• ᗪᗩᗰᑎ@lemmy.ml
    link
    fedilink
    arrow-up
    64
    ·
    edit-2
    1 year ago

    Although completely believable and in-line knowing Meta/Facebook’s history, is there any evidence to support this claim? I’m sure it’s, unfortunately, just as easily deployed to specific targets so it may be hard to replicate, but this is pretty huge.

    Anyone have any links/sources?

    EDIT:

    Found the source post: https://mastodon.social/@protonmail/111699323585240444

    and the article: https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018

    • Snot Flickerman@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      51
      arrow-down
      3
      ·
      edit-2
      1 year ago

      TL;DR: ProtonMail might want to delete this before they get sued by Meta for defamation, because the original research does not say that about Meta, it says it about TikTok.

      I found the same sources, but if you’ll notice, the article that ProtonMail linked to actually isn’t about that. It’s about a different and new Facebook thing that has iffy privacy settings as well.

      It links to another Gizmodo article about it, buried deep in ONE paragraph.

      The problem? That article is about TikTok and the things detailed about the javascript injected that’s keylogging is all related to TikTok.

      When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.

      This paragraph from the article links to this article in question:

      https://gizmodo.com/tiktok-keylogging-privacy-meta-1849433690

      This article references Meta a few times but is mostly about TikTok. Then THAT article links to the original blog post:

      https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser

      He has info on TikTok and Instagram, and while Instagram is injecting javascript into an internal browser instead of the default system browser, it is not noted as capturing text including passwords.

      Capturing text and passwords is only ascribed by the security research to TikTok and TikTok alone. Meta companies are using similar Js injection tactics, but they, according to the original research, do not include keylogging.

      • Zeroc00l@sh.itjust.works
        link
        fedilink
        arrow-up
        8
        ·
        1 year ago

        I’m quite surprised Proton would use Gizmodo as a source. A quote from their articles first paragraph: “[as] Apple and Google beef up privacy”.

        I guess they mean all the tech companies try to block each other so that they collect all the data themselves…

        • Snot Flickerman@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          7
          ·
          edit-2
          1 year ago

          I’m surprised they didn’t do more research than just a Gizmodo post that references a Gizmodo post that references original research.

          It’s like a game of telephone. One person heard something slightly different than the first person did until the message is garbled.

          The original research never said Meta applications were doing keylogging. They really should delete or amend this post before they land in legal hot water. Because that could be libelous defamation and Meta has deep pockets.

    • Shirasho@lemmings.world
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      I agree. Multiple apps bind to the keypress event to inject functionality. Binding to such event does not automatically imply nefarious intent.