I'm curious to see what FB does to mitigate this sort of data grab in the future. Is there anything stopping them from creating a walled garden around user data? For instance, they could enforce that any code with access to user PII has to be run on their servers, and all results can only display aggregate data? It still can be manipulated, but it seems like it would be harder.
FB would have to not give personally identifying info (PII) to the app in the first place. The main reasons apps (from a user's perspective) need PII are 1) display it to you or someone else in the app, or 2) perform a calculation or action on it (e.g. send a text to a phone number, or display an ad to women aged 20-28). If all I have is a user ID, FB can make it possible to do both without ever accessing PII.
For #1: PII could be embedded using an iframe and a URL. You could even pass data (such as templates) in with URL params.
For #2: FB would expose endpoints that allow actions (such as send this email to the user). They could make it as generic as they needed, up to running arbitrary code on a VM, minus networking calls.
Facebook without PII is worthless. All that security is irrelevant when you can just bypass it all through the analogue hole. Chrome Headless just makes it easier.