Some people in this thread are claiming the article doesn’t mention Facebook.
I actually read the article. You’re welcome.
When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.
Kraus makes very clear that while Meta apps are also injecting javascript, that he only has evidence of TikTok doing “keylogging” type activities. Both Gizmodo and ProtonMail are wrong in that regard.
It’s like nobody has real media literacy anymore, even media organizations.
It’s weird how ardently you defend Facebook. This post and one earlier where you insinuated Proton Mail is liable for libel is something a Meta employee would say to dissuade this kind of thinking. But the fact is the researcher, Kraus, confirmed that the logging script is present. Meta maliciously spies.
While they log a lot of things like all clicks made on the site and what elements you focus on, there was no keylogger script found in metas apps as of now.
Don’t get me wrong, that’s still a shitty thing to do, but it’s nowhere on the same level as a keylogger that even reads your passwords. If Meta wants to this can easily end in a defamation case against proton.
I just went looking for what you were talking about cause I was curious to know more, and from what I can tell, saying “Kraus confirmed the logging script is present” is a bit misleading- it implies that the logging script that logs keystrokes is present. Its possible I missed something but from what I could find, it looks like what he confirmed is that meta tracks interaction with the elements of pages, like selecting a text box, tapping/clicking on buttons, etc., but I didn’t see anything about keylogging. Thats still super creepy, and is obviously bad, but it doesn’t seem like the person you’re responding to is wrong to say that the findings of the security researcher have been misinterpreted here. And you’re not wrong that they’re absolutely maliciously spying (of course they are, maliciously spying, contributing to genocide in developing countries, and negatively manipulating peoples mental health for profit are meta’s bread and butter! 😀) but I do think it pays to be accurate when we criticize things, and to not mislead people.
But if we wanna criticize meta, may I interest you in: facilitating a horrifying genocide resulting in massive loss of life in Myanmar?
That's why I set up 2FA on whatever account I can grab my hand on. It sucks that I cannot do it on every single one I have (e.g. some popular names like Spotify, last.fm, Bandcamp or Feedly do not support it, for example), but for every account that I do have, 2FA has become critical lately.
Facebook keylogs anything, even outside of FB in all pages with FB APIs (any page with an FB share button), if you don’t block it with an half a dozen extensions and scripts. For Example with
The Facebook mobile webapp works just fine nowadays. Pretty sure it’s even possible to enable notifications in most web browsers. I still don’t get why people are willfully installing apps instead of just pinning web browser bookmarks.
You’re a moron if you think only Meta is doing this. Teams on Windows is a keystroke logger and has been since launch. It records even mouse movements by microseconds in a plain txt file.
If you are using a mobile app, it’s a pretty good bet it’s logging every input.
Given this is the top comment it should be pointed out that while Proton was incorrect about this being Meta there is research out about TikTok doing this very thing.
The way you’ve worded your comment makes it seem like this either can’t happen or isn’t happening and that simply isn’t the case.
I personally do not think I should care about the xenophobic witch hunting of Chinese companies like TikTok and Huawei, even though US feds have never presented any evidence against Huawei, and we know how fair the Congressional hearings were for TikTok.
While TikTok collects basic data, it never forces you to login other than for commenting (for obvious reasons) and similarly personal things, unlike Instagram. If you open an IG link in web browser, you cannot replay the video second time, and if you scroll the account’s posted images and videos, you will not be able to flick through a second time. And it is fair enough to see Western governments’ beloved support for the genocide of Palestinians (unlike the fake Uyghur narrative) and the ousting of Muslims from top positions across all of Western media, there exist open and transparent political and critical reasons to avoid Western media over non-Western media.
TikTok’s data collection is transparently compared to other social media outlets here (not going to trust fancy tech outlets or CNN/Fox). Tiktok is not even in the ballpark, simply by not needing an account or app to use it.
