
Facebook users sue Meta for bypassing beefy Apple security to spy on millions


After Apple updated its privacy rules in 2021 to let iOS users easily opt out of all tracking by third-party apps, so many people chose to opt out that the Electronic Frontier Foundation reported that Meta lost $10 billion in revenue the following year.

Meta’s business model relies on selling user data to advertisers, and it appears that the owner of Facebook and Instagram has sought new avenues to keep collecting data at scale and recover the suddenly lost revenue. Last month, a privacy researcher and former Google engineer, Felix Krause, claimed that one way Meta tried to recover its losses was by having every link a user clicks in the app open in the in-app browser, where Krause reported that Meta could inject code, change the external websites, and track “anything you do on any website”, including passwords, without the user’s consent.

Now, in the past week, three Facebook and iOS users have filed two class action lawsuits [1] [2] that directly cite Krause’s investigation. They are suing Meta on behalf of all affected iOS users, accusing Meta of hiding privacy risks, circumventing iOS users’ privacy choices, and intercepting, monitoring and recording all activity on third-party websites viewed in the Facebook or Instagram browser. This includes form inputs and screenshots that give Meta a secret pipeline through the in-app browser to access “personally identifiable information, personal health data, text input, and other sensitive confidential facts”, seemingly without users even knowing that the data collection is taking place.

The most recent complaint was filed yesterday by Gabriele Willis of California and Kerreisha Davis of Louisiana. An attorney on their legal team at Girard Sharp LLP, Adam Polk, told Ars it was an important matter to prevent Meta from getting away with hiding ongoing privacy breaches. In the complaint, the legal team pointed to past misdeeds by Meta in collecting user information without consent, noting to the court that a Federal Trade Commission investigation resulted in a $5 billion fine for Meta.

“Just using an app doesn’t license the app company to look over your shoulder when you click on a link,” Polk told Ars. “This lawsuit seeks to hold Meta responsible for secretly tracking people’s browsing activity through the in-app tracking, even if they didn’t allow Meta to do so.”

Meta did not immediately respond to Ars’s request for comment. Krause told Ars that he prefers not to comment.

Meta Reportedly Secretly Tracking Data

According to the complaints, which are based on the same facts, Krause’s investigation has “revealed that Meta has injected code into third-party websites, a practice that allows Meta to track users and intercept data that would otherwise not be available.”

To investigate the potential privacy issue, Krause has built a website called inappbrowser.com, where users can “detect if a particular in-app browser is injecting code into third-party websites.” He compared an app like Telegram, which doesn’t inject JavaScript into third-party websites to track user data in the in-app browser, to the Facebook app by tracking what happens in the HTML file when a user clicks on a link.

In tests performed on the Facebook and Instagram apps, Krause reported that the HTML file clearly showed that “Meta uses JavaScript to modify websites and override users’ default privacy settings by directing users to Facebook’s in-app browser instead of their pre-programmed default web browser.”

The complaints note that this tactic of injecting code seemingly used by Meta to “eavesdrop” on users was originally known as a JavaScript injection attack. The lawsuit defines that as cases where “a threat actor injects malicious code directly into the client’s JavaScript. This allows the threat actor to manipulate the website or web application and collect sensitive data, such as personally identifiable information (PII) or payment information.”

“Meta is now using this encryption tool to gain an advantage over its competitors and, with regard to iOS users, to maintain its ability to intercept and monitor their communications,” the complaint claims.

According to the complaints, “Meta acknowledged that it tracks Facebook users’ in-app browsing activity” when Krause reported the issue to its bug bounty program. According to the complaints, Meta also confirmed at the time that it uses data collected through in-app browsing for targeted advertising.
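The kind of check described above, seeing whether an in-app browser adds code to a third-party page, can also be run by the site owner. The following is an added example, not Krause's code or anything from the complaints: it compares the scripts a site shipped with the scripts present in the rendered page. The function names, URLs and sample data are hypothetical and constructed for illustration.

```javascript
// Identify a script: external ones by URL, inline ones by whitespace-normalized text.
function fingerprint(script) {
  if (script.src) return 'src:' + script.src;
  return 'inline:' + (script.text || '').replace(/\s+/g, ' ').trim();
}

// served:   scripts in the HTML the site shipped (for example, from the build output).
// rendered: scripts found in the DOM after the page loaded.
// Returns every rendered script the site did not ship.
function findInjectedScripts(served, rendered) {
  const known = new Set(served.map(fingerprint));
  return rendered
    .filter((s) => !known.has(fingerprint(s)))
    .map((s) => ({
      id: fingerprint(s),
      kind: s.src ? 'external' : 'inline',
      host: s.src ? new URL(s.src).host : null,
    }));
}

// Browser-only wiring: snapshot the live DOM, then re-check on every DOM change
// and pass each unexpected script to report() once.
function watchPage(served, report) {
  const seen = new Set();
  const check = () => {
    const live = Array.from(document.scripts, (s) => ({ src: s.src, text: s.textContent }));
    for (const hit of findInjectedScripts(served, live)) {
      if (!seen.has(hit.id)) { seen.add(hit.id); report(hit); }
    }
  };
  check();
  new MutationObserver(check).observe(document.documentElement, { childList: true, subtree: true });
}

// Constructed sample data: what a site shipped vs. what a webview rendered.
const SERVED = [
  { src: 'https://example.com/static/app.js' },
  { text: 'window.APP_CONFIG = { locale: "en" };' },
];
const RENDERED = [
  ...SERVED,
  { src: 'https://tracker.example.net/inject.js' },
  { text: 'document.addEventListener("selectionchange", function () {});' },
];
```

A script-element comparison only sees code that leaves an element in the DOM; code that a host app evaluates directly in the page leaves nothing for this check to find.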


