Comment by kungfufrog
4 years ago
So let me get this straight:
If I click a link inside the Instagram app, that for whatever reason takes me to gmail or microsoft or wherever that requires authentication, and I decide to login on that page so I can view the link in question, Meta and TikTok are able to capture my credentials and ingest the data back into their metrics and analytics pipelines?
Is that even f*cking legal?
Everything is legal until it is explicitly made illegal. And I can assure you no US politician can understand more than 3 words in that paragraph you wrote, let alone make laws to regulate it.
Eavesdropping on electronic conversations where both parties have a reasonable expectation of privacy is illegal in many jurisdictions already.
The thing is, in this situation you _don't_ have any reasonable expectation of privacy, regardless of what the masses think is actually happening.
This exchange. Mind-numbing
https://youtu.be/t-lMIGV-dUI
Hasn't stopped them in the past, usually completely ineffectively.
For what it's worth, Google doesn't allow you to log into your Google Account in an in-app browser for this exact reason... unless you enable some "Insecure App" settings in Google Admin settings.
I’ve always wondered how Google enforces this at a technical level. Wouldn’t it be easy to spin up an in-app browser that looks and feels just like a regular browser? How does one detect via JS (or other means) if it’s an in-app browser?
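One way a login page can make the in-app-browser call, as an added example that is not code from the thread, from Google, or from any of the apps discussed: a user-agent heuristic run before the credential form is rendered. The marker list is an assumption maintained by hand (the Facebook, Instagram and Android WebView tokens are well known; the TikTok tokens are assumed), and an app can change or spoof its user agent, so this is a defence-in-depth check that fails closed, not proof that the page is running in an honest browser. The sample user agents are constructed, not captured from real devices.

```javascript
// Added example, not from the thread or from Google: a user-agent heuristic a
// login page can run (server- or client-side) before rendering its credential form.
// The marker list is an assumption maintained by hand; apps can change or spoof
// their user agent, so this is defence in depth and fails closed on doubt.

const IN_APP_MARKERS = [
  { re: /\bFBAN\b|\bFBAV\b/, why: "Facebook app WebView token" },
  { re: /\bInstagram\b/, why: "Instagram app WebView token" },
  { re: /; wv\)/, why: "Android System WebView marks itself with '; wv)'" },
  { re: /musical_ly|BytedanceWebview/i, why: "TikTok app WebView token (assumed)" },
];

// Classify a user-agent string. Returns { inApp, reason } so the caller can log
// why a login attempt was refused without leaking anything about the user.
function classifyUserAgent(ua) {
  if (typeof ua !== "string" || ua.length === 0) {
    return { inApp: true, reason: "missing user agent; fail closed" };
  }
  for (const { re, why } of IN_APP_MARKERS) {
    if (re.test(ua)) return { inApp: true, reason: why };
  }
  // iOS: Safari and SFSafariViewController carry a "Safari/" product token;
  // a bare WKWebView does not, so an iPhone/iPad UA without it is suspect.
  const isIOS = /\b(iPhone|iPad|iPod)\b/.test(ua);
  if (isIOS && !/\bSafari\//.test(ua)) {
    return { inApp: true, reason: "iOS WebKit without Safari token (likely WKWebView)" };
  }
  return { inApp: false, reason: "no in-app markers found" };
}

// What the login page does with the verdict: render the form, or refuse and tell
// the user to open the page in the system browser instead.
function loginPagePolicy(ua) {
  const { inApp, reason } = classifyUserAgent(ua);
  return inApp
    ? { action: "block", message: "Open this page in your browser to sign in.", reason }
    : { action: "render", message: "", reason };
}

// Constructed sample user agents (not captured from real devices).
const SAMPLES = {
  instagramAndroid:
    "Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SQ3A.220705.003; wv) AppleWebKit/537.36 " +
    "(KHTML, like Gecko) Version/4.0 Chrome/103.0.5060.129 Mobile Safari/537.36 Instagram 244.0.0.17.110",
  safariIOS:
    "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 " +
    "(KHTML, like Gecko) Version/15.6 Mobile/15E148 Safari/604.1",
  wkWebViewIOS:
    "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 " +
    "(KHTML, like Gecko) Mobile/15E148",
  chromeDesktop:
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
    "(KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36",
};

for (const [name, ua] of Object.entries(SAMPLES)) {
  console.log(name, loginPagePolicy(ua));
}
```

Run it with Node to see the verdict for each constructed user agent. The point the check relies on is that a WebView cannot hide the fact that it is not the system browser from the *app* that hosts it, but it can present any user agent it likes to the *page*, so a login page that blocks on this heuristic raises the bar without settling the question; a stronger signal is to move the credential step into the system browser entirely, where the hosting app has no script access to the page.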
If you use the platform, you've expressly agreed to this behavior. You can't create an account without affirming that you read and agreed to their policies and terms of use.
Instagram's privacy policy: https://privacycenter.instagram.com/policy/
>We call all of the things you can do on our Products "activity." We collect your activity across our Products and information you provide, such as: [...] Apps and features you use, and what actions you take in them.
Tiktok's USA privacy policy: https://www.tiktok.com/legal/privacy-policy-us
>We collect information when you create an account or use the Platform. We also collect information you share with us from third-party social network providers, and technical and behavioral information about your use of the Platform. [...]
>We may collect information about you from third-party services, such as advertising partners, data providers, and analytics providers.
Aren't EULAs fun?
Hey don't even worry about it, just look at this hilarious picture of a kitten instead
Can they really though?
I mean, this is literally XSS. And it's not just Facebook and Tiktok, unless this is a private API scummy apps can and are (I guarantee) doing this to steal user passwords and bank credentials. Your average person already needs to know that they can't type in their credentials unless the URL says facebook.com, now they also need to check the app is Safari. And you may not even need to enter credentials, a malicious app could just load my-bank.com and extract the cookies or local storage or send API requests.
If true...wow. That's a massive security oversight. But it seems too massive, I'm not 100% convinced. Especially because websites are tightly sandboxed from other websites and apps are tightly sandboxed from other apps. Yeah you could in theory re-implement your own web browser in your app which looks and acts like Safari, but in practice Apple technically forbids other web-views, and it's really hard to fully implement a web browser and not make it immediately apparent anyways.
We'll find out soon enough, but no existing law covers it so clearly that it can be decided with certainty without a judge's imprint.
You're surprised?
Those were never trustworthy.