• ᗪᗩᗰᑎ@lemmy.ml
    link
    fedilink
    arrow-up
    144
    arrow-down
    1
    ·
    edit-2
    11 months ago

    Although completely believable and in-line knowing Meta/Facebook’s history, is there any evidence to support this claim? I’m sure it’s, unfortunately, just as easily deployed to specific targets so it may be hard to replicate, but this is pretty huge.

    Anyone have any links/sources?

    EDIT:

    Found the source post: https://mastodon.social/@protonmail/111699323585240444

    and the article: https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018

    • Snot Flickerman@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      160
      arrow-down
      2
      ·
      edit-2
      11 months ago

      TL;DR: ProtonMail might want to delete this before they get sued by Meta for defamation, because the original research does not say that about Meta, it says it about TikTok.

      I found the same sources, but if you’ll notice, the article that ProtonMail linked to actually isn’t about that. It’s about a different and new Facebook thing that has iffy privacy settings as well.

      It links to another Gizmodo article about it, buried deep in ONE paragraph.

      The problem? That article is about TikTok and the things detailed about the javascript injected that’s keylogging is all related to TikTok.

      When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.

      This paragraph from the article links to this article in question:

      https://gizmodo.com/tiktok-keylogging-privacy-meta-1849433690

      This article references Meta a few times but is mostly about TikTok. Then THAT article links to the original blog post:

      https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser

      He has info on TikTok and Instagram, and while Instagram is injecting javascript into an internal browser instead of the default system browser, it is not noted as capturing text including passwords.

      Capturing text and passwords is only ascribed by the security research to TikTok and TikTok alone. Meta companies are using similar Js injection tactics, but they, according to the original research, do not include keylogging.

      • RaoulDook@lemmy.world
        link
        fedilink
        English
        arrow-up
        45
        arrow-down
        1
        ·
        11 months ago

        That lines up with everything I’ve read about TikTok being the worst of the spyware social media apps. Unfortunately most online discussion about that subject gets filled with “Whatabout America spying?” posts trying to normalize the acceptance of everybody doing it. The discussions should be about how TikTok is the worst AND Facebook is close on their tails for the race of spying. All of the spyware social media apps are a bad thing.

        • oce 🐆@jlai.lu
          link
          fedilink
          arrow-up
          12
          ·
          edit-2
          11 months ago

          I’m always thinking about Chinese intellegency agency thinking 10 years ago: “How can we create a spyware that everyone will use so we can collect all the data we want without too much troubles?”. Then they looked at Facebook doing the same for profit and they understood that all they have to do is to create a well designed social media app and make it so trendy that people will be diverted enough to not think about the spying issue. And then they fucking nailed it, it worked so well, I’m impressed. The average people do happily through away their private life for a shot of well crafted trendy entertainment everyday. All the revelations about spying didn’t stop the growth one bit.

        • pop@lemmy.ml
          link
          fedilink
          arrow-up
          8
          ·
          edit-2
          11 months ago

          Whatabout America spying?

          nobody’s trying to normalize that. Just calling out the blatant hypocrisy. These social media companies started in US long ago and it has more data than you can possibly imagine, People suddenly mad when a foreign company starts doing something nefarious is on brand for people who want to point fingers at everyone else but themselves.

          Facebook started when https was very rare, browsers sent login authentication in plain text, internet explorer was still popular and they probably exploited way more vulnerabilities that Tiktok ever did. Facebook, Google, Twitter tracked users through share buttons on websites. Everyone installed multiple Internet explorer addons with nefarious permissions, malicious code without a single thought. Their owners are billionaires now, exploiting, tracking and selling your data to whoever pays best. It was all common knowledge.

          Where were these concerns for a decade before tiktok even was a thought. If social media companies were held responsible for privacy of the users, when Facebook, twitter were gaining hold, Tiktok wouldn’t even be able to follow on their footsteps.

          I don’t use Facebook anymore and never have used tiktok, but fuck all concern trolling once someone other takes your cake. You reap what you sow.

