Although completely believable and in-line knowing Meta/Facebook’s history, is there any evidence to support this claim? I’m sure it’s, unfortunately, just as easily deployed to specific targets so it may be hard to replicate, but this is pretty huge.
TL;DR: ProtonMail might want to delete this before they get sued by Meta for defamation, because the original research does not say that about Meta, it says it about TikTok.
–
I found the same sources, but if you’ll notice, the article that ProtonMail linked to actually isn’t about that. It’s about a different and new Facebook thing that has iffy privacy settings as well.
It links to another Gizmodo article about it, buried deep in ONE paragraph.
The problem? That article is about TikTok and the things detailed about the javascript injected that’s keylogging is all related to TikTok.
When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.
This paragraph from the article links to this article in question:
He has info on TikTok and Instagram, and while Instagram is injecting javascript into an internal browser instead of the default system browser, it is not noted as capturing text including passwords.
Capturing text and passwords is only ascribed by the security research to TikTok and TikTok alone. Meta companies are using similar Js injection tactics, but they, according to the original research, do not include keylogging.
That lines up with everything I’ve read about TikTok being the worst of the spyware social media apps. Unfortunately most online discussion about that subject gets filled with “Whatabout America spying?” posts trying to normalize the acceptance of everybody doing it. The discussions should be about how TikTok is the worst AND Facebook is close on their tails for the race of spying. All of the spyware social media apps are a bad thing.
I’m always thinking about Chinese intellegency agency thinking 10 years ago: “How can we create a spyware that everyone will use so we can collect all the data we want without too much troubles?”. Then they looked at Facebook doing the same for profit and they understood that all they have to do is to create a well designed social media app and make it so trendy that people will be diverted enough to not think about the spying issue. And then they fucking nailed it, it worked so well, I’m impressed. The average people do happily through away their private life for a shot of well crafted trendy entertainment everyday. All the revelations about spying didn’t stop the growth one bit.
nobody’s trying to normalize that. Just calling out the blatant hypocrisy. These social media companies started in US long ago and it has more data than you can possibly imagine, People suddenly mad when a foreign company starts doing something nefarious is on brand for people who want to point fingers at everyone else but themselves.
Facebook started when https was very rare, browsers sent login authentication in plain text, internet explorer was still popular and they probably exploited way more vulnerabilities that Tiktok ever did. Facebook, Google, Twitter tracked users through share buttons on websites. Everyone installed multiple Internet explorer addons with nefarious permissions, malicious code without a single thought. Their owners are billionaires now, exploiting, tracking and selling your data to whoever pays best. It was all common knowledge.
Where were these concerns for a decade before tiktok even was a thought. If social media companies were held responsible for privacy of the users, when Facebook, twitter were gaining hold, Tiktok wouldn’t even be able to follow on their footsteps.
I don’t use Facebook anymore and never have used tiktok, but fuck all concern trolling once someone other takes your cake. You reap what you sow.
Objectively false, seeing how Snowden lives in Russia, Assange is actively drugged and tortured, and Chelsea Manning was brainwashed/threatened and became an active NATO spokesperson (and a DJ, but that is just for optics).
The privacy invasion by Western governments and corporations is astronomically normalised amongst the masses, and anyone who does not participate in the digital data rape rituals is a weirdo heretic.
You make a good point worth considering. For all non-USians/non-Chinese out there, all those social media giants are foreign corporations belonging to foreign powers.
The spying part of it is bad for the spying, not for who’s doing it.
Although completely believable and in-line knowing Meta/Facebook’s history, is there any evidence to support this claim? I’m sure it’s, unfortunately, just as easily deployed to specific targets so it may be hard to replicate, but this is pretty huge.
Anyone have any links/sources?
EDIT:
Found the source post: https://mastodon.social/@protonmail/111699323585240444
and the article: https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018
TL;DR: ProtonMail might want to delete this before they get sued by Meta for defamation, because the original research does not say that about Meta, it says it about TikTok.
