If you care about user privacy, do NOT use Facebook JS SDK

sonnk

Nguyen Kim Son

Posted on November 3, 2019

If you care about user privacy, do NOT use Facebook JS SDK

Social Login buttons like the ubiquitous Login with Facebook/Google/Twitter/... button is convenient for users as they don't have to go through a lengthy registration process and create yet another username/password. And without a proper password manager (which probably 99% users don't use), they tend to reuse the same password which is bad in terms of security!

However behind the scene, some SDKs (I'm looking at you Facebook!) inject an iframe in your website to display the Continue as {MyName} or Login with Facebook button. Loading this iframe allows Facebook to know that this specific user is currently on your website. Facebook therefore knows about user browsing behaviour without user's explicit consent. If more and more websites adopt Facebook SDK then Facebook would potentially have user's full browsing history! And as in "With great power comes great responsibility", it's part of our job as developers to protect users privacy even when they don't ask for.

Loading this iframe allows Facebook to know that this specific user is currently on your website

Alt Text

The iframe is actually injected in a second script loaded by the https://connect.facebook.net/en_US/sdk.js:

Alt Text

So what should we do to provide this Login with Facebook button to our users? The good news is this is actually easy as Facebook implements OAuth2/OpenID standard so you can use any OAuth2/OpenID library to add the Facebook login button. You can also add other login providers like Google, Github, Apple ... at the same time as those are also OAuth2/OpenID-compliant.

Here are some ressources to implement OAuth2/OpenID in your app for different languages/frameworks:

If you happen to use Flask (Python), I have written an article on dev.to on how to implement OAuth2/OpenID into a Flask application: https://dev.to/simplelogin/create-a-flask-application-with-sso-login-f9m

If you really need Facebook SDK, please ask user consent before loading the SDK or only load the SDK when user clicks on the Login with Facebook button.

Update 1: turns out that Google also uses this practice, more info can be found on https://news.ycombinator.com/item?id=21429482

💖 💪 🙅 🚩
sonnk
Nguyen Kim Son

Posted on November 3, 2019

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related