          Stay mad tho

          • U de Recife@literature.cafe
            link
            fedilink
            arrow-up
            1
            ·
            11 months ago

            You make a good point worth considering. For all non-USians/non-Chinese out there, all those social media giants are foreign corporations belonging to foreign powers.

            The spying part of it is bad for the spying, not for who’s doing it.

      • Zeroc00l@sh.itjust.works
        link
        fedilink
        arrow-up
        16
        ·
        11 months ago

        I’m quite surprised Proton would use Gizmodo as a source. A quote from their articles first paragraph: “[as] Apple and Google beef up privacy”.

        I guess they mean all the tech companies try to block each other so that they collect all the data themselves…

    • Shirasho@lemmings.world
      link
      fedilink
      arrow-up
      6
      ·
      11 months ago

      I agree. Multiple apps bind to the keypress event to inject functionality. Binding to such event does not automatically imply nefarious intent.

  • Luci@lemmy.ca
    link
    fedilink
    English
    arrow-up
    63
    arrow-down
    7
    ·
    edit-2
    11 months ago

    Some people in this thread are claiming the article doesn’t mention Facebook.

    I actually read the article. You’re welcome.

    When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.

    Edit: The article Proton got their info from.

      • Poggervania@kbin.social
        link
        fedilink
        arrow-up
        15
        arrow-down
        8
        ·
        edit-2
        11 months ago

        But I want to outrage at sensationalized headlines and tweets :( How can I do that if I actually read the articles?

      • ChicoSuave@lemmy.world
        link
        fedilink
        arrow-up
        5
        arrow-down
        9
        ·
        11 months ago

        It’s weird how ardently you defend Facebook. This post and one earlier where you insinuated Proton Mail is liable for libel is something a Meta employee would say to dissuade this kind of thinking. But the fact is the researcher, Kraus, confirmed that the logging script is present. Meta maliciously spies.

        • Cris@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          11 months ago

          I just went looking for what you were talking about cause I was curious to know more, and from what I can tell, saying “Kraus confirmed the logging script is present” is a bit misleading- it implies that the logging script that logs keystrokes is present. Its possible I missed something but from what I could find, it looks like what he confirmed is that meta tracks interaction with the elements of pages, like selecting a text box, tapping/clicking on buttons, etc., but I didn’t see anything about keylogging. Thats still super creepy, and is obviously bad, but it doesn’t seem like the person you’re responding to is wrong to say that the findings of the security researcher have been misinterpreted here. And you’re not wrong that they’re absolutely maliciously spying (of course they are, maliciously spying, contributing to genocide in developing countries, and negatively manipulating peoples mental health for profit are meta’s bread and butter! 😀) but I do think it pays to be accurate when we criticize things, and to not mislead people.

          But if we wanna criticize meta, may I interest you in: facilitating a horrifying genocide resulting in massive loss of life in Myanmar?

          https://erinkissane.com/meta-in-myanmar-full-series

          Edit: clarified a point, also added the link cause I needed to go find it

  • DingoBilly@lemmy.world
    link
    fedilink
    arrow-up
    55
    arrow-down
    12
    ·
    11 months ago

    Don’t let your bias against Meta overcome critical thinking skills.

    As others have mentioned this is just incorrect. I’m no fan of Meta but you are a moron if you think this is happening.

    • CO_Chewie@sh.itjust.works
      link
      fedilink
      arrow-up
      17
      ·
      11 months ago

      Given this is the top comment it should be pointed out that while Proton was incorrect about this being Meta there is research out about TikTok doing this very thing.

      The way you’ve worded your comment makes it seem like this either can’t happen or isn’t happening and that simply isn’t the case.

      • TheAnonymouseJoker@lemmy.ml
        link
        fedilink
        arrow-up
        2
        arrow-down
        2
        ·
        11 months ago

        I personally do not think I should care about the xenophobic witch hunting of Chinese companies like TikTok and Huawei, even though US feds have never presented any evidence against Huawei, and we know how fair the Congressional hearings were for TikTok.

