• 𝕸𝖔𝖘𝖘@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    2
    ·
    2 months ago

    If truly masked, it might be fine. But the site has to gather that data in order to append it to the API call and it, therefore, mean that they could keep it (even of they actually may not). There are ways around it, such as with session tokens passed between the social media’s page and the bank’s official API page. But, knowing fb, they won’t use the latter.

    • InverseParallax@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      Obviously not, it’s like Google authentication , you log into a site, doesn’t mean the site can see your Gmail.