Although completely believable and in-line knowing Meta/Facebook’s history, is there any evidence to support this claim? I’m sure it’s, unfortunately, just as easily deployed to specific targets so it may be hard to replicate, but this is pretty huge.
Anyone have any links/sources?
EDIT:
Found the source post: https://mastodon.social/@protonmail/111699323585240444
and the article: https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018
TL;DR: ProtonMail might want to delete this before they get sued by Meta for defamation, because the original research does not say that about Meta, it says it about TikTok.
–
I found the same sources, but if you’ll notice, the article that ProtonMail linked to actually isn’t about that. It’s about a different and new Facebook thing that has iffy privacy settings as well.
It links to another Gizmodo article about it, buried deep in ONE paragraph.
The problem? That article is about TikTok and the things detailed about the javascript injected that’s keylogging is all related to TikTok.
When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.
This paragraph from the article links to this article in question:
https://gizmodo.com/tiktok-keylogging-privacy-meta-1849433690
This article references Meta a few times but is mostly about TikTok. Then THAT article links to the original blog post:
He has info on TikTok and Instagram, and while Instagram is injecting javascript into an internal browser instead of the default system browser, it is not noted as capturing text including passwords.
Capturing text and passwords is only ascribed by the security research to TikTok and TikTok alone. Meta companies are using similar Js injection tactics, but they, according to the original research, do not include keylogging.
That lines up with everything I’ve read about TikTok being the worst of the spyware social media apps. Unfortunately most online discussion about that subject gets filled with “Whatabout America spying?” posts trying to normalize the acceptance of everybody doing it. The discussions should be about how TikTok is the worst AND Facebook is close on their tails for the race of spying. All of the spyware social media apps are a bad thing.
I’m always thinking about Chinese intellegency agency thinking 10 years ago: “How can we create a spyware that everyone will use so we can collect all the data we want without too much troubles?”. Then they looked at Facebook doing the same for profit and they understood that all they have to do is to create a well designed social media app and make it so trendy that people will be diverted enough to not think about the spying issue. And then they fucking nailed it, it worked so well, I’m impressed. The average people do happily through away their private life for a shot of well crafted trendy entertainment everyday. All the revelations about spying didn’t stop the growth one bit.
Whatabout America spying?
nobody’s trying to normalize that. Just calling out the blatant hypocrisy. These social media companies started in US long ago and it has more data than you can possibly imagine, People suddenly mad when a foreign company starts doing something nefarious is on brand for people who want to point fingers at everyone else but themselves.
Facebook started when https was very rare, browsers sent login authentication in plain text, internet explorer was still popular and they probably exploited way more vulnerabilities that Tiktok ever did. Facebook, Google, Twitter tracked users through share buttons on websites. Everyone installed multiple Internet explorer addons with nefarious permissions, malicious code without a single thought. Their owners are billionaires now, exploiting, tracking and selling your data to whoever pays best. It was all common knowledge.
Where were these concerns for a decade before tiktok even was a thought. If social media companies were held responsible for privacy of the users, when Facebook, twitter were gaining hold, Tiktok wouldn’t even be able to follow on their footsteps.
I don’t use Facebook anymore and never have used tiktok, but fuck all concern trolling once someone other takes your cake. You reap what you sow.
Stay mad tho
You make a good point worth considering. For all non-USians/non-Chinese out there, all those social media giants are foreign corporations belonging to foreign powers.
The spying part of it is bad for the spying, not for who’s doing it.
Removed by mod
What the fuck are you talking about “Stay mad tho” ? It sounds like you agreed with what I said mostly. This shit is all bad, and that was my point.
They might not sue to avoid bringing more attention to it.
Removed by mod
I dug up this mastodon post and they cited this:
https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018
I’m quite surprised Proton would use Gizmodo as a source. A quote from their articles first paragraph: “[as] Apple and Google beef up privacy”.
I guess they mean all the tech companies try to block each other so that they collect all the data themselves…
deleted by creator
I agree. Multiple apps bind to the keypress event to inject functionality. Binding to such event does not automatically imply nefarious intent.
Yes, JavaScript injection tests come back with extra code when opened from within instagram.
Some people in this thread are claiming the article doesn’t mention Facebook.
