Online social networks support a vibrant ecosystem of third-party apps that get access to the personal information of a large number of users. Despite several recent high-profile incidents, methods to systematically detect data misuse by third-party apps on online social networks are lacking. We propose CanaryTrap to detect misuse of data shared with third-party apps. CanaryTrap associates a honeytoken with a user account, shares it with the third-party app, and then monitors different channels for unrecognized use of that honeytoken. We design and implement CanaryTrap to investigate misuse of data shared with third-party apps on Facebook. Specifically, we share the email address associated with a Facebook account as a honeytoken by installing a third-party app. We then monitor the received emails and use Facebook’s ad transparency tool to detect any unrecognized use of the shared honeytoken. Our deployment of CanaryTrap to monitor 1,024 Facebook apps has uncovered multiple cases of misuse of data shared with third-party apps on Facebook, including ransomware, spam, and targeted advertising.
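The email-monitoring channel described above can be sketched as follows. This is an added example, not code from the paper or from CanaryTrap itself. It assumes a one-to-one mapping between honeytoken addresses and apps and a per-app list of recognized sender domains; all addresses, app names and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed mapping (assumption): one honeytoken address shared with one app,
# plus the sender domains we would recognize as belonging to that app.
HONEYTOKENS = {
    "canary-0017@honey.example": {"app": "QuizTime", "domains": {"quiztime.example"}},
    "canary-0042@honey.example": {"app": "PhotoFun", "domains": {"photofun.example"}},
}

# Constructed sample mailbox contents.
SAMPLES = [
    "From: QuizTime <news@mail.quiztime.example>\nTo: canary-0017@honey.example\nSubject: Your results\n\nhi",
    "From: Deals <promo@bulk-offers.example>\nTo: canary-0017@honey.example\nSubject: Win big\n\nhi",
    "From: PhotoFun <no-reply@photofun.example>\nTo: canary-0042@honey.example\nSubject: Welcome\n\nhi",
]

def registrable(domain):
    # Simplification: keep the last two labels. A deployment would use the
    # Public Suffix List to handle suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def classify(raw):
    """Attribute one received email to an app via the honeytoken it was sent to."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers)]
    token = next((r for r in recipients if r in HONEYTOKENS), None)
    if token is None:
        return None  # not addressed to any honeytoken we planted
    # From is unauthenticated; a deployment should also check SPF/DKIM results.
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = registrable(sender.rpartition("@")[2])
    entry = HONEYTOKENS[token]
    return {
        "app": entry["app"],
        "sender_domain": sender_domain,
        "recognized": sender_domain in entry["domains"],
    }

def unrecognized(raw_emails):
    """Return findings where a honeytoken received mail from an unrecognized sender."""
    results = (classify(raw) for raw in raw_emails)
    return [r for r in results if r is not None and not r["recognized"]]

if __name__ == "__main__":
    for finding in unrecognized(SAMPLES):
        print(finding)
```

An unrecognized sender is a lead for manual review, not proof of misuse: the app may legitimately send through a mail provider or a differently named corporate domain.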