"VP of Integrity at Meta"
The rational universe has just exploded.
We're all living in the Matrix now.
Multiple Chrome browser extensions make use of a session token for Meta's Facebook that grants access to signed-in users' social network data in a way that violates the company's policies and leaves users open to potential privacy violations. Security researcher Zach Edwards last week noted that Brave had blocked a Chrome …
I thought it was a joke & nearly choked on my drink as the laughter bubbled up to my lips, but then realized they were _Serious_ about the job title & can only blink in disbelief.
*Starts handing out pints of MindBleach*
Drink up, it's Thursday & nobody ever gets the hang of those...
---> see icon
It reads a bit like how Orwell explained the government departments in 1984
The Ministry of Love is responsible for hate.
The Ministry of Truth is responsible for lies.
The Ministry of Peace is responsible for war.
The VP of Integrity is responsible for ... corruption?
The token, we're told, is not the problem. Rather, browser extensions allow users to automate Facebook activities.
and
Even so, abuse of these sorts of tokens looks likely to continue because Meta says they have legitimate use cases...
They are saying: a) not our fault, b) we don't really care, and c) we need this. Therefore, we are not going to do anything.
That is exactly as you would expect. The users are of no real interest. Only the user's data is of interest. If that can be abused, ah well, that is a minute side effect. The motto is "we'll do nothing as long as we get more money than it costs".
As part of that deal, Facebook committed to limiting third-party access to user data.
Unless they get paid for it, in which case profit.
On a personal note, I recently posted to FB for the first time in several years. It was a quick note about a Magritte print I had never seen before. I can only guess at the consternation this caused the algorithms Meta employs to track users. If they can make a profit off that, more power to them.
Someone combined various exploits, zero-day flaws, and all the other security issues to gain illegal access to FB's data servers, upload a worm that replicated itself to all their active & passive data storage resources, then all went off in a coordinated attack to destroy every last bit & byte of archive, current, & future data.
Would FB implode like a balloon suddenly developing a black hole inside, or would it explode like the Big Bang?
I'd be willing to provide the popcorn while watching it happen... =-J
*Inserts a giant, 99 point, neon, blinking, scrolling marquee, bold, underlined, & italicized sarcasm tag*
I think the best way to approach this is not to be deleting data as that would get noticed quite quickly and can probably be restored from replication sites and backups.
The best way is probably for a worm to quietly make minor changes that reduce the value of the data. Find users with more than a hundred friends and add a few random people and unfriend some others. Find people that have 'liked' hundreds of brands and 'unlike' a few of those but replace them with random others. Find people that have lived in more than five places according to their profile and add another some way back. They probably wouldn't notice.
It's all about tainting the data and throwing the algorithms off. Ultimately you want their profiling to become less accurate because the accurate profiling is FB's main source of income.
That's also why I'd never recommend just deleting your FB profile; I'd spend some time tainting the data first. First you change a few letters in your name (FB appears less strict on the "real name policy" nowadays as they are haemorrhaging enough users as it is), perhaps one letter a week. Then slowly, a couple a day, unfriend contacts and unlike brands, films, bands etc. Perhaps replace them with other random ones. After a month or so you "move" to Ecuador/Laos/Burundi and start connecting with local people there, like local bands, follow local news, etc. Then change your language settings to the local language of your new "home". Let that simmer for a bit, accept suggestions for local bands or news sites to follow, unfriend a couple more people from your old country. Two months in and your profile and what FB "knows" about you has changed significantly. Only then close your account.
It's not quite the same argument as claiming "View Source" makes you a hacker, but it comes close.
If the browser environment makes it possible for legitimately- and illegitimately-acquired access tokens to be combined to achieve unauthorised access, then you shouldn't be issuing tokens that can easily be acquired illegitimately.
As for "legitimate use cases", I find myself struggling to imagine what they might be for Facebook as a whole. I suppose it keeps Nick Clegg out of government but it would be difficult to justify on that basis alone.
"Multiple Chrome browser extensions make use of a session token for Meta's Facebook that grants access to signed-in users' social network data in a way that violates the company's policies and leaves users open to potential privacy violations."
I thought privacy was violated by using Facebook.
And I refuse to use their new name, just like I do with Google.
In the words of an old song,
They Want It All by The Byrds
They want it all, they want it now
They want to get it and they don't care how
They want it all, they want it now
http://www.traditionalmusic.co.uk/byrds/they-want-it-all.htm
How prophetic they were.
Suck on this Zuck -> see icon
You can put a lock on your door. Or you can not bother and report anybody who harmlessly wanders through your property to the police. But don't then whine that the police have better things to do than play whack-a-mole with everyone who decides to visit your property.
Chrome is built from the ground up to violate one's privacy and rape as much data as it can for the benefit of Google. Is it any surprise that all of a sudden the whole Swiss cheese leaks all over the place? Think about it. Chrome is engineered from the ground up not to respect privacy but to rake data to its servers. So using Chrome is kind of silly if you want your privacy. In fact, I don't trust a single browser to respect my data and my privacy on the internet. Everything downwind is to be expected, and if it blows up in the users' faces and in the company's servers, put the finger where it hurts: Google. If anyone's responsible for the mess it's them. They allow by design the rape of as much data as can be done. Damn the users.
Yet there is a big groundswell in the use of Chrome in the WordPress development community. Several of them who are in my local WP user group seem oblivious to the dangers of it. Several of the tools that you use to measure WP site performance only play ball when run from Chrome. Some are even hosted by Google.
My firewall refuses to let Chrome phone home. That is the least I can do in the fight against Google Spying on its users.
The same goes for Facebook. All blocked at my firewall. Anyone who says, follow me on FB gets told politely that I won't because I don't use it and never will.
Yes, my resistance is probably futile, and some gubbermint will pass a law making it mandatory for everyone to be on their social media platform.... such as 'Truth Social' perhaps?
Two hyenas fighting over the same kill. Unfortunately, we're the kill, whether we use farcebook or gooooooogle or we don't. Legislation is long overdue, but unfortunately the politicians are too careful of their future board appointments to act for the common good. Indeed the recent UK proposals on revised privacy legislation do nothing other than weaken its protections.
"Meta's spokesperson said [..] If the token has not been transmitted to the extension developer's server, as appears to be the case with the L.O.C. extension, then uninstalling the extension will also cause the token to expire"
So what? LOC isn't the main issue (and probably isn't malicious). The problem is what it's exposed, and another, more malicious plugin *could* easily do just that.
This post has been deleted by its author
The invisible links to FB in the email HTML are probably responsible for that.
There are two solutions:
1) Don't click on the link; then you won't know that you are already logged in.
2) Start blocking all access to FB. Delete your account and tell all your email contacts that you are not on FB for security reasons and that they should stop sending you FB links.
Then get on with life and erase FB from your consciousness.
I blocked FB, WhatsApp, Twitter etc. years ago. Simply doing that removes a huge great amount of stress in your life. Deciding that you simply don't care who says what about someone else is the first step in getting yourself off the drug that is social media.
“Though Facebook vowed to put in place measures to prevent another Cambridge Analytica fiasco, the Creators Studio access tokens in the hands of a malicious and widely installed Chrome extension could lead to a repeat of history.”
Or… “Nuts! Another lost opportunity thanks to some paranoid Meta developer” who blew the cover story.