I actually read the article. You’re welcome.
When you click on a link in the Facebook or Instagram apps, the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing.
Edit: The article Proton got their info from.
Kraus makes very clear that while Meta apps are also injecting javascript, that he only has evidence of TikTok doing “keylogging” type activities. Both Gizmodo and ProtonMail are wrong in that regard.
It’s like nobody has real media literacy anymore, even media organizations.
But I want to outrage at sensationalized headlines and tweets :( How can I do that if I actually read the articles?
It’s weird how ardently you defend Facebook. This post and one earlier where you insinuated Proton Mail is liable for libel is something a Meta employee would say to dissuade this kind of thinking. But the fact is the researcher, Kraus, confirmed that the logging script is present. Meta maliciously spies.
I just went looking for what you were talking about cause I was curious to know more, and from what I can tell, saying “Kraus confirmed the logging script is present” is a bit misleading- it implies that the logging script that logs keystrokes is present. Its possible I missed something but from what I could find, it looks like what he confirmed is that meta tracks interaction with the elements of pages, like selecting a text box, tapping/clicking on buttons, etc., but I didn’t see anything about keylogging. Thats still super creepy, and is obviously bad, but it doesn’t seem like the person you’re responding to is wrong to say that the findings of the security researcher have been misinterpreted here. And you’re not wrong that they’re absolutely maliciously spying (of course they are, maliciously spying, contributing to genocide in developing countries, and negatively manipulating peoples mental health for profit are meta’s bread and butter! 😀) but I do think it pays to be accurate when we criticize things, and to not mislead people.
But if we wanna criticize meta, may I interest you in: facilitating a horrifying genocide resulting in massive loss of life in Myanmar?
https://erinkissane.com/meta-in-myanmar-full-series
Edit: clarified a point, also added the link cause I needed to go find it
While they log a lot of things like all clicks made on the site and what elements you focus on, there was no keylogger script found in metas apps as of now.
Don’t get me wrong, that’s still a shitty thing to do, but it’s nowhere on the same level as a keylogger that even reads your passwords. If Meta wants to this can easily end in a defamation case against proton.
Don’t let your bias against Meta overcome critical thinking skills.
As others have mentioned this is just incorrect. I’m no fan of Meta but you are a moron if you think this is happening.
Given this is the top comment it should be pointed out that while Proton was incorrect about this being Meta there is research out about TikTok doing this very thing.
The way you’ve worded your comment makes it seem like this either can’t happen or isn’t happening and that simply isn’t the case.
Removed by mod
All this to say you’re fine with TikTok grabbing your passwords? Because you don’t want to be xenophobic? Weird line but you do you.
Removed by mod
Tiktok is Chinese spyware.
Facebook is American spyware.
Stop using them!
End of story.
Removed by mod
I’ll bet I’m older than you.
Its pretty obvious isn’t it?
This has nothing to do with being logged into TikTok. This is a link within the TikTok app keylogging credentials as they are entered.
And for the record, “logged in” isn’t the same as “identified”. Browser and device fingerprinting is very much a thing, and is quite scary in how well it works.
If you don’t think TikTok has CDNs (or that CDNs are used primarily for tracking?), it makes it clear you don’t actually know what you’re talking about.
It’s clear you either don’t know, or are being disingenuous about, the dangers of a bad actor in current technology. Especially when most of your argument is “you don’t even need to log in, it’s just so safe!”
Removed by mod
“You don’t have to use the app, so it’s not bad that they can key log your info when using it.”
Come the fuck on, there’s no way you’re a real person.
Removed by mod
No, they’re right. They dropped all the bullshit charges the instant they were given control over DikDok’s servers. It was little more than a power play and because americans are so fucking racist that they don’t even realize how racist they are, they all bought it hook/line/sinker.
Removed by mod
Lol WTF!
Removed by mod
deleted by creator
Agreed, and who ever that still uses Facebook in 2024 really needs to get out and meet real ppl and get a life.
Fuck 500 virtual friends. I’ll trade that in a second for 1 real true friend IRL.
but then, you’d have to.
Maybe not keylogging but it’s pretty fucking bad still, it tracks basically everything else about how you navigate when using the integrated browser.
