facebookincubator / Facebook-Pixel-for-Wordpress

A plugin for advertisers who use WordPress, enabling them to easily set up the Facebook pixel.
GNU General Public License v2.0

Private details revealed in HTML source #30

Open daamsie opened 2 years ago

daamsie commented 2 years ago

This was raised in a previous topic with a lack of resolution (but closed nonetheless).

The FB pixel rendered out in source looks like this:

<!-- End Facebook Pixel Code -->
<script type='text/javascript'>
  fbq('init', '<PIXEL_ID>', {
    "em": "<EMAIL>",
    "fn": "<FIRSTNAME>",
    "ln": "<SURNAME>"
}, {
    "agent": "wordpress-5.8.3-3.0.6"
});
</script>

The email in question belongs to the user who is logged in. Harmless, I hear you say, because they already know their own email address.

However, a malicious browser extension could very easily harvest email addresses and the user’s private data this way.

Say I created a handy extension called “Tracking Pixel Detector” or some such that users could install to keep an eye on tracking pixels. Every site they visit where they are logged in will reveal their email address to the extension.

Please address this potential security hole by ensuring email addresses are NEVER displayed in the source code.