Although completely believable and in-line knowing Meta/Facebook’s history, is there any evidence to support this claim? I’m sure it’s, unfortunately, just as easily deployed to specific targets so it may be hard to replicate, but this is pretty huge.
TL;DR: ProtonMail might want to delete this before they get sued by Meta for defamation, because the original research does not say that about Meta, it says it about TikTok.
–
I found the same sources, but if you’ll notice, the article that ProtonMail linked to actually isn’t about that. It’s about a different and new Facebook thing that has iffy privacy settings as well.
It links to another Gizmodo article about it, buried deep in ONE paragraph.
The problem? That article is about TikTok and the things detailed about the javascript injected that’s keylogging is all related to TikTok.
When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.
This paragraph from the article links to this article in question:
He has info on TikTok and Instagram, and while Instagram is injecting javascript into an internal browser instead of the default system browser, it is not noted as capturing text including passwords.
Capturing text and passwords is only ascribed by the security research to TikTok and TikTok alone. Meta companies are using similar Js injection tactics, but they, according to the original research, do not include keylogging.
I’m surprised they didn’t do more research than just a Gizmodo post that references a Gizmodo post that references original research.
It’s like a game of telephone. One person heard something slightly different than the first person did until the message is garbled.
The original research never said Meta applications were doing keylogging. They really should delete or amend this post before they land in legal hot water. Because that could be libelous defamation and Meta has deep pockets.
Although completely believable and in-line knowing Meta/Facebook’s history, is there any evidence to support this claim? I’m sure it’s, unfortunately, just as easily deployed to specific targets so it may be hard to replicate, but this is pretty huge.
Anyone have any links/sources?
EDIT:
Found the source post: https://mastodon.social/@protonmail/111699323585240444
and the article: https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018
TL;DR: ProtonMail might want to delete this before they get sued by Meta for defamation, because the original research does not say that about Meta, it says it about TikTok.
–
I found the same sources, but if you’ll notice, the article that ProtonMail linked to actually isn’t about that. It’s about a different and new Facebook thing that has iffy privacy settings as well.
It links to another Gizmodo article about it, buried deep in ONE paragraph.
The problem? That article is about TikTok and the things detailed about the javascript injected that’s keylogging is all related to TikTok.
This paragraph from the article links to this article in question:
https://gizmodo.com/tiktok-keylogging-privacy-meta-1849433690
This article references Meta a few times but is mostly about TikTok. Then THAT article links to the original blog post:
https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser
He has info on TikTok and Instagram, and while Instagram is injecting javascript into an internal browser instead of the default system browser, it is not noted as capturing text including passwords.
Capturing text and passwords is only ascribed by the security research to TikTok and TikTok alone. Meta companies are using similar Js injection tactics, but they, according to the original research, do not include keylogging.
They might not sue to avoid bringing more attention to it.
It might be better to archive.is and archive.org it.
I dug up this mastodon post and they cited this:
https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018
I’m quite surprised Proton would use Gizmodo as a source. A quote from their articles first paragraph: “[as] Apple and Google beef up privacy”.
I guess they mean all the tech companies try to block each other so that they collect all the data themselves…
I’m surprised they didn’t do more research than just a Gizmodo post that references a Gizmodo post that references original research.
It’s like a game of telephone. One person heard something slightly different than the first person did until the message is garbled.
The original research never said Meta applications were doing keylogging. They really should delete or amend this post before they land in legal hot water. Because that could be libelous defamation and Meta has deep pockets.
I agree. Multiple apps bind to the keypress event to inject functionality. Binding to such event does not automatically imply nefarious intent.
Yes, JavaScript injection tests come back with extra code when opened from within instagram.