Meta pauses mobile port tracking tech on Android after researchers cry foul (theregister.com)
gnabgib 16 hours ago [-]
Discussion (251 points, 11 hours ago, 198 comments) https://news.ycombinator.com/item?id=44169115
mmastrac 13 hours ago [-]
I haven't had Facebook or Instagram apps installed on anything but a burner phone for half a decade and I'm happy about that decision.

Unfortunately I can't get rid of WhatsApp, but I hope it was immune to this.

93po 3 hours ago [-]
if you use a burner phone i would imagine three letter agencies can still figure out it's you really easily through metadata alone. if they can see all the numbers you call and text over years then they can probably piece together who you are pretty easily
thayne 14 hours ago [-]
It seems to me like a non-localhost site making requests to localhost, or a link-local address should require a permission granted by the user.
SchemaLoad 14 hours ago [-]
On macOS and probably iOS it does. You get a popup that the application wants to access other devices on the network. Unfortunately it's not really clear to the user what this means and if the app is asking it for legitimate reasons or for spyware.
skybrian 11 hours ago [-]
It’s not a meaningful permission. Even if they know what “localhost” means, most users have no idea which servers are running on localhost on each of their devices, so they don’t know the risks.

This needs to be higher level: “can website A connect to app B?”

morkalork 13 hours ago [-]
Seriously, what's even the point of having firewalls or NAT if you're going to let any external website just start opening up arbitrary connections to localhost? Is something embedded on the page for foobar.com any more trustworthy than a random IP trying to open a connection?
chmod775 13 hours ago [-]
Still the same Facebook from 2004, despite the name change.

It's nice they're giving us annual reminders they're still scumbags.

xk_id 11 hours ago [-]
They literally pay engineers to come up with crazy grey hat techniques to monitor people’s online activity. And those scumbags are probably HN users. It’s sinister. I wonder about the wording used by the manager behind it. It probably sounded plain evil and nobody who worked on it cared. It makes you wonder what else those parasites do that we haven’t discovered yet.
dvfjsdhgfv 2 hours ago [-]
I heard many excuses from some of them.

* If I don't do it, someone else will.

* Don't be naive, everybody is doing it.

* Well, one has to support one's family.

* C'mon, we're not actually hurting anyone. Did opening this port actually hurt you?

And so on.

leoh 11 hours ago [-]
Concerning that Android allows this — there are worse folks than Meta that would exploit this
isodev 10 hours ago [-]
It seems a happy coincidence the exploit wasn’t that effective on iOS. There are legitimate reasons for all the technologies involved to exist, but thanks to Meta we can’t have nice things.
9283409232 15 hours ago [-]
This is a PR statement because they got caught with their hand in the cookie jar. Same company that makes shadow profiles for people who have never used their services.
JadeNB 15 hours ago [-]
> "We are in discussions with Google to address a potential miscommunication regarding the application of their policies," a Meta spokesperson told The Register. "Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue."

Ah, good, so it was all an innocent miscommunication, certainly not Meta hoovering up whatever they thought they could get away with.

ryandrake 13 hours ago [-]
Not just a miscommunication... a potential miscommunication!
djhn 10 hours ago [-]
A potential miscommunication about a feature that may have had unintended consequences.

No, wait, claims of intent are falsifiable in discovery.

IAmGraydon 13 hours ago [-]
Being surprised about this is like hanging out with Jeffrey Dahmer and being surprised when he kills you and turns you into a lamp for his living room table. Privacy violation is not just something that happens at Meta. It is literally their business model. It's what they do. It therefore follows that they will do it in every possible way that they can get away with under the law, and possibly in some ways that they can't. If this is something that you dislike, the only sensible move is to close your account and delete the app.
philistine 12 hours ago [-]
You’re mixing your serial killers. Dahmer didn’t make furniture, he intended to make a shrine he never quite finished.
udev4096 12 hours ago [-]
It's also surprising how most of the new CS grads have little to no ethics for working at such a dishonest corp
sdk16420 6 hours ago [-]
High 5 figure salaries can bribe ethics, especially if the engineers are on a Green card
xk_id 11 hours ago [-]
Exactly, and there’s no wording I can imagine coming from the manager who requested this, which wouldn’t make it sound like the plain abuse that it is. But the guys who obeyed the manager and implemented it didn’t care. The mentality of parasites.
93po 3 hours ago [-]
lmao at "a potential miscommunication regarding the application of their policies"

"Essentially, by opening localhost ports that allow their Android apps to receive tracking data, such as cookies and browser metadata, from scripts running in mobile browsers, Meta and Yandex are able to bypass common privacy safeguards like cookie clearing, Incognito Mode, and Android's app permission system."

completely bypassing all permission systems and using what is literally just a security vulnerability is definitely not a miscommunication of policies
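
The permission check suggested earlier in the thread (a non-localhost site reaching localhost or a link-local address), applied to the browser-to-localhost channel quoted above, as an added example that is not part of the thread and not any browser's actual implementation. It classifies page and target URLs by address space and flags requests that reach into a more private space; the ranking, function names and sample URLs are assumptions constructed for illustration.

```javascript
// Added illustration. Only literal hosts are classified; names that would
// need DNS resolution are assumed public (assumption of this sketch).
const SPACE_RANK = { public: 0, private: 1, "link-local": 1, loopback: 2 };

function ipv4Space(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const a = Number(m[1]), b = Number(m[2]);
  // 0.0.0.0/8 is treated as local here: many systems route it to the host itself.
  if (a === 127 || a === 0) return "loopback";
  if (a === 169 && b === 254) return "link-local";
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  return "public";
}

function ipv6Space(host) {
  // URL.hostname keeps the brackets around IPv6 literals, e.g. "[::1]".
  if (!host.startsWith("[")) return null;
  const addr = host.slice(1, -1).toLowerCase();
  if (addr === "::1") return "loopback";
  // IPv4-mapped form (::ffff:7f00:1) is unpacked and classified as IPv4.
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(addr);
  if (mapped) {
    const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
    return ipv4Space(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  const first = parseInt(addr.split(":")[0] || "0", 16);
  if ((first & 0xffc0) === 0xfe80) return "link-local"; // fe80::/10
  if ((first & 0xfe00) === 0xfc00) return "private";    // fc00::/7
  return "public";
}

function addressSpace(urlString) {
  const host = new URL(urlString).hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return "loopback";
  return ipv4Space(host) || ipv6Space(host) || "public";
}

// A request should prompt when the target is in a more private space than the page.
function needsPermission(pageUrl, targetUrl) {
  const from = addressSpace(pageUrl), to = addressSpace(targetUrl);
  return { from, to, prompt: SPACE_RANK[to] > SPACE_RANK[from] };
}

// Constructed sample: a public page whose script contacts a local listener.
console.log(needsPermission("https://shop.example/cart", "http://127.0.0.1:12345/t"));
```
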
