This afternoon several colleagues and I have been looking at sites using Facebook to create accounts. The idea is that if you’re already logged into Facebook, it is easy for us to use Facebook as a conduit to create an account for you on our website; reducing the number of usernames and passwords you need to remember, as well as lowering the barrier of entry in getting you to signup to a website.
You’ve probably seen this as “Register with Facebook” or “Login with Facebook” on many sites. Below is a screenshot from Rdio, where you can see the Facebook Register button.
Clicking Register on Rdio.com brings up the following page:
So if you have a facebook account, you can click on Log in to prefill the form below with your profile information.
Clicking on this link brings up this:
Now this gets a bit techie, but stick with me.
The url being linked to from Rdio is the following:
https://www.facebook.com/plugins/registration.php?api_key=100322856680770&channel_url=https%3A%2F%2Fs-static.ak.facebook.com%2Fconnect%2Fxd_arbiter.php%3Fversion%3D11%23cb%3Df4bd236bc%26origin%3Dhttps%253A%252F%252Fwww.rdio.com%252Ff199c1b3e4%26domain%3Dwww.rdio.com%26relation%3Dparent.parent&client_id=100322856680770&fb_only=false&fb_register=false&fields=%5B%7B%22name%22%3A%22name%22%7D%2C%7B%22name%22%3A%22email%22%7D%2C%7B%22name%22%3A%22gender%22%7D%2C%7B%22name%22%3A%22birthday%22%7D%2C%7B%22name%22%3A%22location%22%7D%2C%7B%22name%22%3A%22username%22%2C%22description%22%3A%22Rdio%20Username%22%2C%22type%22%3A%22text%22%7D%2C%7B%22name%22%3A%22password%22%2C%22no_submit%22%3A%20true%7D%2C%7B%22name%22%3A%22terms%22%2C%22description%22%3A%22I%20agree%20to%20the%20Rdio%20Terms%20of%20Service*%22%2C%22type%22%3A%22checkbox%22%7D%5D&height=448&locale=en_US&onvalidate=facebookValidate&redirect_uri=https%3A%2F%2Fwww.rdio.com%2Ffacebook-signup%2F&sdk=joey&width=532#
What this URL is requesting from Facebook is the following:
- Your full name
- Your email address
- Your gender
- Your birthday
- Your location
That’s alot of information, and we would hope that there is some way to turn off what can be sent back to websites. Facebook permits you to turn off what data is passed through your friends (in Privacy settings, below), but I have not been able to find a way to change what can be directly requested by a website.
The result is, that without controls to change what Facebook can share with other websites, it will return your private data with any website that asks for it. Image below of what get’s returned to Rdio (fake data supplied via my Facebook account).
Update: After reading a blog post by Facebook on registration, the panel below is actually not hosted on Rdio, it’s an iFrame (a partial window) on the Facebook domain. Only when a user clicks Register does your private information get sent from Facebook to the requesting website.
The Create your Rdio account panel – before clicking “Log in to Prefill…” – doesn’t explicitly say what it will request from Facebook. If you read the Privacy policy very carefully, it’s in there, but please – who wades through mounds of legalese? Honestly, I think its about time that sites do the right thing and completely disclose what data they are going to get from Facebook. And Facebook should do the right thing and implement privacy controls – by default opting out user’s details, and allowing them to opt-in and choose what to share.
Rdio is a legit site, and I love it. But there are many sites out there that we visit, and any number of those could have lesser security or the right intentions. Any of these could ask you to sign up with your Facebook account – and what you believe is private in your Facebook account – isn’t.
Sarofax Technical 