If I found an application by some random developer, whose purpose was completely unrelated, doing this, I would categorize it as malware, or spyware at the very least.
By Facebook does it, and it's a "miscommunication." I have personally considered them a surveillance, and therefore spyware company, for years. I hope more people will realize it. Especially all people right here on HN who work for Facebook, and Google as well. Please realize what you're doing is wrong, and damaging, and that you should work somewhere else doing something less objectively harmful.
if you use a burner phone i would imagine three letter agencies can still figure out it's you really easily through metadata alone. if they can see all the numbers you call and text over years then they can probably piece together who you are pretty easily
On MacOS and probably iOS it does. You get a popup that the application wants to access other devices on the network. Unfortunately it's not really clear to the user what this means and if the app is asking it for legitimate reasons or for spyware.
It’s not a meaningful permission. Even if they know what “localhost” means, most users have no idea which servers are running on localhost on each of their devices, so they don’t know the risks.
This needs to be higher level: “can website A connect to app B?”
> Even if they know what “localhost” means, most users have no idea which servers are running on localhost on each of their devices, so they don’t know the risks.
It could be worded as something like "connect to applications running on your device". And yeah, users probably don't know what things that might be, but that is why it is a scary permission, and almost all websites don't need it, and if you really do need it, you should be able to explain to the user why you need to talk to a local process, and you probably also need the user to install specific software.
> This needs to be higher level: “can website A connect to app B?”
Unfortunately, on at least some OSes, this isn't really possible. You don't connect to an app, you connect to a port, and there isn't always a way to know what is on the other side. Especially if this is something on your local network, not localhost. You could ask about a specific host/port combination, but most users won't have any idea what that means.
Seriously, what's even the point of having firewalls or NAT if you're going to let any external website just start opening up arbitrary connections to localhost? Is something embedded on the page for foobar.com any more trust worthy than a random IP trying to open a connection?
They literally pay engineers to come up with crazy grey hat techniques to monitor people’s online activity. And those scumbags are probably HN users. It’s sinister. I wonder about the wording used by the manager behind it. It probably sounded plain evil and nobody who worked on it cared. It makes you wonder what else those parasites do that we haven’t discovered yet.
> "We are in discussions with Google to address a potential miscommunication regarding the application of their policies," a Meta spokesperson told The Register. "Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue."
Ah, good, so it was all an innocent miscommunication, certainly not Meta hoovering up whatever they thought they could get away with.
It seems a happy coincidence the exploit wasn’t that effective on iOS. There are legitimate reasons for all the technologies involved to exist, but thanks to Meta we can’t have nice things.
This is a PR statement because they got caught with their hand in the cookie jar. Same company that makes shadow profiles for people who have never used their services.
Being surprised about this is like hanging out with Jeffrey Dahmer and being surprised when he kills you and turns you into a lamp for his living room table. Privacy violation is not just something that happens at Meta. It is literally their business model. It's what they do. It therefore follows that they will do it in every possible way that they can get away with under the law, and possibly in some ways that they can't. If this is something that you dislike, the only sensible move is to close your account and delete the app.
Exactly, and there’s no wording I can imagine coming from the manager who requested this, which wouldn’t make it sound like the plain abuse that it is. But the guys who obeyed the manager and implemented it didn’t care. The mentality of parasites.
lmao at "a potential miscommunication regarding the application of their policies"
"Essentially, by opening localhost ports that allow their Android apps to receive tracking data, such as cookies and browser metadata, from scripts running in mobile browsers, Meta and Yandex are able to bypass common privacy safeguards like cookie clearing, Incognito Mode, and Android's app permission system."
completely bypassing all permission systems and using what is literally just a security vulnerability is definitely not a miscommunication of policies
Discussion (251 points, 11 hours ago, 198 comments) https://news.ycombinator.com/item?id=44169115
If I found an application by some random developer, whose purpose was completely unrelated, doing this, I would categorize it as malware, or spyware at the very least.
By Facebook does it, and it's a "miscommunication." I have personally considered them a surveillance, and therefore spyware company, for years. I hope more people will realize it. Especially all people right here on HN who work for Facebook, and Google as well. Please realize what you're doing is wrong, and damaging, and that you should work somewhere else doing something less objectively harmful.
I haven't had Facebook or Instagram apps installed on anything but a burner phone for half a decade and I'm happy about that decision.