No, they’re right. They dropped all the bullshit charges the instant they were given control over DikDok’s servers. It was little more than a power play and because americans are so fucking racist that they don’t even realize how racist they are, they all bought it hook/line/sinker.
Can you tell me how TikTok is grabbing your passwords without an account, and outside of their app or website? I need an account for Facebook/Instagram, not TikTok.
Do you understand the difference between needing an account versus not needing one for a service? It is wider than the Grand Canyon. That is why I provided those links, and that is why it is critical to note the lack of personal identifier data grabbing with not needing an account. With one, you give phone number, contact book, IMEI, location data, email, some name or pseudonym et al. With the other, none.
Edit: since you have poked the bear, I will growl.
Facebook/Instagram data collection on a user is more than a TikTok user, even if there is an account on both services. On top of this, TikTok does not have tracking pixels, ad networks, CDN and other methods of tracking on other websites, unlike Facebook ecosystem. This allows Facebook ecosystem to correlate, interlink and form data clusters on users and IP addresses. Remember how Facebook ecosystem disallows accountless access? Or how they C&D’d Barinsta developer Austin Huang, citing they dislike anonymous access to Instagram?
This is precisely what makes TikTok objectively so harmless without an account, and even with an account, relatively far less harmful. It does not mean TikTok does not collect data, but the difference is too wide. These are the facts.
And your petty downvote makes it seem like this is too much to swallow.
Old people are also immature, and age is not a determinant of maturity and intelligence. One who deals with things by putting them in boxes in their head, is never a person worthy of listening to.
Mhm, using teenager tactics like gaslighting? You know that is not a very nice netiquette, right? Thought Reddit and 4chan behaviours would be a thing of the past on Lemmy.
This has nothing to do with being logged into TikTok. This is a link within the TikTok app keylogging credentials as they are entered.
And for the record, “logged in” isn’t the same as “identified”. Browser and device fingerprinting is very much a thing, and is quite scary in how well it works.
If you don’t think TikTok has CDNs (or that CDNs are used primarily for tracking?), it makes it clear you don’t actually know what you’re talking about.
It’s clear you either don’t know, or are being disingenuous about, the dangers of a bad actor in current technology. Especially when most of your argument is “you don’t even need to log in, it’s just so safe!”
You use the word “disingenuous”, while not realising your own argument is just that, fully ignoring what I said about TikTok not needing its own app to browse, besides not requiring an account either.
Fingerprinting of browser is far, FAR, FAR more vague than someone installing an app, giving all invasive permissions, giving out phone number, email, name, IMEI, location data and a bunch of other identifiers.
You are dying on the wrong hill, even if you win this little popularity voting contest, because you are objectively incorrect.
A) one service needs you to use the app and keylogs you, and you cannot easily avoid it even on other websites
B) one service that does not need you to use the app, only keylogs on the app, and does not employ this crap via other websites
in the above cases, A and B scenarios are same. No, they are not. Yes, keylogging is bad. But, one of them allows you to avoid it. And you are fucked with the service in scenario A if you must need it.
You’re still not understanding what is being talked about.
Here is the situation being talked about:
You open TikTok on your phone
There is a link to a site within the app
You open the site, it opens inside the TikTok app
You put information into the site
TikTok now has that information
At no point is anyone claiming it’s unavoidable, or spread on countless websites. It’s the app that’s the issue, it’s the app that doing the keylogging.
If I am opening TikTok in a browser, I do not have much to worry about. It can keylog what I search for or comment in TikTok, nothing else. And this is in-app, NOT if Tiktok is used in-browser. On the other hand, I have to block off Facebook domains on system HOSTS level to keep myself safe from malware.
You are wanting to put TikTok in an isolated perspective, while I am pitting it against Facebook, since it is about JS/in-app keylogging tactics, and I am discussing the scope of both services.
To this day I don’t know what or why Google Chrome was using up all the processing power on my laptop while it was installed. As soon as I deleted Chrome, my 12gb laptop ran fine again.
