1013
Heads up. Facebook keylogs your passwords. (midwest.social)
submitted 8 months ago by Jezebelley3D@midwest.social to c/privacy@lemmy.ml
134 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[-] KLISHDFSDF@lemmy.ml 189 points 8 months ago* (last edited 8 months ago)

Although completely believable and in-line knowing Meta/Facebook's history, is there any evidence to support this claim? I'm sure it's, unfortunately, just as easily deployed to specific targets so it may be hard to replicate, but this is pretty huge.

Anyone have any links/sources?

EDIT:

Found the source post: https://mastodon.social/@protonmail/111699323585240444

and the article: https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018

[-] SnotFlickerman@lemmy.blahaj.zone 205 points 8 months ago* (last edited 8 months ago)

TL;DR: ProtonMail might want to delete this before they get sued by Meta for defamation, because the original research does not say that about Meta, it says it about TikTok.

--

I found the same sources, but if you'll notice, the article that ProtonMail linked to actually isn't about that. It's about a different and new Facebook thing that has iffy privacy settings as well.

It links to another Gizmodo article about it, buried deep in ONE paragraph.

The problem? That article is about TikTok and the things detailed about the javascript injected that's keylogging is all related to TikTok.

When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.

This paragraph from the article links to this article in question:

https://gizmodo.com/tiktok-keylogging-privacy-meta-1849433690

This article references Meta a few times but is mostly about TikTok. Then THAT article links to the original blog post:

https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser

He has info on TikTok and Instagram, and while Instagram is injecting javascript into an internal browser instead of the default system browser, it is not noted as capturing text including passwords.

Capturing text and passwords is only ascribed by the security research to TikTok and TikTok alone. Meta companies are using similar Js injection tactics, but they, according to the original research, do not include keylogging.

[-] RaoulDook@lemmy.world 64 points 8 months ago

That lines up with everything I've read about TikTok being the worst of the spyware social media apps. Unfortunately most online discussion about that subject gets filled with "Whatabout America spying?" posts trying to normalize the acceptance of everybody doing it. The discussions should be about how TikTok is the worst AND Facebook is close on their tails for the race of spying. All of the spyware social media apps are a bad thing.

[-] oce@jlai.lu 23 points 8 months ago* (last edited 8 months ago)

I'm always thinking about Chinese intellegency agency thinking 10 years ago: "How can we create a spyware that everyone will use so we can collect all the data we want without too much troubles?". Then they looked at Facebook doing the same for profit and they understood that all they have to do is to create a well designed social media app and make it so trendy that people will be diverted enough to not think about the spying issue. And then they fucking nailed it, it worked so well, I'm impressed. The average people do happily through away their private life for a shot of well crafted trendy entertainment everyday. All the revelations about spying didn't stop the growth one bit.

[-] pop@lemmy.ml 9 points 8 months ago* (last edited 8 months ago)

Whatabout America spying?

nobody's trying to normalize that. Just calling out the blatant hypocrisy. These social media companies started in US long ago and it has more data than you can possibly imagine, People suddenly mad when a foreign company starts doing something nefarious is on brand for people who want to point fingers at everyone else but themselves.

Facebook started when https was very rare, browsers sent login authentication in plain text, internet explorer was still popular and they probably exploited way more vulnerabilities that Tiktok ever did. Facebook, Google, Twitter tracked users through share buttons on websites. Everyone installed multiple Internet explorer addons with nefarious permissions, malicious code without a single thought. Their owners are billionaires now, exploiting, tracking and selling your data to whoever pays best. It was all common knowledge.

Where were these concerns for a decade before tiktok even was a thought. If social media companies were held responsible for privacy of the users, when Facebook, twitter were gaining hold, Tiktok wouldn't even be able to follow on their footsteps.

I don't use Facebook anymore and never have used tiktok, but fuck all concern trolling once someone other takes your cake. You reap what you sow.

Stay mad tho

load more comments (3 replies)
[-] Venat0r@lemmy.world 17 points 8 months ago

They might not sue to avoid bringing more attention to it.

load more comments (1 replies)
[-] Shadow@lemmy.ca 25 points 8 months ago
[-] Zeroc00l@sh.itjust.works 20 points 8 months ago

I'm quite surprised Proton would use Gizmodo as a source. A quote from their articles first paragraph: "[as] Apple and Google beef up privacy".

I guess they mean all the tech companies try to block each other so that they collect all the data themselves...

[-] Shirasho@lemmings.world 10 points 8 months ago

I agree. Multiple apps bind to the keypress event to inject functionality. Binding to such event does not automatically imply nefarious intent.

load more comments (1 replies)
[-] Luci@lemmy.ca 80 points 8 months ago* (last edited 8 months ago)

Some people in this thread are claiming the article doesn't mention Facebook.

I actually read the article. You're welcome.

When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.

Edit: The article Proton got their info from.

[-] SnotFlickerman@lemmy.blahaj.zone 77 points 8 months ago

https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser

Kraus makes very clear that while Meta apps are also injecting javascript, that he only has evidence of TikTok doing "keylogging" type activities. Both Gizmodo and ProtonMail are wrong in that regard.

It's like nobody has real media literacy anymore, even media organizations.

[-] Poggervania@kbin.social 10 points 8 months ago* (last edited 8 months ago)

But I want to outrage at sensationalized headlines and tweets :( How can I do that if I actually read the articles?

load more comments (3 replies)
[-] DingoBilly@lemmy.world 61 points 8 months ago

Don't let your bias against Meta overcome critical thinking skills.

