🧡
1/7
During our research on link previews, we discovered that Instagram servers execute #JS code in links sent in DMs. We contacted the Facebook security team. They said it was expected behavior, no issue. We published the work. @TeamYouTube took down the video and sent us a warning
2/7
We appealed the @YouTubeCreators decision. We argued that the video we uploaded to @YouTube was the exact video that we shared with the Facebook security team. They concluded it was harmless. We discussed the issue with Facebook in a long exchange to convince them it was critical
3/7
The Facebook team was adamant that the issue was harmless and expected behavior. We shared with Facebook that we would publish the video. They didn't stop us. The video was viewed 3300 times before @TeamYouTube took it down and later rejected our appeal
4/7
After our research got popular, Facebook removed the feature of link previews altogether in the EU in both Facebook and Instagram.

More on this here:

mysk.blog/2021/02/08/fb-…
5/7
Our goal is to raise awareness about privacy and help users protect their data. We were treated unfairly by Facebook. The only way to report security issues to Facebook is through their bounty program. An acknowledgment of the bug would have been enough for us.
6/7
In fact, we were treated unfairly twice: by @Facebook and by @YouTube.

@Facebook we don't know who reported the video. But if you have recognized that your team made a mistake in the assessment, you could have reached out to us. We would have removed the video
7/7
@TeamYouTube @YouTubeCreators
We find it unfair that our educational channel has received a permanent warning. The classification that the video provides harmful or dangerous content is very wrong. Even Facebook doesn't agree with this classification. We can prove it.
For more information about our research on link previews, refer to the full article:
mysk.blog/2020/10/25/lin…


More from @mysk_co

Nov 6
🧡
1/6

Apple's Data & Privacy statement starts with the calming phrase "Apple believes privacy is a fundamental human right", then goes on to describe how the platform aggressively collects your data. You must accept the statement or stop using your iPhone.
#CyberSecurity
2/6
It is true that there are options to disable personalized ads, but as this video shows, usage data is still collected and sent to Apple even when these options are disabled:

3/6
Before you conclude that Apple is tracking its users, you need to understand how Apple defines tracking. In short, as long as data collected to track you is not shared with 3rd parties, it's not considered tracking. No, Apple is not tracking you, just keeping an eye on you 👀
Nov 3
🧡
1/5
The recent changes that Apple has made to App Store ads should raise many #privacy concerns. It seems that the #AppStore app on iOS 14.6 sends every tap you make in the app to Apple. 👇 This data is sent in one request: (data usage & personalized ads are off)
#CyberSecurity
2/5
As the user browses the App Store app, detailed usage data is sent to Apple simultaneously. The data contains IDs to map the behavior to a profile (redacted in the video). Data shown in the video is 152KB. Here's a log of the requests while using the app for 10 minutes:
3/5
The strange thing is that Apple introduced strict measures in #iOS 14.5 to prevent developers from fingerprinting users.
Oct 12
We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet.
We used @ProtonVPN and #Wireshark. Details in the video:

#CyberSecurity #Privacy
You can easily monitor the network traffic of any device using this simple method. You don't need a custom router for that. You just need a Mac and #Wireshark, and enjoy ✌️
I know what you're asking yourself and the answer is YES. #Android communicates with #Google services outside an active VPN connection, even with the options "Always-on" and "Block Connections without VPN."
I used a #Pixel phone running #Android13, its IP is 192.168.2.14 👇
Oct 19, 2021
We prepared this video to illustrate why access to the accelerometer should get a permission in iOS. Unrestricted access to accelerometer data can breach user privacy. We used Facebook as an example in the video.

#Cybersecurity #Privacy #iOS

It's amazing what algorithms can extract from accelerometer data:
- Detect if you're walking, sitting, cycling, etc.
- Count your steps
- Figure out your heart rate
- Find your precise location
- Analyze sound vibrations of your phone speaker and infer what you're listening to
The iPhone is equipped with a very accurate accelerometer. It helps algorithms achieve their goals with high accuracy.
Good news: iOS only allows apps to access the accelerometer when apps are active in the foreground
