• ᗪᗩᗰᑎ@lemmy.ml
    ↑ 189 · ↓ 2 · edited · 10 months ago

    Although completely believable and in-line knowing Meta/Facebook’s history, is there any evidence to support this claim? I’m sure it’s, unfortunately, just as easily deployed to specific targets so it may be hard to replicate, but this is pretty huge.

    Anyone have any links/sources?

    EDIT:

    Found the source post: https://mastodon.social/@protonmail/111699323585240444

    and the article: https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018

    • Snot Flickerman@lemmy.blahaj.zone
      ↑ 209 · ↓ 6 · edited · 10 months ago

      TL;DR: ProtonMail might want to delete this before they get sued by Meta for defamation, because the original research does not say that about Meta, it says it about TikTok.

      I found the same sources, but if you’ll notice, the article that ProtonMail linked to actually isn’t about that. It’s about a different and new Facebook thing that has iffy privacy settings as well.

      It links to another Gizmodo article about it, buried deep in ONE paragraph.

      The problem? That article is about TikTok, and the things detailed about the injected JavaScript that’s keylogging are all related to TikTok.

      When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.

      This paragraph from the article links to this article in question:

      https://gizmodo.com/tiktok-keylogging-privacy-meta-1849433690

      This article references Meta a few times but is mostly about TikTok. Then THAT article links to the original blog post:

      https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser

      He has info on TikTok and Instagram, and while Instagram is injecting JavaScript into an internal browser instead of the default system browser, it is not noted as capturing text including passwords.

      Capturing text and passwords is only ascribed by the security research to TikTok and TikTok alone. Meta companies are using similar JS injection tactics, but they, according to the original research, do not include keylogging.

      • RaoulDook@lemmy.world
        ↑ 69 · ↓ 5 · 10 months ago

        That lines up with everything I’ve read about TikTok being the worst of the spyware social media apps. Unfortunately most online discussion about that subject gets filled with “Whatabout America spying?” posts trying to normalize the acceptance of everybody doing it. The discussions should be about how TikTok is the worst AND Facebook is close on their tails for the race of spying. All of the spyware social media apps are a bad thing.

        • oce 🐆@jlai.lu
          ↑ 26 · ↓ 3 · edited · 10 months ago

          I’m always thinking about the Chinese intelligence agency thinking 10 years ago: “How can we create a spyware that everyone will use so we can collect all the data we want without too much trouble?”. Then they looked at Facebook doing the same for profit and they understood that all they have to do is to create a well designed social media app and make it so trendy that people will be diverted enough to not think about the spying issue. And then they fucking nailed it, it worked so well, I’m impressed. The average people do happily throw away their private life for a shot of well crafted trendy entertainment every day. All the revelations about spying didn’t stop the growth one bit.

        • pop@lemmy.ml
          ↑ 19 · ↓ 9 · edited · 10 months ago

          Whatabout America spying?

          Nobody’s trying to normalize that. Just calling out the blatant hypocrisy. These social media companies started in the US long ago and it has more data than you can possibly imagine. People suddenly mad when a foreign company starts doing something nefarious is on brand for people who want to point fingers at everyone else but themselves.

          Facebook started when https was very rare, browsers sent login authentication in plain text, Internet Explorer was still popular and they probably exploited way more vulnerabilities than TikTok ever did. Facebook, Google, Twitter tracked users through share buttons on websites. Everyone installed multiple Internet Explorer addons with nefarious permissions, malicious code without a single thought. Their owners are billionaires now, exploiting, tracking and selling your data to whoever pays best. It was all common knowledge.

          Where were these concerns for a decade before TikTok even was a thought? If social media companies were held responsible for privacy of the users, when Facebook, Twitter were gaining hold, TikTok wouldn’t even be able to follow in their footsteps.

          I don’t use Facebook anymore and never have used tiktok, but fuck all concern trolling once someone other takes your cake. You reap what you sow.

          Stay mad tho

          • U de Recife@literature.cafe
            ↑ 5 · 10 months ago

            You make a good point worth considering. For all non-USians/non-Chinese out there, all those social media giants are foreign corporations belonging to foreign powers.

            The spying part of it is bad for the spying, not for who’s doing it.

          • RaoulDook@lemmy.world
            ↑ 4 · 10 months ago

            What the fuck are you talking about “Stay mad tho” ? It sounds like you agreed with what I said mostly. This shit is all bad, and that was my point.

      • Zeroc00l@sh.itjust.works
        ↑ 20 · 10 months ago

        I’m quite surprised Proton would use Gizmodo as a source. A quote from their article’s first paragraph: “[as] Apple and Google beef up privacy”.

        I guess they mean all the tech companies try to block each other so that they collect all the data themselves…

    • Shirasho@lemmings.world
      ↑ 10 · ↓ 1 · 10 months ago

      I agree. Multiple apps bind to the keypress event to inject functionality. Binding to such an event does not automatically imply nefarious intent.

  • Luci@lemmy.ca
    ↑ 84 · ↓ 7 · edited · 10 months ago

    Some people in this thread are claiming the article doesn’t mention Facebook.

    I actually read the article. You’re welcome.

    When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.

    Edit: The article Proton got their info from.

      • Poggervania@kbin.social
        ↑ 19 · ↓ 9 · edited · 10 months ago

        But I want to outrage at sensationalized headlines and tweets :( How can I do that if I actually read the articles?

      • ChicoSuave@lemmy.world
        ↑ 5 · ↓ 11 · 10 months ago

        It’s weird how ardently you defend Facebook. This post and one earlier where you insinuated Proton Mail is liable for libel is something a Meta employee would say to dissuade this kind of thinking. But the fact is the researcher, Krause, confirmed that the logging script is present. Meta maliciously spies.

        • Cris@lemmy.world
          ↑ 5 · edited · 10 months ago

          I just went looking for what you were talking about cause I was curious to know more, and from what I can tell, saying “Krause confirmed the logging script is present” is a bit misleading: it implies that the logging script that logs keystrokes is present. It’s possible I missed something but from what I could find, it looks like what he confirmed is that Meta tracks interaction with the elements of pages, like selecting a text box, tapping/clicking on buttons, etc., but I didn’t see anything about keylogging. That’s still super creepy, and is obviously bad, but it doesn’t seem like the person you’re responding to is wrong to say that the findings of the security researcher have been misinterpreted here. And you’re not wrong that they’re absolutely maliciously spying (of course they are, maliciously spying, contributing to genocide in developing countries, and negatively manipulating people’s mental health for profit are Meta’s bread and butter! 😀) but I do think it pays to be accurate when we criticize things, and to not mislead people.

          But if we wanna criticize Meta, may I interest you in: facilitating a horrifying genocide resulting in massive loss of life in Myanmar?

          https://erinkissane.com/meta-in-myanmar-full-series

          Edit: clarified a point, also added the link cause I needed to go find it

        • Jako301@feddit.de
          ↑ 1 · 10 months ago

          While they log a lot of things like all clicks made on the site and what elements you focus on, there was no keylogger script found in Meta’s apps as of now.

          Don’t get me wrong, that’s still a shitty thing to do, but it’s nowhere on the same level as a keylogger that even reads your passwords. If Meta wants to, this can easily end in a defamation case against Proton.
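
Added example (not part of the thread, and not Felix Krause's tool or any app's actual code): the difference the comments above draw between logging clicks and focus and logging keystrokes can be checked from the page side by recording which event types a script subscribes to. The event-type groupings, the function names and the two stand-in scripts are constructed for illustration.

```javascript
// Audit which DOM event types a script subscribes to.
// The two groupings are this example's own classification (an assumption).
const KEYSTROKE_EVENTS = new Set(["keydown", "keypress", "keyup", "input", "beforeinput"]);
const INTERACTION_EVENTS = new Set([
  "click", "focus", "focusin", "blur", "focusout",
  "selectionchange", "touchstart", "touchend", "pointerdown", "scroll",
]);

function classify(type) {
  if (KEYSTROKE_EVENTS.has(type)) return "keystroke";
  if (INTERACTION_EVENTS.has(type)) return "interaction";
  return "other";
}

// Wrap addEventListener on a prototype so every later registration is
// recorded, then passed through unchanged to the original method.
function installListenerAudit(proto) {
  const original = proto.addEventListener;
  const log = [];
  proto.addEventListener = function (type, listener, options) {
    log.push({
      type: String(type),
      category: classify(String(type)),
      target: this && this.constructor ? this.constructor.name : "unknown",
      capture: options === true || Boolean(options && options.capture),
    });
    return original.call(this, type, listener, options);
  };
  return { log, restore() { proto.addEventListener = original; } };
}

// Reduce the raw log to what a reviewer wants to know first:
// does anything subscribe to events that carry typed characters?
function summarize(log) {
  const counts = { keystroke: 0, interaction: 0, other: 0 };
  const keystrokeTypes = new Set();
  for (const entry of log) {
    counts[entry.category] += 1;
    if (entry.category === "keystroke") keystrokeTypes.add(entry.type);
  }
  return {
    counts,
    keystrokeTypes: [...keystrokeTypes].sort(),
    observesTyping: counts.keystroke > 0,
  };
}

// Constructed stand-ins for injected scripts (not taken from any real app).
function interactionOnlyScript(doc) {
  doc.addEventListener("click", () => {});
  doc.addEventListener("focusin", () => {}, true);
  doc.addEventListener("selectionchange", () => {});
}

function typingObserverScript(doc) {
  doc.addEventListener("click", () => {});
  doc.addEventListener("keydown", () => {}, { capture: true });
  doc.addEventListener("input", () => {});
}

// Run one script against a fresh EventTarget with the audit installed.
// In a browser the same hook applies to document and every element,
// because they inherit addEventListener from EventTarget.prototype.
function auditScript(script) {
  const audit = installListenerAudit(EventTarget.prototype);
  try {
    script(new EventTarget());
  } finally {
    audit.restore();
  }
  return summarize(audit.log);
}

console.log("interaction-only:", auditScript(interactionOnlyScript));
console.log("typing observer:", auditScript(typingObserverScript));
```

A keystroke-category registration shows the capability to observe typing, not intent, and registrations made before the hook is installed or from the app's native code never reach it.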

  • BargsimBoyz@lemmy.world
    ↑ 109 · ↓ 48 · 10 months ago

    Don’t let your bias against Meta overcome critical thinking skills.

    As others have mentioned this is just incorrect. I’m no fan of Meta but you are a moron if you think this is happening.

    • CO_Chewie@sh.itjust.works
      ↑ 76 · ↓ 3 · 10 months ago

      Given this is the top comment it should be pointed out that while Proton was incorrect about this being Meta there is research out about TikTok doing this very thing.

      The way you’ve worded your comment makes it seem like this either can’t happen or isn’t happening and that simply isn’t the case.

        • KairuByte@lemmy.dbzer0.com
          ↑ 17 · ↓ 2 · 10 months ago

          All this to say you’re fine with TikTok grabbing your passwords? Because you don’t want to be xenophobic? Weird line but you do you.

            • zingo@lemmy.ca
              ↑ 15 · ↓ 3 · 10 months ago

              Tiktok is Chinese spyware.

              Facebook is American spyware.

              Stop using them!

              End of story.

            • KairuByte@lemmy.dbzer0.com
              ↑ 8 · 10 months ago

              This has nothing to do with being logged into TikTok. This is a link within the TikTok app keylogging credentials as they are entered.

              And for the record, “logged in” isn’t the same as “identified”. Browser and device fingerprinting is very much a thing, and is quite scary in how well it works.

              If you don’t think TikTok has CDNs (or that CDNs are used primarily for tracking?), it makes it clear you don’t actually know what you’re talking about.

              It’s clear you either don’t know, or are being disingenuous about, the dangers of a bad actor in current technology. Especially when most of your argument is “you don’t even need to log in, it’s just so safe!”

          • Omega_Haxors@lemmy.ml
            ↑ 12 · ↓ 6 · edited · 10 months ago

            No, they’re right. They dropped all the bullshit charges the instant they were given control over DikDok’s servers. It was little more than a power play and because americans are so fucking racist that they don’t even realize how racist they are, they all bought it hook/line/sinker.

      • zingo@lemmy.ca
        ↑ 13 · ↓ 4 · edited · 10 months ago

        Agreed, and whoever still uses Facebook in 2024 really needs to get out and meet real ppl and get a life.

        Fuck 500 virtual friends. I’ll trade that in a second for 1 real friend IRL.

    • scarilog@lemmy.world
      ↑ 15 · ↓ 5 · 10 months ago

      Maybe not keylogging but it’s pretty fucking bad still, it tracks basically everything else about how you navigate when using the integrated browser.

  • ipkpjersi@lemmy.ml
    ↑ 48 · ↓ 1 · edited · 10 months ago

    Holy shit, that should be illegal. I say should because I know there’s no way that it currently is.

    • airikr@lemmy.ml
      ↑ 14 · ↓ 27 · 10 months ago

      Microsoft do the same with Windows and as far as I know, they haven’t got fined for it.

    • Echo Dot@feddit.uk
      ↑ 4 · ↓ 25 · 10 months ago

      There’s also no way that it’s happening. You can’t key log with JavaScript. There’s something called cross domain policies or xDomainPolicy which prevent certain types of code being run on one website by a different website.

      • KairuByte@lemmy.dbzer0.com
        ↑ 24 · ↓ 1 · 10 months ago

        Cross domain policies are enforced by the browser. If you’re using a third party app, guess what you’re using as a browser.

        Want an easy example of this? Userscripts on Firefox. Install GreaseMonkey, and you can run whatever the hell you want on any webpage. Keylogging, mouse movements, clicks and navigations. Not hard, and impossible to really stop from the site itself, because no matter what you tell the browser to do, you essentially have to just hope the browser follows through.

        • Blue_Morpho@lemmy.world
          ↑ 2 · ↓ 1 · 10 months ago

          If you’re using a third party app, guess what you’re using as a browser.

          Yes if you are inside Facebook and while inside Facebook click a link to go somewhere else you are still in Facebook and they will keylog everything.

          This is presented as if Facebook/TikTok can keylog everything.

        • Echo Dot@feddit.uk
          ↑ 2 · ↓ 9 · 10 months ago

          Somebody else has already pointed out that it’s already been debunked, so no, it wasn’t happening.

          • FutileRecipe@lemmy.world
            ↑ 8 · edited · 10 months ago

            And somebody else pointed out that that was debunked so yes it’s happening

            Edit: the point I’m hopefully making is that you’re just kinda saying stuff and not even bothering to post a source.

          • KairuByte@lemmy.dbzer0.com
            ↑ 3 · 10 months ago

            I was responding to your claim of “not happening, impossible” with proof of it being possible, and actually fairly easy to implement.

      • crab@lemm.ee
        ↑ 20 · 10 months ago

        But it’s not another website, it would be the web browser within the Facebook app, which could absolutely do that.

          • FutileRecipe@lemmy.world
            ↑ 7 · ↓ 1 · edited · 10 months ago

            Except that this has been debunked, see below

            Edit: the point I’m hopefully making is that you’re just kinda saying stuff and not even bothering to post a source.

  • dez@lemmy.ml
    ↑ 41 · ↓ 2 · 10 months ago

    My main goal in 2018 was to delete Facebook. Unfortunately I’m still using WhatsApp just because everyone uses it and I have no other place to talk with my friends and family.

        • AlecSadler@sh.itjust.works
          ↑ 6 · ↓ 5 · 10 months ago

          I told my friends / family if they wanted to reach me, I’d be on Signal/Molly. Turns out it isn’t that hard to have them download a new app and use it.

          • e$tGyr#J2pqM8v@feddit.nl
            ↑ 3 · ↓ 1 · 10 months ago

            Same here, all the people I care about did. Those I don’t really care about use sms to contact me if they really have to. Of course I miss out on some groups on Whatsapp, but honestly I’m glad. It’s not really useful to be in a lot of Whatsapp groups, it mostly creates a lot of uninteresting messages for you to read.

      • Gabu@lemmy.ml
        ↑ 7 · ↓ 6 · 10 months ago

        Not popular enough. With Whatsapp you get to talk to pretty much everyone, from businesses to second hand sellers to your weird aunt that lives in the middle of the woods.

        • pedroapero@lemmy.ml
          ↑ 4 · ↓ 2 · 10 months ago

          None of those apps is popular enough anyway. You still need SMS + WhatsApp + a couple of others. So adding another one is not so much of a burden. Besides, it works just like WhatsApp from a user standpoint, and no password required.

          • Gabu@lemmy.ml
            ↑ 1 · 10 months ago

            Where I live it sure as fucking hell isn’t the case. Nobody uses SMS anymore, and effectively everyone uses Whatsapp.

    • pistachio@lemmy.ml
      ↑ 7 · edited · 10 months ago

      I think (do correct if wrong!) the EU has approved an interoperability law for big tech companies? So it should be just a matter of time until you can switch messaging app and still be able to communicate with people on wa and big messaging apps

      Ofc if all your friends all use whatsapp zuck will still be able to read all your messages and get your phone number via your contacts… so it’s only a partial solution. Still better than nothing tho.

      Edit https://bgr.com/tech/whatsapp-and-facebook-messenger-are-gatekeepers-in-the-eu-prepare-to-be-confused/

      • e$tGyr#J2pqM8v@feddit.nl
        ↑ 2 · ↓ 1 · 10 months ago

        That link you added is being very very negative about it and even after reading it I really don’t understand why…

    • TWeaK@lemm.ee
      ↑ 7 · ↓ 41 · edited · 10 months ago

      SMS is still a thing. You need to put your foot down to make it happen.

      Edit: May the Monty Python foot squish all downvoters into elderberry jam!

          • Darken@reddthat.com
            ↑ 9 · ↓ 4 · 10 months ago

            Not really, SMS is barely noticed here, you must use WhatsApp messaging otherwise they will wait for a WhatsApp call or a phone call

            • terminhell@lemmy.dbzer0.com
              ↑ 4 · ↓ 5 · 10 months ago

              Is it worth having your credentials sold or stolen cuz people might think less of how they receive the same message in text form from you?

            • Kecessa@sh.itjust.works
              ↑ 11 · ↓ 13 · 10 months ago

              Social drawback? WTF? People already have the app necessary on their phone and they must get SMS for other things, no?

              • OnToTheFuture@thelemmy.club
                ↑ 13 · ↓ 2 · edited · 10 months ago

                Not every country has unlimited talk and text as widely as others. I know my husband’s family uses WhatsApp because they can always hop on their WiFi or a neighbor’s and talk to family, but they can’t always afford to top up their minutes. The social drawback isn’t that they’ll look at you funny, it’s that they might literally not be able to communicate with you.

                Add in that some of those families also play hot potato with phones, swapping who has what phone almost weekly, something that follows the login and not the phone starts to make sense. I know there are better alternatives to WhatsApp and don’t defend it, but getting them as a whole to change apps so they can all communicate would mean a lot of work and energy I can say they don’t have these days.

              • TWeaK@lemm.ee
                ↑ 9 · ↓ 3 · 10 months ago

                Probably referring to group chats and sharing media.

                My point is you need to put your foot down and say “I won’t use WhatsApp. If you want that functionality with me, we can use Signal, but otherwise SMS.”

                WhatsApp really doesn’t have any features that aren’t also in Signal, but Signal isn’t owned by Facebook and was never a vector for zero-click access to your device (NSO’s Pegasus toolkit used WhatsApp calls to get at Android phones, this was involved with Saudi Arabia’s execution of Jamal Khashoggi). WhatsApp is simply not trustworthy, and a massive security risk.

        • TWeaK@lemm.ee
          ↑ 6 · ↓ 1 · 10 months ago

          You say that as if WhatsApp is actually secure, as if Facebook haven’t filled it with backdoors. As if it wasn’t the vector for zero click access to Android phones in Pegasus. SMS could not do that (although iMessages did).

          • evanuggetpi@lemmy.nz
            ↑ 1 · 10 months ago

            Holy shit, if you’re being targeted by nation states or other seriously motivated actors with Pegasus level spyware then they will get you. For everyone else, encrypted platforms like Signal or, yes, WhatsApp, are more secure than fucking SMS.

    • Bizarroland@kbin.social
      ↑ 17 · ↓ 2 · 10 months ago

      Not so simple solution, because other people are using Meta products and using them on you without telling you about it.

      Use Firefox, and install the Facebook container extension so that Meta cannot read your data on the internet.

      • IdiosyncraticIdiot@sh.itjust.works
        ↑ 9 · ↓ 1 · 10 months ago

        Although I still disagree with using Facebook at all, and sorta unsure what you mean by “because other people are using meta products and using them on you without telling you about it” (websites using Meta based SaaS products maybe), if the Facebook container extension is anything like the AWS container extension, I bet it’s a pretty good recommendation. Firefox ALWAYS the best recommendation

      • reev@sh.itjust.works
        ↑ 17 · ↓ 5 · edited · 10 months ago

        Are they still a victim if they’ve been yelled at for close to a decade that these kinds of things are the standard for Facebook/Meta? I’ve tried telling friends and family so damn often but they just don’t care.

        It’s like giving someone you pass on the street your ID, walking away and thinking “man, I can’t believe that guy has my ID”. I’m with you if they really don’t know, I’m sure many don’t. But so many know fully well and just don’t care.

        If you ask me both are to blame. Meta is only in a position where they get away with this stuff because people are practically encouraging it.

        • lseif@sopuli.xyz
          ↑ 5 · ↓ 3 · 10 months ago

          of course there is nuance. you are correct that both are to blame, but many people need to use facebook for family, friends, or work. it sucks that we as a society are so reliant on these companies, but that’s how it is.

          just saying ‘don’t use facebook’ is useless. we can advocate for changes at the same time as encouraging people to alternatives. it’s the same argument with windows/linux.

          • Cringe2793@lemmy.world
            ↑ 8 · ↓ 1 · 10 months ago

            I mean, it’s not that hard to just don’t. If anyone asks, just say I don’t use Facebook. And if they bitch, then so be it.

            If they share you Facebook links, click it if you must, but don’t log in. If you can’t watch the video because you don’t log in, then too bad.

            If it’s for work, then create a work account if absolutely necessary, but don’t use it for your personal shit.

            It’s really that easy.

      • nothingcorporate@lemmy.today
        ↑ 7 · 10 months ago

        Also, lots of sites embed the Meta Pixel. So to avoid it, you have to go into your cookie settings and block all of Meta’s domains and hope you don’t miss one. The internet was supposed to be a platform for all, by all…yet corporations have found a way to ruin the entire place.

      • Mango@lemmy.world
        ↑ 11 · ↓ 8 · edited · 10 months ago

        Are you a victim when you walk into the BDSM club, sign the waivers, call safe words a conspiracy, and cry rape afterwards?

        Edit: How about if you go back in after that?

      • oce 🐆@jlai.lu
        ↑ 5 · ↓ 8 · 10 months ago

        There is information available to make an informed choice, but they don’t. Is there really no guilt?

    • Ferris@infosec.pub
      ↑ 1 · ↓ 1 · 10 months ago

      ‘foresight’ is a gift provided to some folks who conceive things a little outside the norm, i suppose.

  • cayslaconic0j@lemmy.ml
    ↑ 21 · 10 months ago

    I use all social media in browser to give them less access to my device. I clear cache / cookies after use every time. Hopefully that gives them far less personal data.

  • pedroapero@lemmy.ml
    ↑ 17 · ↓ 1 · 10 months ago

    The Facebook mobile webapp works just fine nowadays. Pretty sure it’s even possible to enable notifications in most web browsers. I still don’t get why people are willfully installing apps instead of just pinning web browser bookmarks.

  • ginerel@kbin.social
    ↑ 9 · 10 months ago

    That’s why I set up 2FA on whatever account I can grab my hand on. It sucks that I cannot do it on every single one I have (e.g. some popular names like Spotify, last.fm, Bandcamp or Feedly do not support it, for example), but for every account that I do have, 2FA has become critical lately.

  • mctoasterson@reddthat.com
    ↑ 8 · edited · 10 months ago

    This is especially nefarious paired with their other practices. Many phones’ stock ROMs also ship with preinstalled bloatware including TikTok and Facebook crap.

    I had to use Android developer tools (ADB powershell commands) to remove multiple Facebook and TikTok packages from a friend’s new phone because they can’t be removed any other way. There was no “user visible” FB app but several packages were present and makes me think FB crap may run as “background” by default on several vendors’ stock ROMs. Irritating and deceiving to the consumer.

    I also blacklist all their domains using PiHole so nothing on my home network can covertly back channel any data to their mothership. (Currently using Developer Dan’s lists from GitHub - the Facebook list alone has almost 30,000 hosts on it)

    These big tech surveillance bros can get clapped.