Noelle :verified:

"... the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing."

What the hell?? This is so creepy.

#Meta #JavaScript #Privacy #web #SocialMedia #News #Threads

gizmodo.com/meet-link-history-

65 comments
Michael Gale

@noellemitchell So gross!

edit: TL;DR- Facebook container can’t help with in-app browsing.

Noelle :verified:

@miclgael That's a good point, I wonder if installing that helps with this issue.

tasket

@noellemitchell @miclgael My understanding is that #Firefox now protects you (like the container did) by default. Enhanced Tracking Protection is turned on by default. developer.mozilla.org/en-US/do

However... there may be non-tracking issues it can't remedy, like keylogging. When you interact with a website (really use it) you have to trust it. If that site adds a 3rd-party keylogger then they have a deal to share your data with "partners" anyway. The EU has laws against this but we don't.

tasket

@noellemitchell @miclgael The "loads in special Facebook browser" is probably a practice that Apple and Android could force them to stop. They already place strong restrictions on anything considered to be a 3rd party web browser.

Jason Lefkowitz

@miclgael @noellemitchell It looks like the technique requires you to use the in-app browser in the Facebook app or TikTok app or whatever to work, rather than using a standalone browser. If you use the Facebook app’s in-app browser, the Facebook app can inject whatever tracking scripts it wants into it.

gizmodo.com/tiktok-keylogging-

tasket

@jalefkowit TBH, Meta deploying their own browser and trying to keep people in there (and convince them it's a cool feature) smacks of desperation. 3rd party tracking pixels & cookies have been neutered by a growing number of browsers, so Meta is trying to become the 1st party browser.

Instructions for doing anything on the web should insert a zeroth step: "First, exit the Meta browser and then..." 🙂

JW prince of CPH

@jalefkowit @miclgael @noellemitchell Of note: Every single "Privacy Washing" initiative - i.e. some sort of on-by-default tracking they try to convince you to consent to - from every single corporate social media = thing they're doing anyway, whether you consent or not, sometimes whether you're using their service or not (remember Facebook Beacon?).

It's just an effort to create enough noise to obfuscate their spying.

Alf No Problem

@miclgael @noellemitchell Better yet - do not use Facebook and delete their apps from your phone. Easy. Done that 4 years ago. Cheers! :-)

Kofani

@AlfNoProblem @miclgael @noellemitchell heh, you're now with us here, we are better than your old keyswaspressedlogger)

Josh

@AlfNoProblem @miclgael Wish I could, I have friends who won't use anything else and who I might lose touch with if I just stopped using it. They should have to use an open protocol for chat imo.

cuan_knaggs

@miclgael @noellemitchell this is about the app and the app using its own browser in the app. using FB without the app and in a real browser mitigates some of this. but if you're talking containers in FF look at:
- addons.mozilla.org/en-GB/firef
- addons.mozilla.org/en-GB/firef

Matt Kaatman

@noellemitchell for those who are inclined, #pihole lets you block Facebook entirely.

Matt Kaatman

@noellemitchell "Facebook promises to delete the Link History it’s created for you within 90 days if you turn the setting off." That is super rich considering at a recent deposition, two distinguished engineers testified that no one at Facebook even knows all the systems a user's data is stored in and it would be a monumental effort to find it all.

DeManiak 🇿🇦 🐧

@noellemitchell worst parts of this
- Gizmodo wants me to grant it, and 700+ of its partners the right to track my ass with cookies
- The thought of trying to explain to my family why the Meta link tracking thing is bad.... I just can't. I can just hear the responses: "So? I got nothing to hide!"

Rev. GothAlice

@noellemitchell I used to build systems like these as customer service, diagnostic, and performance analysis tools. Here's a really early one from one of the earliest versions of my Python web framework, WebCore.

The "alt text" explains the images quite a bit. Later versions could "watch live" (like Remote Desktop!) by user or specific session to aid in live support. Chains of requests leading to a bug could be replayed in development, to aid in reproduction, correction, and regression testing.

Web application performance statistics arranged in a horizontal scatter plot. There are two, covering the ranges of the last hour, and the last day. The horizontal axis is time of the request, the vertical axis represents response generation time.

Each range of HTTP status code—client or server error, redirection, or OK—is given a different symbol with a different colour. Each can be focused or hovered over to expose a few details of the request, such as endpoint path, exact response status, exact date and time of the request, authenticated username, time taken to respond, and session ID. Clicking or activating one will bring you to request/response details; the second screenshot.

The details of a specific logged request and response. Broken into sections: general details, request environment, request headers, response headers, and "beaker" session. Later versions incorporated additional sections such as logs generated during the request/response cycle, and database queries issued, as well as the ability to view the exact response issued to the client.

Rev. GothAlice

@noellemitchell WebCore version 0.6.1 (from the footer of the pages) was released on February 9th, 2010.

And, funnily enough, I did not actually include this as a framework feature due to the risk of it being "too evil"—too easy to abuse or unintentionally expose to data theft. Does everyone really check that they've properly configured all of the sensitive variable names, so they aren't captured?

I've worked with PHP in the past.
Everyone does not. 😜
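
An added example, not part of the thread and not WebCore code: the capture-redaction problem raised in the post above, sketched in Python. All field names and values are constructed, and the redaction helpers are hypothetical; it compares two deny-lists of "sensitive variable names" with a fail-closed allow-list.

```python
REDACTED = "[REDACTED]"

# Constructed sample: form fields and headers captured from one logged request.
SAMPLE_REQUEST = {
    "username": "alice",
    "password": "hunter2",
    "passwd_confirm": "hunter2",
    "cc-number": "4111111111111111",
    "X-Api-Token": "tok_constructed_123",
    "pin": "4821",
    "comment": "please ship fast",
}
SECRETS = {"hunter2", "4111111111111111", "tok_constructed_123", "4821"}

DENY_EXACT = {"password", "token"}          # names someone remembered to list
DENY_SUBSTR = ("pass", "token", "secret")   # fuzzier deny-list
ALLOW = {"username", "comment"}             # fields declared safe to record


def redact_exact(fields):
    """Mask a field only when its exact name is on the deny-list."""
    return {k: REDACTED if k in DENY_EXACT else v for k, v in fields.items()}


def redact_substring(fields):
    """Mask a field when its lower-cased name contains a deny-list fragment."""
    return {k: REDACTED if any(s in k.lower() for s in DENY_SUBSTR) else v
            for k, v in fields.items()}


def redact_allowlist(fields):
    """Fail closed: mask every field not explicitly declared safe."""
    return {k: v if k.lower() in ALLOW else REDACTED for k, v in fields.items()}


def leaked(captured):
    """Names of fields whose secret value survived redaction, sorted."""
    return sorted(k for k, v in captured.items() if v in SECRETS)


if __name__ == "__main__":
    for fn in (redact_exact, redact_substring, redact_allowlist):
        print(f"{fn.__name__:18} leaks {leaked(fn(SAMPLE_REQUEST))}")
```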

ideaPDish

@noellemitchell
What happened to the days of focus groups as proxies for usability.

ideaPDish

@noellemitchell
I mean, focus groups who get paid...
For their honest opinions, not free intern suckups.

Schneckbert 🐌

@noellemitchell And this is why EVERYBODY must use noscript and adblockers - and avoid facebook and anything Meta like the plague. Because that's what it is. A plague.

Beachbum

@noellemitchell the alert has been put out about Facebook meta-and TikTok for a couple years now. They are all a huge danger. It’s not just creepy, it’s downright damn dangerous ⚠️

tasket

@noellemitchell Noelle, please consider adding #Threads to the hashtags in this post.

Noelle :verified:

@tasket I didn't think of adding that tag, I'll edit the post and add it.

Bob Tregilus 🐧 📷

@noellemitchell And that is just another reason I have a dedicated browser for FB and Insta. I do nothing else with that browser. And I don't have FB or Insta apps on my phone, nor do I visit their sites with my phone. And I'm going to try real hard to delete my accounts this year.

nellie-m

@elaterite @noellemitchell

Years ago I used to have two FB accounts, work-related, that I deleted after finding out about Facebook’s role in Brexit.

I felt so much better afterwards.

yunchtime

@noellemitchell

Is there no way to stop the fiendish tapeworm named Zuckerberg from attaching itself to our brains?

mike805

@yunchtime @noellemitchell Yes, there is. Do not run any apps from meta. If you must look at facebook use a browser.

Kai

@noellemitchell The TikTok app does the same. I haven't used meta services for 10 years (partly because they use hate as a business model) and I don't use the TikTok app either

DELETED

@noellemitchell
You should look up the connections between Peter Thiel, Mark Zuckerberg, and Elon Musk.
Look up Palantir which was started by Thiel and how it is used by police and intelligence agencies. Don't touch anything connected with Palantir, Peter Thiel, Zuck or Elon.

Dr. Motte

@noellemitchell

#Facebook recently introduced a new setting for "#Linkverlauf" (link history), which creates a special repository for all the links you click on in the mobile #App. Users can opt out, but link history is enabled by default and the data is used for targeted advertising. While lawmakers introduce technical regulations and #Apple and #Google tighten their privacy rules, #Meta is looking for new ways to preserve its data-collection empire.

🌸Lilyana Marie🌸

@noellemitchell Why FB and Tiktok are both domain and IP blocked on my network. There is an internal proxy server available that does allow access if needed. Lets me still use it in a separate browser profile without the risks.

Jiko Rojino

@noellemitchell

I don't have Facebook, Instagram nor WhatsApp on my phone. I've also enabled DuckDuckGo App Tracking Protection. Does that mean I'm safe from Meta's "Link History" and Metapixel tracking?

Noelle :verified:

@jikodesu From what the article says it sounds like everyone is tracked by the Metapixel when you go to a website that has it installed on the site. There might be tracking blockers that can block it but I'm not sure.

Dunbar's Number

@noellemitchell @mxtthxw for anyone who is reading this, please make sure you're using #Firefox with #uBlock Origin and also if you're up for the learning curve, #LibRedirect, though that's not really helpful if you have to log in.

I would also like to suggest trying to migrate over to #PixelFed as an #Instagram replacement and #Friendica as a #Facebook replacement. It took me years to start using my #Mastodon account, the first step is creating it.

If you build it, they will come!

PKPs Powerfromspace1

@noellemitchell we found the privacy hacking security threat it is coming from within the premises 🙄

Marton

@noellemitchell Fortunately on iOS you can turn on external browsing in Messenger.

Noelle :verified:

@marveltech That's good, I'm not sure if Android has that option or not.

__Miguel_

@noellemitchell I feel icky just by reading the toot 🤮

Miro Collas

@noellemitchell Yet people continue to use Meta platforms. :facepalm:

Saphkey 🕊️

@noellemitchell This is why if you need to use facebook, don't use the app.
Use a web-browser app. Ideally one that tracks less, such as Mozilla Firefox.

On android Firefox you can even install extensions like uBlock Origin for extra ad-blocking and tracking protection.

DELETED

@noellemitchell

If people were wise, they would never (ever) install any Meta apps onto their devices.

ADisorderlyFashion

@noellemitchell I thought I recalled them doing the same thing on desktop browsers nearly a decade ago, and since then I've assumed they were definitely doing that on mobile, since everyone just kind of always has a phone on them and turned on at all times, with things like GPS chips and various sensors they can use to get more precise information about where exactly you are, what you're doing, who's with you, etc.

Estarriol, Cat owned Dragon

@noellemitchell why don't they just rebrand as Evil.Inc and be done with it.

DELETED

@noellemitchell But all this is to improve the service to users and provide them with the most useful information to meet their needs.
Isn't it?
Or perhaps?
I wouldn't join Facebook if I were you. I didn't.
Safer.
Surely.

Alex :zelda:

And TikTok still uses its own WebView, evident by the custom User-Agent, but at least it doesn't seem to inject its own js code

DELETED

@noellemitchell

I never ever trusted FACEBOOK and was never a member.

Flock of Cats 🐈 🐈 🐈 🦃

@noellemitchell

Dumb question: how does this stuff get allowed into the App Store?

If a smol developer slipped a keylogger into an app, wouldn’t that get shut down immediately?

kasperd
I don't use the app and I don't intend to install it to verify your claim. Assuming the description is accurate I regard that as a kind of phishing. Users who fall for it think they are typing their password into some website, but in reality they are typing their password into an app controlled by Meta.

Security aware users can protect themselves against this in the same way they protect against other phishing attacks. If you need to log in on a website you don't do it using a link you received through email, Facebook, or other similar channels.

Instead you open the login page using a browser bookmark. Once logged in you can open the link you received if it is from a trustworthy source. If you are then prompted with a login page you know it's phishing.

This assumes there aren't other security vulnerabilities in the browser or the platform. If the Meta app can access browser data in a way that bypasses the security measures I mentioned here, then that should be regarded as a serious security vulnerability in the browser.
Linux Spain

@noellemitchell

Some details on how it is done may be, but the overall information that FB and TT spies on people beyond their own apps and platforms is not exactly news.

gz

@noellemitchell
It really is better not to use the FB spying system as there are other ways to keep in touch with people.

Magenta Rocks

@noellemitchell

The simple and only solution? Delete facebook.

Abe the Honest

@noellemitchell facebook lite allowed you to bypass this as it did not have the integrated browser, but they removed both facebook lite and messenger lite back in august.

Florida atheist:

@noellemitchell

IMHO Meta Inc. - parent company of who knows what.. is at war w. Pvtin. * banned from RU. go chew on that. . I guess.

Piousunyn

@noellemitchell At one time I used Facebook and Twitter, now I have to ask did I quit Meta and X, because I knew their name change would suck?