        While TikTok collects basic data, it never forces you to login other than for commenting (for obvious reasons) and similarly personal things, unlike Instagram. If you open an IG link in web browser, you cannot replay the video second time, and if you scroll the account’s posted images and videos, you will not be able to flick through a second time. And it is fair enough to see Western governments’ beloved support for the genocide of Palestinians (unlike the fake Uyghur narrative) and the ousting of Muslims from top positions across all of Western media, there exist open and transparent political and critical reasons to avoid Western media over non-Western media.

        TikTok’s data collection is transparently compared to other social media outlets here (not going to trust fancy tech outlets or CNN/Fox). Tiktok is not even in the ballpark, simply by not needing an account or app to use it.

        https://clario.co/blog/which-company-uses-most-data/

        https://www.truepeoplesearch.com/insights/info-tech-companies-collecting-from-you

    • scarilog@lemmy.world
      link
      fedilink
      arrow-up
      10
      arrow-down
      5
      ·
      11 months ago

      Maybe not keylogging but it’s pretty fucking bad still, it tracks basically everything else about how you navigate when using the integrated browser.

    • Bizarroland@kbin.social
      link
      fedilink
      arrow-up
      14
      arrow-down
      3
      ·
      11 months ago

      Not so simple solution, because other people are using meta products and using them on you without telling you about it.

      Use firefox, and install the Facebook container extension so that meta cannot read your data on the internet.

      • IdiosyncraticIdiot@sh.itjust.works
        link
        fedilink
        arrow-up
        6
        arrow-down
        1
        ·
        11 months ago

        Although i still disagree with using facebook at all, and sorta unsure what you mean by “because other people are using meta products and using them on you without telling you about it” (websites using meta based SaaS products maybe), if the facebook container extension is anything like the aws container extension, I bet it’s a pretty good recommendation. Firefox ALWAYS the best recommendation

      • reev@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        1
        ·
        edit-2
        11 months ago

        Are they still a victim if they’ve been yelled at for close to a decade that these kinds of things are the standard for Facebook/Meta? I’ve tried telling friends and family so damn often but they just don’t care.

        It’s like giving someone you pass on the street your ID, walking away and thinking “man, I can’t believe that guy has my ID”. I’m with you if they really don’t know, I’m sure many don’t. But so many know fully well and just don’t care.

        If you ask me both are to blame. Meta is only in a position where they get away with this stuff because people are practically encouraging it.

        • lseif@sopuli.xyz
          link
          fedilink
          arrow-up
          4
          arrow-down
          1
          ·
          11 months ago

          of course there is nuance. you are correct that both are to blame, but many people need to use facebook for family, friends, or work. it sucks that we as a society are so reliant on these companies, but thats how it is.

          just saying ‘dont use facebook’ is useless. we can advocate for changes at the same time as encouraging people to alternatives. its the same argument with windows/linux.

          • Cringe2793@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            11 months ago

            I mean, it’s not that hard to just don’t. If anyone asks, just say I don’t use Facebook. And if they bitch, then so be it.

            If they share you Facebook links, click it if you must, but don’t log in. If you can’t watch the video because you don’t log in, then too bad.

            If it’s for work, then create a work account if absolutely necessary, but don’t use it for your personal shit.

            It’s really that easy.

      • Mango@lemmy.world
        link
        fedilink
        arrow-up
        8
        arrow-down
        5
        ·
        edit-2
        11 months ago

        Are you a victim when you walk into the BDSM club, sign the waivers, call safe words a conspiracy, and cry rape afterwards?

        Edit: How about if you go back in after that?

      • oce 🐆@jlai.lu
        link
        fedilink
        arrow-up
        3
        arrow-down
        6
        ·
        11 months ago

        There is information available to make an informed choice, but they don’t. Is there really no guilt?

    • Ferris@infosec.pub
      link
      fedilink
      arrow-up
      1
      ·
      11 months ago

      ‘foresight’ is a gift provided to some folks who conceive things a little outside the norm, i suppose.

  • dez@lemmy.ml
    link
    fedilink
    arrow-up
    33
    arrow-down
    1
    ·
    11 months ago

    My main goal on year 2018 was delete facebook. Unfortunately im still using whatsapp just because everyone uses it and i have no other place to talk with my friends and family.

