π§΅
1/7
During our research on link previews, we discovered that Instagram servers execute #JS code in links sent in DM. We contacted Facebook security team. They said it was expected behavior, no issue. We published the work. @TeamYouTube took down the video and sent us a warning
1/7
During our research on link previews, we discovered that Instagram servers execute #JS code in links sent in DM. We contacted Facebook security team. They said it was expected behavior, no issue. We published the work. @TeamYouTube took down the video and sent us a warning
2/7
We appealed @YouTubeCreators decision. We argued that the video we uploaded to @YouTube was the exact video that we shared with Facebook security team. They concluded it was harmless. We discussed the issue with Facebook in a long exchange to convince them it was critical
We appealed @YouTubeCreators decision. We argued that the video we uploaded to @YouTube was the exact video that we shared with Facebook security team. They concluded it was harmless. We discussed the issue with Facebook in a long exchange to convince them it was critical
3/7
Facebook team was adamant that that issue was harmless and expected behavior. We shared with Facebook that we would publish the video. They didn't stop us. The video was viewed 3300 times before @TeamYouTube took it down and later rejected our appeal
Facebook team was adamant that that issue was harmless and expected behavior. We shared with Facebook that we would publish the video. They didn't stop us. The video was viewed 3300 times before @TeamYouTube took it down and later rejected our appeal
4/7
After our research got popular, Facebook removed the feature of link previews altogether in the EU in both Facebook and Instagram.
More on this here:
mysk.blog/2021/02/08/fb-β¦
After our research got popular, Facebook removed the feature of link previews altogether in the EU in both Facebook and Instagram.
mysk.blog/2021/02/08/fb-β¦
5/7
Our goal is to raise awareness about privacy and help users protect their data. We were treated unfairly by Facebook. The only way to report security issues to Facebook is through their bounty program. An acknowledgment of the bug would have been enough for us.
Our goal is to raise awareness about privacy and help users protect their data. We were treated unfairly by Facebook. The only way to report security issues to Facebook is through their bounty program. An acknowledgment of the bug would have been enough for us.
6/7
In fact, we were treated unfairly twice: by @Facebook and by @YouTube.
@Facebook we don't know who reported the video. But if you have recognized that your team made a mistake in the assessment, you could have reached out to us. We would have removed the video
In fact, we were treated unfairly twice: by @Facebook and by @YouTube.
@Facebook we don't know who reported the video. But if you have recognized that your team made a mistake in the assessment, you could have reached out to us. We would have removed the video
7/7
@TeamYouTube @YouTubeCreators
We find it unfair that our educational channel has received a permanent warning. The classification that the video provides harmful or dangerous content is very wrong. Even Facebook doesn't agree with this classification. We can prove it.
@TeamYouTube @YouTubeCreators
We find it unfair that our educational channel has received a permanent warning. The classification that the video provides harmful or dangerous content is very wrong. Even Facebook doesn't agree with this classification. We can prove it.
For more information about our research on link previews, refer to the full article:
mysk.blog/2020/10/25/linβ¦
mysk.blog/2020/10/25/linβ¦
β’ β’ β’
Missing some Tweet in this thread? You can try to
force a refresh
γ