As others have mentioned this is just incorrect. I'm no fan of Meta but you are a moron if you think this is happening.

[-] CO_Chewie@sh.itjust.works 73 points 8 months ago

Given this is the top comment it should be pointed out that while Proton was incorrect about this being Meta there is research out about TikTok doing this very thing.

The way you've worded your comment makes it seem like this either can't happen or isn't happening and that simply isn't the case.

load more comments (20 replies)
[-] pyrflie@lemm.ee 35 points 8 months ago* (last edited 8 months ago)

You're a moron if you think only Meta is doing this. Teams on Windows is a keystroke logger and has been since launch. It records even mouse movements by microseconds in a plain txt file.

If you are using a mobile app, it's a pretty good bet it's logging every input.

[-] zingo@lemmy.ca 9 points 8 months ago* (last edited 8 months ago)

Agreed, and who ever that still uses Facebook in 2024 really needs to get out and meet real ppl and get a life.

Fuck 500 virtual friends. I'll trade that in a second for 1 real true friend IRL.

load more comments (1 replies)
[-] scarilog@lemmy.world 10 points 8 months ago

Maybe not keylogging but it's pretty fucking bad still, it tracks basically everything else about how you navigate when using the integrated browser.

[-] ipkpjersi@lemmy.ml 47 points 8 months ago* (last edited 8 months ago)

Holy shit, that should be illegal. I say should because I know there's no way that it currently is.

load more comments (21 replies)
[-] dez@lemmy.ml 38 points 8 months ago

My main goal on year 2018 was delete facebook. Unfortunately im still using whatsapp just because everyone uses it and i have no other place to talk with my friends and family.

[-] where_am_i@sh.itjust.works 17 points 8 months ago

Signal, bro.

[-] Crashumbc@lemmy.world 36 points 8 months ago

To do what exactly? Talk to myself?

load more comments (2 replies)
load more comments (8 replies)
load more comments (15 replies)
[-] IdiosyncraticIdiot@sh.itjust.works 37 points 8 months ago

Simple solution: stop using meta products

[-] Bizarroland@kbin.social 15 points 8 months ago

Not so simple solution, because other people are using meta products and using them on you without telling you about it.

Use firefox, and install the Facebook container extension so that meta cannot read your data on the internet.

load more comments (2 replies)
load more comments (6 replies)
[-] Zerush@lemmy.ml 35 points 8 months ago

Facebook keylogs anything, even outside of FB in all pages with FB APIs (any page with an FB share button), if you don't block it with an half a dozen extensions and scripts. For Example with

[-] joe_archer@lemmy.world 33 points 8 months ago

If you're still using the Facebook app in 2024 you deserve everything you get.

[-] lseif@sopuli.xyz 51 points 8 months ago

dont blame the victim.

[-] reev@sh.itjust.works 12 points 8 months ago* (last edited 8 months ago)

Are they still a victim if they've been yelled at for close to a decade that these kinds of things are the standard for Facebook/Meta? I've tried telling friends and family so damn often but they just don't care.

It's like giving someone you pass on the street your ID, walking away and thinking "man, I can't believe that guy has my ID". I'm with you if they really don't know, I'm sure many don't. But so many know fully well and just don't care.

If you ask me both are to blame. Meta is only in a position where they get away with this stuff because people are practically encouraging it.

load more comments (2 replies)
load more comments (3 replies)
load more comments (2 replies)
[-] willington@lemmy.dbzer0.com 26 points 8 months ago* (last edited 8 months ago)

The source article from a security researcher Felix Krause:

https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser

[-] cayslaconic0j@lemmy.ml 21 points 8 months ago

I use all social media in browser to give them less access to my device. I clear cache / cookies after use every time. Hopefully that gives them far less personal data.

load more comments (2 replies)
[-] Xariphon@kbin.social 16 points 8 months ago

So they're just actually pushing malware now?

[-] Isoprenoid@programming.dev 22 points 8 months ago

Always has been.

[-] pedroapero@lemmy.ml 16 points 8 months ago

The Facebook mobile webapp works just fine nowadays. Pretty sure it's even possible to enable notifications in most web browsers. I still don't get why people are willfully installing apps instead of just pinning web browser bookmarks.

load more comments (1 replies)
[-] ginerel@kbin.social 9 points 8 months ago

That's why I set up 2FA on whatever account I can grab my hand on. It sucks that I cannot do it on every single one I have (e.g. some popular names like Spotify, last.fm, Bandcamp or Feedly do not support it, for example), but for every account that I do have, 2FA has become critical lately.

[-] TheAnonymouseJoker@lemmy.ml 9 points 8 months ago* (last edited 8 months ago)

Just block off *.facebook.com in uBlock Origin rules on Firefox (not possible on Chrome) or in system HOSTS ruleset. Leave out the fbcdn.net domain as it only acts as a CDN for videos and images.

Edit: fuck you GrapheneOS, for almost 2 months now, they are mass downvoting my comments, and doing voting manipulation, also abusing federation

load more comments (8 replies)
load more comments
view more: next ›
this post was submitted on 04 Jan 2024
1013 points (94.9% liked)

Privacy

31255 readers
381 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago
MODERATORS
k_o_t@lemmy.ml
tmpod@lemmy.pt
Yayannick@lemmy.ml
ranok@sopuli.xyz