Facebook users sue Meta for bypassing massive Apple security to spy on millions

After Apple updated its privacy rules in 2021 to easily allow iOS users to opt out of all tracking by third-party applications, so many people opted out that the Electronic Frontier Foundation reported Meta lost $10 billion in revenue over the next year.

Meta’s business model is based on selling user data to advertisers, and it appears that the Facebook and Instagram owner has sought new avenues to continue large-scale data collection and recover from suddenly lost revenue. Last month, privacy researcher and former Google engineer Felix Krause alleged that one of the ways Meta has sought to recover its losses has been to direct any link a user clicks in the app to open in the in-app browser, with Krause reporting that Meta has been able to inject code, alter external websites, and track “anything you do on any website,” including tracking passwords, without user consent.

Now, within the past week, a trio of Facebook and iOS users, who point directly to Krause’s research, have filed class action lawsuits [1] [2] suing Meta on behalf of all affected iOS users, accusing Meta of hiding privacy risks, circumventing iOS users’ privacy options, and intercepting, monitoring, and recording all activity on third-party sites viewed in Facebook’s or Instagram’s browser. This includes form entries and screenshots that give Meta a secret path through its in-app browser to access “personally identifiable information, private health details, text entries and other sensitive confidential facts”, seemingly without users even knowing that data collection is taking place.

The latest complaint was filed yesterday by California-based Gabriel Willis and Louisiana-based Kerisha Davis. Adam Polk, an attorney from their legal team at Girard Sharp LLP, told Ars that it was important to prevent Meta from getting away with hiding its ongoing invasions of privacy. In the complaint, the legal team cited Meta’s previous actions of collecting user information without consent, noting for the court that an FTC investigation resulted in a $5 billion fine for Meta.

“Merely using the app does not give the app company a license to look over your shoulder when you click on a link,” Polk told Ars. “This litigation seeks to hold Meta accountable for covertly monitoring people’s browsing activity through in-app tracking even when they do not allow Meta to do so.”

Meta did not immediately respond to Ars’ request for comment. Krause told Ars he preferred not to comment. [Update: A Meta spokesperson provided Ars with a statement: “These allegations are without merit and we will defend ourselves vigorously. We have carefully designed our in-app browser to respect users’ privacy choices, including how data may be used for ads.”]

Meta allegedly secretly tracks data

According to the complaints, which are based on the same facts, Krause’s research revealed “that Meta has been injecting code into third-party websites, a practice that allows Meta to track users and intercept data that would not otherwise be available to them.”

To investigate the potential privacy issue, Krause created a website called inappbrowser.com, where users can “detect if a specific in-app browser is injecting code into third-party websites.” He compared an app like Telegram, which doesn’t inject JavaScript code into third-party sites to track user data in its in-app browser, with the Facebook app by tracking what happens in an HTML file when a user clicks a link.

When the tests were run on the Facebook and Instagram apps, Krause reported that the HTML file clearly showed that “Meta uses JavaScript to change websites and override their users’ default privacy settings by directing users to the Facebook in-app browser instead of the pre-programmed default web browser.”

The complaints note that the injection technique Meta appears to use to “eavesdrop” on users was originally known as a JavaScript injection attack. The lawsuit defines these as cases where “a threat actor injects malicious code directly into client-side JavaScript. This allows the threat actor to tamper with a website or web application and collect sensitive data, such as personally identifiable information (PII) or payment information.”

The complaint alleges that “Meta is now using this encoder to gain an advantage over its competitors, and as far as iOS users are concerned, it maintains the ability to intercept and track their communications.”

According to the complaints, “Meta has admitted that it tracks in-app browsing activity of Facebook users” when Krause reported the problem to its bug bounty program. The complaints say Meta also confirmed at the time that it was using data collected from in-app browsing for targeted ads.