Holy shit, that should be illegal. I say should because I know there’s no way that it currently is.
Microsoft do the same with Windows and as far as I know, they haven’t got fined for it.
Do you have a source for that or you just making it up?
Its supposedly to learn typing habits. Heres how you turn it off.
It’s pretty hard to prove what anyone is doing with closed source code.
deleted by creator
Could be batched, could be encrypted, could be bundled with other data etc etc
Decompilers: Are we a joke to you?
I’d still agree with his statement. Subset of people who could even make the determination in available source code is small compared to total users, now reduce that set to people competent in reverse engineering. “pretty hard” is not a bad description imo
Multiple. I understand that many of you won’t believe or just don’t know about Microsoft’s spying, but that’s the reality. It can happen that I can have wrong with certain things (I’m only human, remember that), but Microsoft spying on you is the fact of why I now using Linux as my main operating system since 2015/2016.
- Disable Keylogger in Windows 11 to Stop Microsoft from Collecting Your Data
- Where does Windows 10 save Keyboard input?
- Windows 11 Keylogger: How to Detect & Disable it
- From a ex-employee at Microsoft: You won’t believe what happens when I turn off Windows 10 telemetry! - @Barnacules
- Microsoft’s own privacy policy page (hit “Learn more” under “Personal data we collect” and scroll down to the bullet list for “Interactions”)
There is a lot more proof out there, but I can’t think straight to be able to find them. So if you want to dig some more, by all means, do it.
To this day I don’t know what or why Google Chrome was using up all the processing power on my laptop while it was installed. As soon as I deleted Chrome, my 12gb laptop ran fine again.
It probably wasn’t keylogging but it was probably not updating itself 24/7 either.
It probably wasn’t keylogging but it was probably not updating itself 24/7 either.
You’d be surprised at how shit Chrome’s autoupdate is.
There’s also no way that it’s happening. You can’t key log with JavaScript. There’s something called cross domain policies or xDomainPolicy which prevent certain types of code being run on one website by a different website.
Cross domain policies are enforced by the browser. If you’re using a third party app, guess what you’re using as a browser.
Want an easy example of this? Userscrips on Firefox. Install GreaseMonkey, and you can run whatever the hell you want on any webpage. Keylogging, mouse movements, clicks and navigations. Not hard, and impossible to really stop from the site itself, because no matter what you tell the browser to do, you essentially have to just hope the browser follows through.
If you’re using a third party app, guess what you’re using as a browser.
Yes if you are inside Facebook and while inside Facebook click a link to go somewhere else you are still in Facebook and they will keylog everything.
This is presented as if Facebook/Toktok can keylog everything.
“Don’t use in-app web browsers”
Somebody else is already pointed out that it’s already been debunked so no it wasn’t happening
And somebody else pointed out that that was debunked so yes it’s happening
Edit: the point I’m hopefully making is that you’re just kinda saying stuff and not even bothering to post a source.
I was responding to your claim of “not happening, impossible” with proof of it being possible, and actually fairly easy to implement.
But it’s not another website, it would be the web browser within the Facebook app, which could absolutely do that.
Except this is already being debunked see above
Except that this this has been debunked see below
Edit: the point I’m hopefully making is that you’re just kinda saying stuff and not even bothering to post a source.
My main goal on year 2018 was delete facebook. Unfortunately im still using whatsapp just because everyone uses it and i have no other place to talk with my friends and family.
Signal, bro.
To do what exactly? Talk to myself?
I told my friends / family if they wanted to reach me, I’d be on Signal/Molly. Turns out it isn’t that hard to have them download a new app and use it.
Same here, all the people I care about did. Those I don’t really care about use sms to contact me if they really have to. Of course I miss out on some groups on Whatsapp, but honestly I’m glad. It’s not really useful to be in a lot of Whatsapp groups, it mostly creates a lot of uninteresting messages for you to read.
Not popular enough. With Whatsapp you get to talk to pretty much everyone, from businesses to second hand sellers to your weird aunt that lives in the middle of the woods.
None of those app is popular enough anyway. You still need sms + Whatsapp + a couple of others. So adding another one is not so much of a burden. Besides, it works just like Whatsapp from a user standpoint, and no password required.
