We study inference attacks that can be launched via
the extension API of Facebook. We explain the threat
of these attacks through a reduction to authentication
attacks, devise a taxonomy for such attacks, and propose
a risk metric to help subscribers of third-party
applications refine their privacy expectations.