Social Login Systems May Share too Much
Social login is the ability to access a web site or application using an account on a social network. You may have already used it, or at least seen the login buttons as an option on various sites’ sign-in screens. Per my post on back to the future (of federation), today the largest identity networks are the social networks. And unfortunately, they and their sprawling empires of third party applications and advertising affiliates create vulnerabilities for users: See my NEW POST describing Covert Redirects and Perverse Incentives.
According to Janrain’s quarterly numbers and other sources, Facebook Login has almost 50% of the social login “market” and Google Plus (which is growing more rapidly) about 35%. Yahoo, Twitter and LinkedIn also register with smaller slices of the pie. Janrain notes: “Despite the possible perception that this is a two-horse race, it is critical to note the diversity of consumer preferences on different types of sites…We also have observed disparate preferences across geographic regions. For example, Hyves contends with Facebook as the most popular social network in the Netherlands…In Brazil and India, Orkut is a popular identity provider for social login, while in China, Sina Weibo and Renren maintain popularity. Mixi is a common social login choice in Japan, while VK is preferred in Russia.”
As I work on putting together the slides for our September 10 “Respect Connect: From Social Login to Personal Cloud Login” webinar, I’ve been studying Facebook and other implementations closely. It’s somewhat new territory for me, because as a security person I’ve only used these perilous tools of convenience twice:
- LinkedIn to log into ConnectMe: Importing my professional contacts into this reputation service is actually useful!
- Facebook Login (formerly Facebook Connect) for Spotify: If not stopped by changing the default setting, Spotify has the annoying habit of posting every song you listen to on Facebook.
The inaudible sigh (or giant sucking sound) is the whoosh of your social graph going into the data banks of the relying party, such as Spotify. I retested the Facebook-to-Spotify login experience and experienced a gratuitous one-click data transfer. No notification of the data whoosh, no opt-in process other than the login act itself.
One should, however, give Facebook credit for being open about what it does and for having an opt-out process. Midway into the program’s complex privacy preferences under “apps” I found the following screen, which states up front: “On Facebook, your name, profile picture, cover photo, gender, networks, username, and user id are always publicly available, including to apps.” The screen clipping below shows my own Spotify configuration on Facebook.