You must log in or register to comment.
Although completely believable and in-line knowing Meta/Facebook’s history, is there any evidence to support this claim? I’m sure it’s, unfortunately, just as easily deployed to specific targets so it may be hard to replicate, but this is pretty huge.
Anyone have any links/sources?
TL;DR: ProtonMail might want to delete this before they get sued by Meta for defamation, because the original research does not say that about Meta, it says it about TikTok.
–
I found the same sources, but if you’ll notice, the article that ProtonMail linked to actually isn’t about that. It’s about a different and new Facebook thing that has iffy privacy settings as well.
It links to another Gizmodo article about it, buried deep in ONE paragraph.
The problem? That article is about TikTok and the things detailed about the javascript injected that’s keylogging is all related to TikTok.
When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.
This paragraph from the article links to this article in question:
https://gizmodo.com/tiktok-keylogging-privacy-meta-1849433690
This article references Meta a few times but is mostly about TikTok. Then THAT article links to the original blog post:
He has info on TikTok and Instagram, and while Instagram is injecting javascript into an internal browser instead of the default system browser, it is not noted as capturing text including passwords.
Capturing text and passwords is only ascribed by the security research to TikTok and TikTok alone. Meta companies are using similar Js injection tactics, but they, according to the original research, do not include keylogging.
That lines up with everything I’ve read about TikTok being the worst of the spyware social media apps. Unfortunately most online discussion about that subject gets filled with “Whatabout America spying?” posts trying to normalize the acceptance of everybody doing it. The discussions should be about how TikTok is the worst AND Facebook is close on their tails for the race of spying. All of the spyware social media apps are a bad thing.
I dug up this mastodon post and they cited this:
https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018
I’m quite surprised Proton would use Gizmodo as a source. A quote from their articles first paragraph: “[as] Apple and Google beef up privacy”.
I guess they mean all the tech companies try to block each other so that they collect all the data themselves…
deleted by creator
I agree. Multiple apps bind to the keypress event to inject functionality. Binding to such event does not automatically imply nefarious intent.
Yes, JavaScript injection tests come back with extra code when opened from within instagram.
Some people in this thread are claiming the article doesn’t mention Facebook.
I actually read the article. You’re welcome.
When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.
Edit: The article Proton got their info from.
Kraus makes very clear that while Meta apps are also injecting javascript, that he only has evidence of TikTok doing “keylogging” type activities. Both Gizmodo and ProtonMail are wrong in that regard.
It’s like nobody has real media literacy anymore, even media organizations.
But I want to outrage at sensationalized headlines and tweets :(
Holy shit, that should be illegal. I say should because I know there’s no way that it currently is.
Microsoft do the same with Windows and as far as I know, they haven’t got fined for it.
Do you have a source for that or you just making it up?
Its supposedly to learn typing habits. Heres how you turn it off.
Multiple. I understand that many of you won’t believe or just don’t know about Microsoft’s spying, but that’s the reality. It can happen that I can have wrong with certain things (I’m only human, remember that), but Microsoft spying on you is the fact of why I now using Linux as my main operating system since 2015/2016.
- Disable Keylogger in Windows 11 to Stop Microsoft from Collecting Your Data
- Where does Windows 10 save Keyboard input?
- Windows 11 Keylogger: How to Detect & Disable it
- From a ex-employee at Microsoft: You won’t believe what happens when I turn off Windows 10 telemetry! - @Barnacules
- Microsoft’s own privacy policy page (hit “Learn more” under “Personal data we collect” and scroll down to the bullet list for “Interactions”)
There is a lot more proof out there, but I can’t think straight to be able to find them. So if you want to dig some more, by all means, do it.
There’s also no way that it’s happening. You can’t key log with JavaScript. There’s something called cross domain policies or xDomainPolicy which prevent certain types of code being run on one website by a different website.
Cross domain policies are enforced by the browser. If you’re using a third party app, guess what you’re using as a browser.
Want an easy example of this? Userscrips on Firefox. Install GreaseMonkey, and you can run whatever the hell you want on any webpage. Keylogging, mouse movements, clicks and navigations. Not hard, and impossible to really stop from the site itself, because no matter what you tell the browser to do, you essentially have to just hope the browser follows through.
