
 Facebook Timeline Remover: Works, but Malicious  - vectorbunny
https://www.barracudanetworks.com/blogs/labsblog?bid=3097#
======
languagehacker
What the bloody hell is Google doing with the $5 we're supposed to pay them
for review and submission to the Chrome store if they're not catching this
stuff? I'm a vociferous Chrome user, but one thing I have to give Mozilla
credit for above Google is that their add-on review process is free and quick.

The unnecessary cost and additional process (e.g. requiring screenshots) are
all reasons LikeBuster
(<https://addons.mozilla.org/en-US/firefox/addon/likebuster-for-firefox/>) is
available on Mozilla's Firefox add-on site but needs to be manually installed
(<http://github.com/relwell/LikeBuster>) for Chrome. Knowing that the extra
b.s. doesn't actually accomplish anything for user security really grinds my
gears as someone who would like to make it as easy as possible for people to
download my extension.

~~~
quaunaut
It's obvious what it's for. $5 keeps people from quickly and easily just
spamming the store with thousands of extensions, while still keeping it cheap
enough that anyone can afford.

It isn't for doing security screening, there's no way $5 would be worth the
time of someone professional enough to look at your code for 20 or 30 minutes,
God forbid if it's longer than that.

~~~
tptacek
You're obviously right (by approximately a factor of 50) but let me add:

There is a way to make app review "for safety" scale at this price point: be
ultra restrictive about what apps are allowed to do, and review them not as
much for security as for compliance to API guidelines.

• _Cough_ •.

~~~
saurik
I would love to hear what restrictions you think you can place on a Turing
complete browser extension (a model that already has tons of permissions that
apparently aren't enough) that would let you know that a sufficiently large
subset are sufficiently safe to allow $5/app to be enough to subsidize
screening the rest.

In this case, this is a browser extension, and the goal is to edit the page:
there are tons of such extensions; while a couple of these had obvious "talks
to the wrong server" problems, various of them were correctly only editing
pages on Facebook, but were doing so maliciously.

The price point we are talking about here is simply so low: $5 is only going
to purchase 40 minutes of a _minimum wage employee_... we aren't even talking
a junior supervisor at a fast food restaurant, we are talking about the entry-
level "try to get the orders in the computer right" position.

At these prices, even just reading the description and figuring out "oh, this
should only be able to edit pages on this one website" is already going to be
expensive. Figuring out "should only be using DOM to remove nodes and not add
script elements" is impossible.

~~~
tptacek
Honestly, I was just making a snarky point about the iOS App Store.

------
dpeck
It's interesting to me how anti-timeline people are that they're willing to
seek out extensions to get rid of it. I'm not sure I understand it, but
honestly I don't understand Facebook so much either. Why the hate for timeline
from average users? And when would you ever be looking at your own timeline
anyway?

Disclosure: Barracuda pays me to do stuff.

~~~
codemac
Two columns of text. It's a horrible reading experience. Who wants to flip
back and forth back and forth with their eyes to read?

    A | B
    C | D

It's like reading the House of Leaves except that I don't feel any more
enlightened when I'm done.

The actual construction of a timeline I haven't heard any of my friends really
complain too much about.

~~~
rhizome
The thing that gets me is, what's behind that? FB has many many well-paid
designers and interface people...how did that flip model come to be? Is that
really the best they can do with the resources of Facebook? I'm reminded of
Microsoft (yet again)...

~~~
drcube
My guess is getting people to scan left to right rather than top to bottom
increases ad views.

~~~
rhizome
By that token I would think that it's more like "a disjointed reading
experience will allow for more cognitive 'slots' in which to place
advertising."

------
malenm
I'm a little surprised that after inspecting each plugin and finding:

"the first 3 plugins work well and do remove the Timeline after the user
logins to Facebook. There is no suspicious activity."

that the final conclusion is:

"In conclusion, we would like to warn all Facebook users to not try any
Facebook Timeline Remover apps or plugins."

Why take issue with an unsuspicious app that works as advertised? It's a
little unfair to the people who built these apps.

Aside from the general privacy concern presented by every single FB /
smartphone app which has access to some level of your personal data, it seems
like this is being too specific in its claim that "Timeline removal apps are
scams."

~~~
Karunamon
>Why take issue with an unsuspicious app that works as advertised?

    #include <closed_sw_boilerplate_warning.h>

Because you can't prove that the app isn't doing something suspicious. You
know what it purports and appears to do, and you know that it needs access to
your activity on facebook.com. Even then, it has an auto update mechanism, so
even if it isn't doing something untoward now, it easily could in the future
without you being the wiser.

Knowing how much of the average user's life is detailed on Facebook, it's one
thing that deserves extra scrutiny when it comes to allowing randoms to have
access to it.

~~~
malenm
This was exactly my point - the fact you can't prove that the app isn't doing
something suspicious is true of every app. Yes, there are a lot of personal
details on Facebook. There are on your phone, too. These are not Timeline-
removal app-specific.

Yesterday, there was a post on Hacker News about the Wolfram Alpha Facebook
Analytics [1] with very little concern about privacy (3 comments out of 104
mention privacy). My issue with this post is that it needlessly targets
Timeline removal apps when it just seems to be making a general statement
about being careful when installing any app.

[1] <http://blog.stephenwolfram.com/2012/08/wolframalpha-personal-analytics-for-facebook/>

~~~
Karunamon
Understood, but they took the time to compare all of the ones available in the
chrome store, and roughly half of them (!) were requesting permissions they
absolutely didn't need to function. That is worthy of mentioning, IMHO.

Lazy developer or spyware?
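The over-broad permissions saurik and Karunamon describe are visible in the extension's manifest before it is ever installed. The following is an added example (not from the Barracuda post or any of the extensions it reviewed) that audits a Chrome `manifest.json` against the one site the extension claims to modify; the two manifests are constructed samples, and the set of "sensitive" API permissions is an assumption chosen for illustration.

```python
"""Flag extension manifests whose host access exceeds the site they claim to edit."""
import json
from urllib.parse import urlparse

# Host patterns that grant access to every site the user visits.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that reach beyond editing a page (assumed list for this example).
SENSITIVE_APIS = {"tabs", "webRequest", "webRequestBlocking", "cookies", "history"}


def _host_of(pattern):
    # Match patterns look like "scheme://host/path"; pull out the host part.
    return urlparse(pattern.replace("*://", "https://")).hostname or ""


def _in_scope(pattern, allowed_suffix):
    # "*.facebook.com" is in scope for "facebook.com"; anything else is not.
    host = _host_of(pattern).lstrip("*.")
    return host == allowed_suffix or host.endswith("." + allowed_suffix)


def audit_manifest(manifest, allowed_suffix):
    """Return human-readable findings; an empty list means the manifest stays in scope."""
    findings, host_patterns = [], []
    for perm in manifest.get("permissions", []):
        if "://" in perm or perm == "<all_urls>":
            host_patterns.append(perm)          # host permission
        elif perm in SENSITIVE_APIS:
            findings.append(f"sensitive API permission: {perm}")
    for script in manifest.get("content_scripts", []):
        host_patterns.extend(script.get("matches", []))
    for pattern in host_patterns:
        if pattern in BROAD_PATTERNS:
            findings.append(f"broad host access: {pattern}")
        elif not _in_scope(pattern, allowed_suffix):
            findings.append(f"out-of-scope host: {pattern}")
    return findings


# Constructed sample manifests (not real store listings).
SCOPED = json.loads('{"name": "Timeline Remover (scoped)", '
                    '"content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["remove.js"]}]}')
GREEDY = json.loads('{"name": "Timeline Remover (greedy)", '
                    '"permissions": ["tabs", "http://*/*", "https://*/*"], '
                    '"content_scripts": [{"matches": ["<all_urls>"], "js": ["remove.js"]}]}')

if __name__ == "__main__":
    for m in (SCOPED, GREEDY):
        print(m["name"], "->", audit_manifest(m, "facebook.com") or "in scope")
```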

------
goatslacker
The funny thing is that people probably think this plugin will revert their
timeline back to old facebook profile.

Most users I know who dislike Timeline do so because they don't want you to
see their timeline, they had no problem viewing other people's timelines.

------
jaredsohn
For people looking to greatly customize the Facebook UI using a non-malicious
extension, check out Social Fixer (<http://socialfixer.com/>), previously
known as Better Facebook.

Among (many) other things, it allows you to switch your timeline to show items
in a single column. (Unfortunately, it will not disable timeline completely
since the author feels the technique for doing that (pretending to be IE7
since timeline doesn't support it) is fragile.)

------
xSwag
Nothing new: a worm similar to this called LilyJade got a few million installs
(using Crossrider, a cross-browser extension thing) by spamming users'
Facebook, effectively bypassing CSRF because they can read the webpage, and
spreading itself, banking the spammers a few hundred thousand dollars with
CPA (survey scams: "please do this survey to unlock the content").

------
zavulon
I've been using Facebook Social Fixer (<http://socialfixer.com/>) and it's
been great, turns Facebook back into a normal clutter-free experience. Plus,
it has a "Friend tracker" which lets you see who's defriended you (vain, I
know, but can't help it).

------
pohl
This isn't what I was hoping it to be. I would love to have a browser
extension that would iterate through every item, delete it and confirm the
delete action. (In preparation for divorcing from Facebook entirely).

------
drcube
Fluff Busting Purity, nee Facebook Purity, aka F B Purity (fbpurity.com) has
been keeping my feed free of spam and other garbage for several years now.

They've got a feature that removes timeline (from your view, other people will
still see your profile as a timeline) that works fairly well. Also, I can
change colors, so now my Facebook experience is Zenburned. I really can't
recommend these guys enough, and it's too bad Barracuda didn't study them.

------
islon
The old problem of power vs. security. You can't trust your users will be
smart enough to understand "this extension shouldn't access all sites", but you
can just block the functionality from all the non-evil developers.

