login was the only info they had). Within a day, I started getting ads in my Facebook feed about that subject.

There is no way to be sure that three-legged OAuth (which is what "social logins" are) does not leak data. Policies provide some assurance, but there is such a long history of abuse by the popular providers that they can't be trusted, no matter what they say. There is only one solution to this: don't use it. It's got to the point where I actively avoid sites that even offer it because it means that the site itself doesn't understand privacy sufficiently to realise what they're doing. In GDPR audits, I flag this as a potential privacy exposure.

It also doesn't help that OAuth is deeply unpleasant to work with as a developer too, and incredibly easy to get wrong. Id & pass with 2FA is my preferred auth method.

Synchro