–
I found the same sources, but if you’ll notice, the article that ProtonMail linked to actually isn’t about that. It’s about a different and new Facebook thing that has iffy privacy settings as well.
It links to another Gizmodo article about it, buried deep in ONE paragraph.
The problem? That article is about TikTok and the things detailed about the javascript injected that’s keylogging is all related to TikTok.
This paragraph from the article links to this article in question:
https://gizmodo.com/tiktok-keylogging-privacy-meta-1849433690
This article references Meta a few times but is mostly about TikTok. Then THAT article links to the original blog post:
https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser
He has info on TikTok and Instagram, and while Instagram is injecting javascript into an internal browser instead of the default system browser, it is not noted as capturing text including passwords.
Capturing text and passwords is only ascribed by the security research to TikTok and TikTok alone. Meta companies are using similar Js injection tactics, but they, according to the original research, do not include keylogging.
That lines up with everything I’ve read about TikTok being the worst of the spyware social media apps. Unfortunately most online discussion about that subject gets filled with “Whatabout America spying?” posts trying to normalize the acceptance of everybody doing it. The discussions should be about how TikTok is the worst AND Facebook is close on their tails for the race of spying. All of the spyware social media apps are a bad thing.
I’m always thinking about Chinese intellegency agency thinking 10 years ago: “How can we create a spyware that everyone will use so we can collect all the data we want without too much troubles?”. Then they looked at Facebook doing the same for profit and they understood that all they have to do is to create a well designed social media app and make it so trendy that people will be diverted enough to not think about the spying issue. And then they fucking nailed it, it worked so well, I’m impressed. The average people do happily through away their private life for a shot of well crafted trendy entertainment everyday. All the revelations about spying didn’t stop the growth one bit.
nobody’s trying to normalize that. Just calling out the blatant hypocrisy. These social media companies started in US long ago and it has more data than you can possibly imagine, People suddenly mad when a foreign company starts doing something nefarious is on brand for people who want to point fingers at everyone else but themselves.
Facebook started when https was very rare, browsers sent login authentication in plain text, internet explorer was still popular and they probably exploited way more vulnerabilities that Tiktok ever did. Facebook, Google, Twitter tracked users through share buttons on websites. Everyone installed multiple Internet explorer addons with nefarious permissions, malicious code without a single thought. Their owners are billionaires now, exploiting, tracking and selling your data to whoever pays best. It was all common knowledge.
Where were these concerns for a decade before tiktok even was a thought. If social media companies were held responsible for privacy of the users, when Facebook, twitter were gaining hold, Tiktok wouldn’t even be able to follow on their footsteps.
I don’t use Facebook anymore and never have used tiktok, but fuck all concern trolling once someone other takes your cake. You reap what you sow.
Stay mad tho
Objectively false, seeing how Snowden lives in Russia, Assange is actively drugged and tortured, and Chelsea Manning was brainwashed/threatened and became an active NATO spokesperson (and a DJ, but that is just for optics).
The privacy invasion by Western governments and corporations is astronomically normalised amongst the masses, and anyone who does not participate in the digital data rape rituals is a weirdo heretic.
You make a good point worth considering. For all non-USians/non-Chinese out there, all those social media giants are foreign corporations belonging to foreign powers.
The spying part of it is bad for the spying, not for who’s doing it.
What the fuck are you talking about “Stay mad tho” ? It sounds like you agreed with what I said mostly. This shit is all bad, and that was my point.
They might not sue to avoid bringing more attention to it.
It might be better to archive.is and archive.org it.
I dug up this mastodon post and they cited this:
https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018
I’m quite surprised Proton would use Gizmodo as a source. A quote from their articles first paragraph: “[as] Apple and Google beef up privacy”.
I guess they mean all the tech companies try to block each other so that they collect all the data themselves…
deleted by creator
I agree. Multiple apps bind to the keypress event to inject functionality. Binding to such event does not automatically imply nefarious intent.
Yes, JavaScript injection tests come back with extra code when opened from within instagram.