Unfortunately I can't get rid of WhatsApp, but I hope it was immune to this.
if you use a burner phone i would imagine three letter agencies can still figure out it's you really easily through metadata alone. if they can see all the numbers you call and text over years then they can probably piece together who you are pretty easily
They are hiding from Facebook surveillance, they are not evading the NSA
It seems to me like a non-localhost site making requests to localhost, or a link-local address should require a permission granted by the user.
On MacOS and probably iOS it does. You get a popup that the application wants to access other devices on the network. Unfortunately it's not really clear to the user what this means and if the app is asking it for legitimate reasons or for spyware.
I have seen this pop-up many times, and not once has it been for a legitimate reason. Every site worked just fine without the permission.
It’s not a meaningful permission. Even if they know what “localhost” means, most users have no idea which servers are running on localhost on each of their devices, so they don’t know the risks.
This needs to be higher level: “can website A connect to app B?”
> Even if they know what “localhost” means, most users have no idea which servers are running on localhost on each of their devices, so they don’t know the risks.
It could be worded as something like "connect to applications running on your device". And yeah, users probably don't know what things that might be, but that is why it is a scary permission, and almost all websites don't need it, and if you really do need it, you should be able to explain to the user why you need to talk to a local process, and you probably also need the user to install specific software.
> This needs to be higher level: “can website A connect to app B?”
Unfortunately, on at least some OSes, this isn't really possible. You don't connect to an app, you connect to a port, and there isn't always a way to know what is on the other side. Especially if this is something on your local network, not localhost. You could ask about a specific host/port combination, but most users won't have any idea what that means.
Seriously, what's even the point of having firewalls or NAT if you're going to let any external website just start opening up arbitrary connections to localhost? Is something embedded on the page for foobar.com any more trust worthy than a random IP trying to open a connection?
Still the same Facebook from 2004, despite the name change.
It's nice they're giving us annual reminders they're still scumbags.
They literally pay engineers to come up with crazy grey hat techniques to monitor people’s online activity. And those scumbags are probably HN users. It’s sinister. I wonder about the wording used by the manager behind it. It probably sounded plain evil and nobody who worked on it cared. It makes you wonder what else those parasites do that we haven’t discovered yet.
I heard many excuses from some of them.
* If I don't do it, someone else will.
* Don't be naive, everybody is doing it.
* Well, one has to support one's family.
* C'mon, we're not actually hurting anyone. Did opening this port actually hurt you?
And so on.
> "We are in discussions with Google to address a potential miscommunication regarding the application of their policies," a Meta spokesperson told The Register. "Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue."
Ah, good, so it was all an innocent miscommunication, certainly not Meta hoovering up whatever they thought they could get away with.
Not just a miscommunication... a potential miscommunication!
A potential miscommunication about a feature that may have had unintended consequences.
No, wait, claims of intent are falsifiable in discovery.
Concerning that Android allows this — there are worse folks than meta that would exploit this
This is by design. Why do you think we still don't have a per-app network toggle? Android is built & released by a surveillance company.
It seems a happy coincidence the exploit wasn’t that effective on iOS. There are legitimate reasons for all the technologies involved to exist, but thanks to Meta we can’t have nice things.
This is a PR statement because they got caught with their hand in the cookie jar. Same company that makes shadow profiles for people who have never used their services.
Being surprised about this is like hanging out with Jeffrey Dahmer and being surprised when he kills you and turns you into a lamp for his living room table. Privacy violation is not just something that happens at Meta. It is literally their business model. It's what they do. It therefore follows that they will do it in every possible way that they can get away with under the law, and possibly in some ways that they can't. If this is something that you dislike, the only sensible move is to close your account and delete the app.
You’re mixing your serial killers. Dahmer didn’t make furniture, he intended to make a shrine he never quite finished.
>Being surprised about this is like hanging out with Jeffrey Dahmer and being surprised when he kills
I have a choice between Google brand Dahmer & Apple brand Dahmer, what do I do?
It's also surprising how most of the new cs grads have little to no ethics for working at such dishonest corp
High 5 figure salaries can bribe ethics, especially if the engineers are on a Green card
Exactly, and there’s no wording I can imagine coming from the manager who requested this, which wouldn’t make it sound like the plain abuse that it is. But the guys who obeyed the manager and implemented it didn’t care. The mentality of parasites.
lmao at "a potential miscommunication regarding the application of their policies"
"Essentially, by opening localhost ports that allow their Android apps to receive tracking data, such as cookies and browser metadata, from scripts running in mobile browsers, Meta and Yandex are able to bypass common privacy safeguards like cookie clearing, Incognito Mode, and Android's app permission system."
completely bypassing all permission systems and using what is literally just a security vulnerability is definitely not a miscommunication of policies