It probably wasn’t keylogging but it was probably not updating itself 24/7 either.
I’d still agree with his statement. Subset of people who could even make the determination in available source code is small compared to total users, now reduce that set to people competent in reverse engineering. “pretty hard” is not a bad description imo
Multiple. I understand that many of you won’t believe or just don’t know about Microsoft’s spying, but that’s the reality. It can happen that I can have wrong with certain things (I’m only human, remember that), but Microsoft spying on you is the fact of why I now using Linux as my main operating system since 2015/2016.
There’s also no way that it’s happening. You can’t key log with JavaScript. There’s something called cross domain policies or xDomainPolicy which prevent certain types of code being run on one website by a different website.
Cross domain policies are enforced by the browser. If you’re using a third party app, guess what you’re using as a browser.
Want an easy example of this? Userscrips on Firefox. Install GreaseMonkey, and you can run whatever the hell you want on any webpage. Keylogging, mouse movements, clicks and navigations. Not hard, and impossible to really stop from the site itself, because no matter what you tell the browser to do, you essentially have to just hope the browser follows through.
My main goal on year 2018 was delete facebook. Unfortunately im still using whatsapp just because everyone uses it and i have no other place to talk with my friends and family.
Not every country has unlimited talk and text as a widely as others. I know my husband’s family uses what’s app because they can always hop on their WiFi or a neighbors and talk to family, but they can’t always afford to top up their minutes. The social drawback isn’t that they’ll look at you funny, it’s that they might literally not be able to communicate with you.
Add in that some of those families also play hot potato with phones, swapping who has what phone almost weekly, something that follows the login and not the phone starts to make sense. I know there are better alternatives to what’s app and don’t defend it, but getting them as a whole to change apps so they can all communicate would mean a lot of work and energy I can say they don’t have these days.
Probably referring to group chats and sharing media.
My point is you need to put your foot down and say “I won’t use WhatsApp. If you want that functionality with me, we can use Signal, but otherwise SMS.”
WhatsApp really doesn’t have any features that aren’t also in Signal, but Signal isn’t owned by Facebook and was never a vector for zero-click access to your device (NSO’s Pegasus toolkit used WhatsApp calls to get at Android phones, this was involved with Saudi Arabia’s execution of Jamal Khashoggi). WhatsApp is simply not trustworthy, and a massive security risk.
You say that as if WhatsApp is actually secure, as if Facebook haven’t filled it with backdoors. As if it wasn’t the vector for zero click access to Android phones in Pegasus. SMS could not do that (although iMessages did).
Holy shit, if you’re being targeted by nation states or other seriously motivated actors with Pegasus level spyware then they will get you. For everyone else, encrypted platforms like Signal or, yes, WhatsApp, are more secure than fucking SMS.
Not popular enough. With Whatsapp you get to talk to pretty much everyone, from businesses to second hand sellers to your weird aunt that lives in the middle of the woods.
None of those app is popular enough anyway. You still need sms + Whatsapp + a couple of others. So adding another one is not so much of a burden. Besides, it works just like Whatsapp from a user standpoint, and no password required.
I told my friends / family if they wanted to reach me, I’d be on Signal/Molly. Turns out it isn’t that hard to have them download a new app and use it.
Same here, all the people I care about did. Those I don’t really care about use sms to contact me if they really have to. Of course I miss out on some groups on Whatsapp, but honestly I’m glad. It’s not really useful to be in a lot of Whatsapp groups, it mostly creates a lot of uninteresting messages for you to read.
I think (do correct if wrong!) the EU has approved an interoperability law for big tech companies? So it should be just a matter of time until you can switch messaging app and still be able to communicate with people on wa and big messaging apps
Ofc if all your friends all use whatsapp zuck will still be able to read all your messages and get your phone number via your contacts… so it’s only a partial solution. Still better than nothing tho.
