Facebook will (finally!) explicitly tell users who use Facebook Login to log into third-party apps what information those apps are harvesting from their FB account.
At the same time, users will be able to react quickly if someone has managed to compromise their Facebook account and is using their credentials to access other apps and websites.
The new feature, called Login Notifications, will deliver notifications to users via the Facebook app and the user’s associated email address.
A notification will be triggered every time a user (or attacker):
- Logs into a third-party app with Facebook Login and grants the app access to their information
- Re-uses Facebook Login to log into a third-party app after the app’s access to information has expired
As you can see in the image above, each notification will include a list of the information the app/website pulls from the Facebook account to personalize the user’s experience. It will also offer a direct link to Facebook Settings > Apps and Websites, so users can limit the information shared with the app/service or remove the app altogether.
“The design and content of the Login Notifications remind users that they have full control over the information they share with 3rd party apps, with a clear path to edit those settings,” Puxuan Qi, a software engineer at Facebook, explained.
“We will continue to test additional user control features in early 2020, including bringing permissions to the forefront of the user experience when logging into a 3rd party app with Facebook Login.”
This new feature is part of Facebook’s broader attempt to show it cares about user privacy and to minimize the fallout of incidents such as the massive 2018 Facebook data breach and the Cambridge Analytica scandal. In the 2018 breach, attackers managed to steal the access tokens of at least 50 million users, potentially allowing them to take over victims’ Facebook accounts and log into accounts the victims had opened on third-party websites and apps by using Facebook Login. In the Cambridge Analytica case, CA used information collected through third-party apps without users agreeing to their data being used to fuel election campaigns, or even knowing about it.