Harnessing Facebook to Reveal the Age Bracket of Website Visitors

Even before a user accepts the installation of a Facebook application, Facebook will send a limited amount of user data to the application’s website in order to help personalize your experience. Unfortunately, this user data includes information that users may not want to share without consent.

Facebook uses OAUTH2.0 as an authentication mechanism for its applications. When a user visits an iframe-based Facebook application (apps.facebook.com/yourapp) prior to installation, a POST request is sent to the third-party website hosting the application with the following data:

The ‘age object’ does not provide access to the specific age of the user, but it does provide a specific bracket. Three brackets are provided:

    13-17 (minage-13 or minage-13 and maxage-17)
    18-21 (minage-18)
    21+ (minage-21)

Typically, such data would be used to ensure certain age-relevant applications are only presented to eligible users. For example, an application related to voting in the United States may only be relevant to users of age 18 and over.

At this time, the application has not yet been approved for installation. Only after this information is sent to the third-party website does the application normally present the familiar request for permission dialog:


Furthermore, the user isn't even required to click on a link to install a Facebook application. Instead, upon visiting a third-party website, the third-party website can surreptitiously load a dummy Facebook application (e.g., in an iframe, which could be hidden or be a placeholder for an advertisement) that receives the age bracket data automatically. After receiving the data, the rest of the transaction can be simply aborted by the website, without even attempting to load the Facebook application. Additionally, the third-party website is now in possession of the age bracket information and can then display a targeted advertisement via the iframe or through a number of other means, such as dropping a cookie.

1.    User navigates to a shopping website.
2.    The shopping website has an iframe that points to apps.facebook.com/age-check-service, the dummy Facebook Application.
3.    Facebook sends the minimum age, maximum age, country, and locale information to age-check-service.biz—the domain hosting this Facebook Application.
4.    The Facebook Application can now serve targeted content such as a banner ad on the shopping website.

If the user is not logged into Facebook, then the data will contain the correct Locale and Country information but the age will be set to ‘minimum age = 0’. In this situation, you cannot derive the age.

While this data is not personally identifiable information, those users with sensitive privacy concerns may not be aware their age bracket is being sent to third parties without explicit consent. No Facebook privacy settings are available to disable this feature. To prevent this behavior, one must be signed out of Facebook when visiting third-party sites. Be aware that if you are signed into Facebook—prior to the installation of applications—your age bracket, country, and locale information will be leaked.

To read about Facebook’s policies, please visit https://www.facebook.com/policy.php and https://developers.facebook.com/policy/.

Note: “Age-checking-service” is a fictitious name and used here for illustrative purposes only.