Also, lots of sites embed the Meta Pixel. So to avoid it, you have to go into your cookie settings and block all of Meta’s domains and hope you don’t miss one. The internet was supposed to be a platform for all, by all…yet corporations have found a way to ruin the entire place.
Are they still a victim if they’ve been yelled at for close to a decade that these kinds of things are the standard for Facebook/Meta? I’ve tried telling friends and family so damn often but they just don’t care.
It’s like giving someone you pass on the street your ID, walking away and thinking “man, I can’t believe that guy has my ID”. I’m with you if they really don’t know, I’m sure many don’t. But so many know fully well and just don’t care.
If you ask me both are to blame. Meta is only in a position where they get away with this stuff because people are practically encouraging it.
of course there is nuance. you are correct that both are to blame, but many people need to use facebook for family, friends, or work. it sucks that we as a society are so reliant on these companies, but thats how it is.
just saying ‘dont use facebook’ is useless. we can advocate for changes at the same time as encouraging people to alternatives. its the same argument with windows/linux.
Just block off *.facebook.com in uBlock Origin rules on Firefox (not possible on Chrome) or in system HOSTS ruleset. Leave out the fbcdn.net domain as it only acts as a CDN for videos and images.
Edit: fuck you GrapheneOS, for almost 2 months now, they are mass downvoting my comments, and doing voting manipulation, also abusing federation
Then the HOSTS ruleset will work. You can use NetGuard or Invizible Pro with your custom HOSTS ruleset on Android, and on laptop/desktop, it is easy no matter if you use Linux, Windows, MacOS, BSD or other OSes. No option for iPhones and iPads.
You know, instance admins can find out who is downvoting and upvoting by checking the database. It doesn’t have to be a mystery if you stand up your own instance. You don’t even have to use it primarily, just get it federating your comments.
Self-hosting is a pain in the ass, and I do not have the time and dedication for it, as someone who has 100 other things in life. I am no longer even a terminally online person, I just come here to check on the state of Lemmy, put on some helpful comments, moderate privacy and technology communities, and go back to real world after dedicating 15-30 minutes a day to Lemmy.
I see, they have started pulling this shit. Probably a good idea to disable third party scripts with uBlock Origin’s medium mode. Atleast that way they will not be able to run their malware JS.
I use hard mode generally, but that sounds like a good reason for people using uBO easy mode to level up.
I use all social media in browser to give them less access to my device. I clear cache / cookies after use every time. Hopefully that gives them far less personal data.
When I was using Facebook I used one of the third party apps - they’re basically a web browser that only browses Facebook, thereby isolating Facebook from any other internet traffic.
This is especially nefarious paired with their other practices. Many phones stock ROMs also ship with preinstalled bloatware including TikTok and Facebook crap.
I had to use Android developer tools (ADB powershell commands) to remove multiple facebook and tiktok packages from a friends new phone because they can’t be removed any other way.
I also blacklist all their domains using PiHole so nothing on my home network can covertly back channel any data to their mothership.
Although i still disagree with using facebook at all, and sorta unsure what you mean by “because other people are using meta products and using them on you without telling you about it” (websites using meta based SaaS products maybe), if the facebook container extension is anything like the aws container extension, I bet it’s a pretty good recommendation. Firefox ALWAYS the best recommendation
Incorrect. In certain European countries it’s widely used, in others not so much. In the ones where it’s more widespread, I still think 99% is very much exaggerating. Maybe you didn’t mean it literally?
Well, WhatsApp is free (as in free beer). The price is contact book and metadata. And even if you did not use WhatsApp, others who use WhatsApp and have your contact already did half the job.
It’s not (a majority of) he users’ fault as WhatsApp was its own company for a long time until they sold to Facebook. I was using WhatsApp long before it became a FB company. Everyone just continued to use it as FB was mostly hands off until they started imposing changes a few years later. But like every other messaging app, once someone is using it forever, it’s hard to move away from it because all their friends and family are using it and have no desire to switch to something else.
Add comment