What happened in this case was Facebook’s social login was running on pages that also had other scripts running. These scripts looked for the social login and took that information when it was made available. In Princeton’s study the problem was demonstrated in Facebook’s API in particular, but it’s a security risk posed by social logins generally.

“With social logins being able to bring back information about the users, bringing back a user’s name, email address and other attributes into a page makes that information available to anything else that's running within the page or within the browser. The threat is a user may be visiting a site that they trust, but that site may use multiple third-party trackers as well as the social login,” says Rusty Carter, vice president of product management at cybersecurity firm Arxan Technologies.

While this vulnerability comes at a bad time for Facebook, which currently has its hands full with the Cambridge Analytica scandal, on this occasion the researchers didn’t blame the social network directly. Instead of putting the issue down to a bug in Facebook’s API, the researchers said the problem is a consequence of a lack of security boundaries between the first-party and third-party scripts in today’s web.

Facebook didn’t get off scot-free in the study, however, as the researchers did point out that there are steps Facebook could have taken to prevent abuse. “API use can be audited to review how, where and which parties are accessing social login data,” write the researchers. “Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs.”

Alongside those proposals, the researchers also claim that Facebook should reconsider implementing ’anonymous log in with Facebook’, a feature the social network announced in 2014 but never put in place. That feature would have allowed users to sign into apps without sharing personal information, but Carter isn’t convinced even a solution like that would have solved the problem completely.

“The perception of anonymous is in many cases not true,” says Carter. “I can leave cookies on your browser, I can identify you via IP address, I can connect you from the people that you're friends with; the concept of anonymous in that case is suspect.”

Facebook says it is investigating the issue, and while that investigation is ongoing it will be suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages. “Scraping Facebook user data is in direct violation of our policies,” said a Facebook spokesperson in a statement to Verdict Encrypt. “[We] are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.”

In the end, the Princeton researchers identified seven scripts that were capable of pulling information from Facebook’s login API.

The researchers claim that these companies – OnAudience, Lytics, Augur, ProPS, Tealium, Forter and one company they were unable to identify – were collecting data that ranged from users’ IDs to their email addresses and gender. However, the researchers clarified that the company accused of collecting data on gender – OnAudience – stopped collecting this information after the Princeton researchers released the results of a previous study, which showed them abusing browser autofill to collect user email addresses.

While the researchers couldn’t say how these companies used the information they were allegedly collecting, the insinuation is that that because many of the companies “offer some form of ‘customer data platform’” the data could be used “to help publishers to better monetise their users”.

This is a claim denied by the companies we spoke to and heard from. A spokesperson for Tealium told us that it does not use Facebook data in the manner described by the researchers and is currently seeking legal advice.

“Tealium's software is used by companies to manage their own user data, and Tealium itself does not use that data for any purpose and does not buy, share or sell that data. Tealium is a strong advocate of customer data privacy, strong data governance, and transparency,” said a Tealium spokesperson via email.

In an interview with Wired, James McDermott, CEO of Lytics, said that companies like his create software and tracking tools that websites can use to find out information about their customers, but this didn’t extend to sucking information out of Facebook’s API. "In no case have we seen that deployment," McDermott said to Wired.

The simple answer to not getting caught up in the controversy and leaking personal information to third parties would be to avoid using social logins like log in with Facebook.

Anyone who has tried to extricate themselves from the service will know it’s no easy task, but, as Carter points out, when you use a free, social login you are really trading security for convenience.

Instead of maintaining this paradigm, Carter advocates for moving away from the free model, and suggests users use tools like password managers to keep track of their various logins because ultimately the free services are there to profit from users’ data.

“Those services are provided as a convenience to you so those businesses can make money off of knowing where you're logging into,” says Carter. “There's a choice that consumers make, they certainly carry some responsibility for protecting their own information. The choice between using a social login because it's convenient and free, or perceivably free, or paying a small amount for a password manager, that's a very simple way of both having a more secure login and also protecting your information more effectively. There is no free lunch, as the saying goes.”