Somebody else is already pointed out that it’s already been debunked so no it wasn’t happening
I was responding to your claim of “not happening, impossible” with proof of it being possible, and actually fairly easy to implement.
But it’s not another website, it would be the web browser within the Facebook app, which could absolutely do that.
Except this is already being debunked see above
My main goal on year 2018 was delete facebook. Unfortunately im still using whatsapp just because everyone uses it and i have no other place to talk with my friends and family.
Signal, bro.
Not popular enough. With Whatsapp you get to talk to pretty much everyone, from businesses to second hand sellers to your weird aunt that lives in the middle of the woods.
None of those app is popular enough anyway. You still need sms + Whatsapp + a couple of others. So adding another one is not so much of a burden. Besides, it works just like Whatsapp from a user standpoint, and no password required.
No one is important enough to justify using WhatsApp
Not everyone can live as a hermit to fulfil their Zucc-hate boner. Some of us have lives.
Then install signal and tell them you’re on there. Clearly you’re important enough for people to use signal, since you have a life
Riiight, because the corner shop will start using signal just for you…
I think (do correct if wrong!) the EU has approved an interoperability law for big tech companies? So it should be just a matter of time until you can switch messaging app and still be able to communicate with people on wa and big messaging apps
Ofc if your friends all use whatsapp zuck will still be able to read all your messages and get your phone number via your contacts… so it’s only a partial solution. Still better than nothing tho.
That link you added is being very very negative about it and even after reading it I really don’t understand why…
SMS is still a thing. You need to put your foot down to make it happen.
Nobody uses SMS in my country.
It still works though doesn’t it?
deleted by creator
SMS is unencrypted
You say that as if WhatsApp is actually secure, as if Facebook haven’t filled it with backdoors. As if it wasn’t the vector for zero click access to Android phones in Pegasus. SMS could not do that (although iMessages did).
Simple solution: stop using meta products
Not so simple solution, because other people are using meta products and using them on you without telling you about it.
Use firefox, and install the Facebook container extension so that meta cannot read your data on the internet.
Although i still disagree with using facebook at all, and sorta unsure what you mean by “because other people are using meta products and using them on you without telling you about it” (websites using meta based SaaS products maybe), if the facebook container extension is anything like the aws container extension, I bet it’s a pretty good recommendation. Firefox ALWAYS the best recommendation
You’d hope the container would do the trick
Facebook keylogs anything, even outside of FB in all pages with FB APIs (any page with an FB share button), if you don’t block it with an half a dozen extensions and scripts. For Example with
The source article from a security researcher Felix Krause:
I use all social media in browser to give them less access to my device. I clear cache / cookies after use every time. Hopefully that gives them far less personal data.
If you’re an android user you might be very interested in the “Hermit” browser
https://play.google.com/store/apps/details?id=com.chimbori.hermitcrab
When I was using Facebook I used one of the third party apps - they’re basically a web browser that only browses Facebook, thereby isolating Facebook from any other internet traffic.
So they’re just actually pushing malware now?
Always has been.
The Facebook mobile webapp works just fine nowadays. Pretty sure it’s even possible to enable notifications in most web browsers. I still don’t get why people are willfully installing apps instead of just pinning web browser bookmarks.
That’s why I set up 2FA on whatever account I can grab my hand on. It sucks that I cannot do it on every single one I have (e.g. some popular names like Spotify, last.fm, Bandcamp or Feedly do not support it, for example), but for every account that I do have, 2FA has become critical lately.
This is especially nefarious paired with their other practices. Many phones stock ROMs also ship with preinstalled bloatware including TikTok and Facebook crap.
I had to use Android developer tools (ADB powershell commands) to remove multiple facebook and tiktok packages from a friends new phone because they can’t be removed any other way. There was no “user visible” FB app but several packages were present and makes me think FB crap may run as “background” by default on several vendors stock ROMs. Irritating and deceiving to the consumer.
I also blacklist all their domains using PiHole so nothing on my home network can covertly back channel any data to their mothership. (Currently using Developer Dan’s lists from GitHub - the Facebook list alone has almost 30,000 hosts on it)
These big tech surveillance bros can get clapped.
Laughs in GrapheneOS
Does Google also do this with their in-app browser in their search app?