      • Gabu@lemmy.ml
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        11 months ago

        Not popular enough. With Whatsapp you get to talk to pretty much everyone, from businesses to second hand sellers to your weird aunt that lives in the middle of the woods.

    • TWeaK@lemm.ee
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      27
      ·
      11 months ago

      SMS is still a thing. You need to put your foot down to make it happen.

          • Darken@reddthat.com
            link
            fedilink
            arrow-up
            5
            arrow-down
            1
            ·
            11 months ago

            Not really, sms is barely noticed here, you must use WhatsApp messaging otherwise they will wait a Whatsapp call or a phone call

            • Kecessa@sh.itjust.works
              link
              fedilink
              arrow-up
              8
              arrow-down
              6
              ·
              11 months ago

              Social drawback? WTF? People already have the app necessary on their phone and they must get SMS for other things, no?

              • OnToTheFuture@thelemmy.club
                link
                fedilink
                arrow-up
                6
                arrow-down
                1
                ·
                edit-2
                11 months ago

                Not every country has unlimited talk and text as a widely as others. I know my husband’s family uses what’s app because they can always hop on their WiFi or a neighbors and talk to family, but they can’t always afford to top up their minutes. The social drawback isn’t that they’ll look at you funny, it’s that they might literally not be able to communicate with you.

                Add in that some of those families also play hot potato with phones, swapping who has what phone almost weekly, something that follows the login and not the phone starts to make sense. I know there are better alternatives to what’s app and don’t defend it, but getting them as a whole to change apps so they can all communicate would mean a lot of work and energy I can say they don’t have these days.

              • TWeaK@lemm.ee
                link
                fedilink
                English
                arrow-up
                5
                arrow-down
                2
                ·
                11 months ago

                Probably referring to group chats and sharing media.

                My point is you need to put your foot down and say “I won’t use WhatsApp. If you want that functionality with me, we can use Signal, but otherwise SMS.”

                WhatsApp really doesn’t have any features that aren’t also in Signal, but Signal isn’t owned by Facebook and was never a vector for zero-click access to your device (NSO’s Pegasus toolkit used WhatsApp calls to get at Android phones, this was involved with Saudi Arabia’s execution of Jamal Khashoggi). WhatsApp is simply not trustworthy, and a massive security risk.

            • terminhell@lemmy.dbzer0.com
              link
              fedilink
              arrow-up
              3
              arrow-down
              3
              ·
              11 months ago

              Is it worth having your credentials sold or stolen cuz people might think less of how they receive the same message in text form from you?

  • ipkpjersi@lemmy.ml
    link
    fedilink
    arrow-up
    30
    arrow-down
    1
    ·
    edit-2
    11 months ago

    Holy shit, that should be illegal. I say should because I know there’s no way that it currently is.

  • cayslaconic0j@lemmy.ml
    link
    fedilink
    arrow-up
    19
    ·
    11 months ago

    I use all social media in browser to give them less access to my device. I clear cache / cookies after use every time. Hopefully that gives them far less personal data.

  • TheAnonymouseJoker@lemmy.ml
    link
    fedilink
    arrow-up
    9
    ·
    11 months ago

    Just block off *.facebook.com in uBlock Origin rules on Firefox (not possible on Chrome) or in system HOSTS ruleset. Leave out the fbcdn.net domain as it only acts as a CDN for videos and images.

  • mctoasterson@reddthat.com
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    11 months ago

    This is especially nefarious paired with their other practices. Many phones stock ROMs also ship with preinstalled bloatware including TikTok and Facebook crap.

    I had to use Android developer tools (ADB powershell commands) to remove multiple facebook and tiktok packages from a friends new phone because they can’t be removed any other way. There was no “user visible” FB app but several packages were present and makes me think FB crap may run as “background” by default on several vendors stock ROMs. Irritating and deceiving to the consumer.

    I also blacklist all their domains using PiHole so nothing on my home network can covertly back channel any data to their mothership. (Currently using Developer Dan’s lists from GitHub - the Facebook list alone has almost 30,000 hosts on it)

    These big tech surveillance bros can get clapped.