Where I live it sure as fucking hell isn’t the case. Nobody uses SMS anymore, and effectively everyone uses Whatsapp.
No one is important enough to justify using WhatsApp
Not everyone can live as a hermit to fulfil their Zucc-hate boner. Some of us have lives.
Then install signal and tell them you’re on there. Clearly you’re important enough for people to use signal, since you have a life
Riiight, because the corner shop will start using signal just for you…
Removed by mod
I think (do correct if wrong!) the EU has approved an interoperability law for big tech companies? So it should be just a matter of time until you can switch messaging app and still be able to communicate with people on wa and big messaging apps
Ofc if all your friends all use whatsapp zuck will still be able to read all your messages and get your phone number via your contacts… so it’s only a partial solution. Still better than nothing tho.
That link you added is being very very negative about it and even after reading it I really don’t understand why…
SMS is still a thing. You need to put your foot down to make it happen.
Edit: May the Monty Python foot squish all downvoters into elderberry jam!
Nobody uses SMS in my country.
It still works though doesn’t it?
deleted by creator
But it comes with significant social drawbacks. I’m not sure if that’s really a hill worth dying on.
Is it worth having your credentials sold or stolen cuz people might think less of how they receive the same message in text form from you?
Social drawback? WTF? People already have the app necessary on their phone and they must get SMS for other things, no?
Not every country has unlimited talk and text as a widely as others. I know my husband’s family uses what’s app because they can always hop on their WiFi or a neighbors and talk to family, but they can’t always afford to top up their minutes. The social drawback isn’t that they’ll look at you funny, it’s that they might literally not be able to communicate with you.
Add in that some of those families also play hot potato with phones, swapping who has what phone almost weekly, something that follows the login and not the phone starts to make sense. I know there are better alternatives to what’s app and don’t defend it, but getting them as a whole to change apps so they can all communicate would mean a lot of work and energy I can say they don’t have these days.
Probably referring to group chats and sharing media.
My point is you need to put your foot down and say “I won’t use WhatsApp. If you want that functionality with me, we can use Signal, but otherwise SMS.”
WhatsApp really doesn’t have any features that aren’t also in Signal, but Signal isn’t owned by Facebook and was never a vector for zero-click access to your device (NSO’s Pegasus toolkit used WhatsApp calls to get at Android phones, this was involved with Saudi Arabia’s execution of Jamal Khashoggi). WhatsApp is simply not trustworthy, and a massive security risk.
Removed by mod
SMS is unencrypted
You say that as if WhatsApp is actually secure, as if Facebook haven’t filled it with backdoors. As if it wasn’t the vector for zero click access to Android phones in Pegasus. SMS could not do that (although iMessages did).
Holy shit, if you’re being targeted by nation states or other seriously motivated actors with Pegasus level spyware then they will get you. For everyone else, encrypted platforms like Signal or, yes, WhatsApp, are more secure than fucking SMS.
Simple solution: stop using meta products
Not so simple solution, because other people are using meta products and using them on you without telling you about it.
Use firefox, and install the Facebook container extension so that meta cannot read your data on the internet.
Although i still disagree with using facebook at all, and sorta unsure what you mean by “because other people are using meta products and using them on you without telling you about it” (websites using meta based SaaS products maybe), if the facebook container extension is anything like the aws container extension, I bet it’s a pretty good recommendation. Firefox ALWAYS the best recommendation
You’d hope the container would do the trick
Tell that to 99% of Europe where every idiot is using whatsap and the few who don’t are shunned. FML
Removed by mod
One of the greatest evils of capitalism is locking access to society behind a paywall.
Removed by mod
It’s not (a majority of) he users’ fault as WhatsApp was its own company for a long time until they sold to Facebook. I was using WhatsApp long before it became a FB company. Everyone just continued to use it as FB was mostly hands off until they started imposing changes a few years later. But like every other messaging app, once someone is using it forever, it’s hard to move away from it because all their friends and family are using it and have no desire to switch to something else.
Incorrect. In certain European countries it’s widely used, in others not so much. In the ones where it’s more widespread, I still think 99% is very much exaggerating. Maybe you didn’t mean it literally?
