
“Did you copy/paste the info? Facebook seems to read all pasteboard data” - uptown
https://twitter.com/alainparadis/status/947066227595214848
======
chmod775
I handle sensitive data on a daily basis and religiously keeping stuff like
Facebook off my devices is beginning to look increasingly sensible.

I'll point to this next time someone questions my stallman-esque stance.

What's full-disk encryption do if Facebook et al are going to funnel the data
off your devices anyways?

~~~
xoa
> _What 's full-disk encryption do if Facebook et al are going to funnel the
> data off your devices anyways?_

Serious answer: the threat model FDE aims to address is cold physical attacks.
That's it, everything hot (or even warm) and online is outside of scope.
Facebook would be more akin in class to gray non-persistent malware, although
they aren't actually malware in the strict sense and do face some bounds from
the law which should make filtering and keeping them off a sensitive system
more straightforward. At any rate, FDE is a good idea for a bunch of reasons
given how cheap it is at this point, but it's just one of many needed pieces.

More fundamentally and beyond Facebook specifically, we need better ways to
control data exfiltration and transfers from our datastores to and between
software and services, period. Whitelisting should be the default. Data
channels like clipboard APIs should either simply not exist at all or at least
require explicit user per-application sign off (and preferably even then with
restrictions like requiring code signatures, timeout options etc). While
single purpose hacks are generally not justified, the specific instance of
passwords & keys might be important enough in reality to justify operating
systems providing some much more explicit "secure pasteboard" system that is
far more heavily mediated.

~~~
countbackula
The Firefox Focus app for iPhone pushed out an update a few months ago that
showed an active clipboard tray below the URL bar, which was shocking and
freaky to see. Anyone know whether the update had added the API or just made
it visible? With the desktop browser it's enabled by default, but at least can
be disabled through about:config.

~~~
craftyguy
> With the desktop browser it's enabled by default, but at least can be
> disabled through about:config.

What option are you referring to?

------
0x0
When handoff was first introduced, it was obvious that facebook was auto-
scraping the pasteboard, because as soon as you foregrounded the facebook ios
app, iOS would show a "pasting from macbook handoff..." type dialog despite no
user interactions performed.

If I remember correctly, the facebook iOS app would also auto-prefill a new
post draft for you if it found an URL in the pasteboard?

~~~
mcintyre1994
Oh! I've seen this a few times, it must be in Messenger/WhatsApp. I don't know
why Apple let them do that because it's awful UX and I just assumed Apple had
screwed it up and sometimes couldn't background the copy/paste aross devices
properly.

~~~
0x0
I think they got caught red-handed with an existing pasteboard API that
suddenly gained handoff powers but at the same time started showing modal
system overlays UIs when accessed? At least it came off like that.

------
qrbLPHiKpiux
Here's a start:
[https://raw.githubusercontent.com/jmdugan/blocklists/master/...](https://raw.githubusercontent.com/jmdugan/blocklists/master/corporations/facebook/all)

~~~
raverbashing
I wonder what happens when redirecting to 0.0.0.0 instead of localhost

~~~
the-dude
It is the same. Except on Windows 8.1.

[http://winhelp2002.mvps.org/hosts.htm](http://winhelp2002.mvps.org/hosts.htm)

------
sschueller
Great,

On android any app can listen for clipboard events without permission. It's
very possible that the Android Facebook app is scraping this data.

It also happens that the Facebook app is pre installed on Samsung devices and
cant be removed.

~~~
vetinari
> It also happens that the Facebook app is pre installed on Samsung devices
> and cant be removed.

It can be disabled, which is as good as removed. Now if Samsungs own apps
could be disabled, I would be happier.

~~~
milankragujevic
Note that FB has a service that keeps the app updated, which can't be
disabled.

------
stri8ed
Would like to see further evidence backing this claim.

------
Redoubts
Is there any legit reason for the clipboard API? If I want an app to see or
fill its contents, I would just copy and paste normally.

~~~
klibertp
I use copyq[1] on Linux and earlier used Ditto on Windows. I don't actually
use it that often, but when I need it, the history of copied things is
extremely useful. It's a built-in function in Emacs[2] and Vim and honestly,
it should be also implemented by the OS or thereabouts (X/Desktop Env/WM in
the worst case). And BTW, for keeping tabs on more than just the clipboard, I
use selfspy[3], which is a really neat... keylogger, basically. It's great for
filling timelogs!

Anyway, what I want to say is that there are legitimate uses for nearly every
API. Some should be protected with permissions and so on, but once an API is
there, you should always assume it's central to someone's workflow.

[1] [https://hluk.github.io/CopyQ/](https://hluk.github.io/CopyQ/)

[2]
[https://www.emacswiki.org/emacs/BrowseKillRing](https://www.emacswiki.org/emacs/BrowseKillRing)

[3] [https://github.com/selfspy/selfspy](https://github.com/selfspy/selfspy)

------
xg15
Stupid question: Why not get hold of an image of the facebook app and check if
there is suspicious code? If it were an android app, you could even try to
decompile it, but even so, there should be suspicious calls to the clipboard
API somewhere in the code, shouldn't there?

~~~
rrix2
Because all of these companies go to great lengths to hide their "anti-
malware" libraries and do a bunch of stuff like code obfuscation and ASLR
outside of even the compiler tooling.

~~~
UncleMeat
If you spend a little time getting used to working with obfuscated apps, they
are easy enough. Facebook's app is no different. And ASLR has literally
nothing to do with preventing reverse engineering.

------
an4rchy
Based on my understanding from the tweet, it sounds like it can only see the
type of data i.e. URL/plaintext and will only be able to get access to URLs
and not necessarily the actual text (ex: if you copied a password), can anyone
verify this?

Edit:

Source: [https://www.thedailybeast.com/facebook-is-spying-on-your-
cli...](https://www.thedailybeast.com/facebook-is-spying-on-your-clipboard)

"This recognition software prevents the app from scraping text that does not
look like a URL, like passwords or emails, Harrison said. It’s not a perfect
system, though: broken or fake links like “FacebookHasAccessToMyData.com” are
still automatically recommended for posts."

------
tehlike
Now imagine cp ing a private key...

------
seba_dos1
Check out
[https://github.com/indywidualny/FaceSlim](https://github.com/indywidualny/FaceSlim)
\- seems to be the sanest way to access Facebook from a mobile. Also available
on F-Droid.

------
dperfect
I'm pretty sure Chrome (for iOS) does this too, and presumably it could be
sent to Google's servers. Otherwise they wouldn't be able to suggest opening a
URL that has been copied (and show the URL before any user confirmation) by
simply tapping on the address bar. Whether or not they use it for ad targeting
is anyone's guess.

------
SubiculumCode
So don't put your passwords into your pastebin from your password manager.

~~~
jonnycomputer
seriously? lots of sites block pw autofill. copy/paste is a must, and frankly,
the whole idea that any installed app would have unfettered access to
clipboard contents is outrageous.

though to be fair, this is an issue with most OSs.

------
api
Another recent post from Reddit on a related topic:

[https://www.reddit.com/r/privacy/comments/7mxn9i/is_facebook...](https://www.reddit.com/r/privacy/comments/7mxn9i/is_facebook_listening_and_creating/)

A lot of circumstantial evidence for extreme pervasive surveillance by
Facebook apps is mounting.

Edit: another possibility is that _other_ apps are doing the monitoring and
selling the data to Facebook or to data brokers that then sell it to Facebook.
Lots of "free" apps ask for every permission.

In any case security researchers now have something new to tear apart in 2018.

