Although completely believable and in-line knowing Meta/Facebook’s history, is there any evidence to support this claim? I’m sure it’s, unfortunately, just as easily deployed to specific targets so it may be hard to replicate, but this is pretty huge.
Anyone have any links/sources?
EDIT:
Found the source post: https://mastodon.social/@protonmail/111699323585240444
and the article: https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018
TL;DR: ProtonMail might want to delete this before they get sued by Meta for defamation, because the original research does not say that about Meta, it says it about TikTok.
–
I found the same sources, but if you’ll notice, the article that ProtonMail linked to actually isn’t about that. It’s about a different and new Facebook thing that has iffy privacy settings as well.
It links to another Gizmodo article about it, buried deep in ONE paragraph.
The problem? That article is about TikTok, and the things detailed about the injected JavaScript that's keylogging are all related to TikTok.
When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.
This paragraph from the article links to this article in question:
https://gizmodo.com/tiktok-keylogging-privacy-meta-1849433690
This article references Meta a few times but is mostly about TikTok. Then THAT article links to the original blog post:
He has info on TikTok and Instagram, and while Instagram is injecting JavaScript into an internal browser instead of the default system browser, it is not noted as capturing text including passwords.
Capturing text and passwords is only ascribed by the security research to TikTok and TikTok alone. Meta companies are using similar JS injection tactics, but they, according to the original research, do not include keylogging.
They might not sue to avoid bringing more attention to it.
It might be better to archive.is and archive.org it.
I dug up this Mastodon post and they cited this:
https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018
I’m quite surprised Proton would use Gizmodo as a source. A quote from their article’s first paragraph: “[as] Apple and Google beef up privacy”.
I guess they mean all the tech companies try to block each other so that they collect all the data themselves…
I’m surprised they didn’t do more research than just a Gizmodo post that references a Gizmodo post that references original research.
It’s like a game of telephone. One person heard something slightly different than the first person did until the message is garbled.
The original research never said Meta applications were doing keylogging. They really should delete or amend this post before they land in legal hot water. Because that could be libelous defamation and Meta has deep pockets.
I agree. Multiple apps bind to the keypress event to inject functionality. Binding to such an event does not automatically imply nefarious intent.
Yes, JavaScript injection tests come back with extra code when opened from within Instagram.
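As an added illustration of the point in the comments above (binding to key events is observable, and observing it shows what was hooked, not why), here is a page-side audit of listener registrations. It is not from the thread or from the original research; `installListenerAudit`, `KEY_EVENTS` and `demo` are names made up for this sketch, and the sample target is constructed.

```javascript
// Added example: record which event listeners get registered, so code that
// hooks keyboard or input events becomes visible to the page owner.
// KEY_EVENTS is an illustrative choice of event types, not an official list.
const KEY_EVENTS = new Set(["keydown", "keypress", "keyup", "input", "beforeinput"]);

function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const log = [];
  proto.addEventListener = function (type, listener, options) {
    log.push({
      type: String(type),
      keystrokeRelated: KEY_EVENTS.has(String(type)),
      target: this && this.constructor ? this.constructor.name : "unknown",
      // Caller frame is only a hint: stack formats differ between engines.
      registeredFrom: (new Error().stack || "").split("\n")[2]?.trim() || "unknown",
    });
    // Always forward, so the page keeps working exactly as before.
    return original.call(this, type, listener, options);
  };
  return {
    log,
    keystrokeListeners: () => log.filter((entry) => entry.keystrokeRelated),
    restore: () => { proto.addEventListener = original; },
  };
}

// Constructed demo: a bare EventTarget stands in for an <input> element.
function demo() {
  const audit = installListenerAudit();
  const field = new EventTarget();
  let fired = 0;
  field.addEventListener("click", () => {});
  field.addEventListener("keypress", () => { fired += 1; });
  field.dispatchEvent(new Event("keypress")); // listener still runs
  audit.restore();
  field.addEventListener("keyup", () => {}); // after restore: not recorded
  return {
    total: audit.log.length,
    keyTypes: audit.keystrokeListeners().map((entry) => entry.type),
    fired,
  };
}
```

Listeners registered before the wrapper is installed are not recorded, so the audit has to run as early as the page can manage.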
Some people in this thread are claiming the article doesn’t mention Facebook.
I actually read the article. You’re welcome.
When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.
Edit: The article Proton got their info from.
Krause makes very clear that while Meta apps are also injecting JavaScript, he only has evidence of TikTok doing “keylogging” type activities. Both Gizmodo and ProtonMail are wrong in that regard.
It’s like nobody has real media literacy anymore, even media organizations.
But I want to outrage at sensationalized headlines and tweets :( How can I do that if I actually read the articles?
Simple solution: stop using Meta products
Not so simple solution, because other people are using Meta products and using them on you without telling you about it.
Use Firefox, and install the Facebook Container extension so that Meta cannot read your data on the internet.
Although I still disagree with using Facebook at all, and I'm sorta unsure what you mean by “because other people are using meta products and using them on you without telling you about it” (websites using Meta-based SaaS products maybe), if the Facebook Container extension is anything like the AWS container extension, I bet it’s a pretty good recommendation. Firefox ALWAYS the best recommendation
You’d hope the container would do the trick
So they’re just actually pushing malware now?
Always has been.
That’s why I set up 2FA on whatever account I can get my hands on. It sucks that I cannot do it on every single one I have (e.g. some popular names like Spotify, last.fm, Bandcamp or Feedly do not support it), but for every account that I do have, 2FA has become critical lately.