Facebook keylogs anything, even outside of FB in all pages with FB APIs (any page with an FB share button), if you don’t block it with an half a dozen extensions and scripts. For Example with
If you’re still using the Facebook app in 2024 you deserve everything you get.
dont blame the victim.
Are they still a victim if they’ve been yelled at for close to a decade that these kinds of things are the standard for Facebook/Meta? I’ve tried telling friends and family so damn often but they just don’t care.
It’s like giving someone you pass on the street your ID, walking away and thinking “man, I can’t believe that guy has my ID”. I’m with you if they really don’t know, I’m sure many don’t. But so many know fully well and just don’t care.
If you ask me both are to blame. Meta is only in a position where they get away with this stuff because people are practically encouraging it.
of course there is nuance. you are correct that both are to blame, but many people need to use facebook for family, friends, or work. it sucks that we as a society are so reliant on these companies, but thats how it is.
just saying ‘dont use facebook’ is useless. we can advocate for changes at the same time as encouraging people to alternatives. its the same argument with windows/linux.
I mean, it’s not that hard to just don’t. If anyone asks, just say I don’t use Facebook. And if they bitch, then so be it.
If they share you Facebook links, click it if you must, but don’t log in. If you can’t watch the video because you don’t log in, then too bad.
If it’s for work, then create a work account if absolutely necessary, but don’t use it for your personal shit.
It’s really that easy.
Also, lots of sites embed the Meta Pixel. So to avoid it, you have to go into your cookie settings and block all of Meta’s domains and hope you don’t miss one. The internet was supposed to be a platform for all, by all…yet corporations have found a way to ruin the entire place.
Are you a victim when you walk into the BDSM club, sign the waivers, call safe words a conspiracy, and cry rape afterwards?
Edit: How about if you go back in after that?
There is information available to make an informed choice, but they don’t. Is there really no guilt?
This is my shocked Pikachu face. Jokes on them, I haven’t used Facebook since I deleted it with prejudice in 2007.
‘foresight’ is a gift provided to some folks who conceive things a little outside the norm, i suppose.
The source article from a security researcher Felix Krause:
I use all social media in browser to give them less access to my device. I clear cache / cookies after use every time. Hopefully that gives them far less personal data.
If you’re an android user you might be very interested in the “Hermit” browser
https://play.google.com/store/apps/details?id=com.chimbori.hermitcrab
When I was using Facebook I used one of the third party apps - they’re basically a web browser that only browses Facebook, thereby isolating Facebook from any other internet traffic.
So they’re just actually pushing malware now?
Always has been.
The Facebook mobile webapp works just fine nowadays. Pretty sure it’s even possible to enable notifications in most web browsers. I still don’t get why people are willfully installing apps instead of just pinning web browser bookmarks.
No educational programs for smart phones?
That’s why I set up 2FA on whatever account I can grab my hand on. It sucks that I cannot do it on every single one I have (e.g. some popular names like Spotify, last.fm, Bandcamp or Feedly do not support it, for example), but for every account that I do have, 2FA has become critical lately.
Removed by mod
I’m curious, what does that have to do with GrapheneOS?
Removed by mod
You know, instance admins can find out who is downvoting and upvoting by checking the database. It doesn’t have to be a mystery if you stand up your own instance. You don’t even have to use it primarily, just get it federating your comments.
Removed by mod
netseer-ipaddr-assoc.xy.fbcdn.net looks to be tracking.
Removed by mod
This is about the web browser within Meta apps, uBlock on another browser won’t help.
Removed by mod
This is especially nefarious paired with their other practices. Many phones stock ROMs also ship with preinstalled bloatware including TikTok and Facebook crap.
I had to use Android developer tools (ADB powershell commands) to remove multiple facebook and tiktok packages from a friends new phone because they can’t be removed any other way. There was no “user visible” FB app but several packages were present and makes me think FB crap may run as “background” by default on several vendors stock ROMs. Irritating and deceiving to the consumer.
I also blacklist all their domains using PiHole so nothing on my home network can covertly back channel any data to their mothership. (Currently using Developer Dan’s lists from GitHub - the Facebook list alone has almost 30,000 hosts on it)
These big tech surveillance bros can get clapped.
Laughs in GrapheneOS
Yeah that’s what I daily drive. It is nice knowing there isn’t a bunch of bundled spyware on your device.