Facebook is secretly accessing your iPhone’s camera while just browsing news feed

hrœrekr · Nov 12, 2019

TarpitCarnivore said:
"the App should call the OS interface where only one file is reachable"

But what "one" file? It has to read the file/library in order to see those files. It also has to read it in order to save any photos taken.

Same with your desktop. When you upload a file in your browser, that window to select a file is from your MacOS Finder (Or Windows file explorer). You select one or many files. After you confirm, only those selected files are reachable.

When you save a new file, it goes to your filesystem without having access to other files there. This is basic OS filesystem management we have in Desktops for ages, and mobile OS struggles to adopt.

TarpitCarnivore · Nov 12, 2019

hrœrekr said:
Same with your desktop. When you upload a file in your browser, that window to select a file is from your MacOS Finder (Or Windows file explorer). You select one or many files. After you confirm, only those selected files are reachable.

The drag and drop is also managed by the OS. The website can only reach the dropped file, not your entire OS filesystem.

That's exactly how the apps work on mobile devices though. Your browser is accessing just as much as your phone is.

Deleted member 2625 · Nov 12, 2019

hrœrekr said:
Same with your desktop. When you upload a file in your browser, that window to select a file is from your MacOS Finder (Or Windows file explorer). You select one or many files. After you confirm, only those selected files are reachable.

When you save a new file, it goes to your filesystem without having access to other files there. This is basic OS filesystem management we have in Desktops for ages, and mobile OS struggles to adopt.

ok but now do it blind. You can't see the files. No permission given yet. What now

you're not thinking through the UX

hrœrekr · Nov 12, 2019

TarpitCarnivore said:
That's exactly how the apps work on mobile devices though. Your browser is accessing just as much as your phone is.

It is not. They simplify the process in one authorize/block option. If you allow access to your photos, the app is reaching all of them (including the nudes you have on hidden files).

hrœrekr · Nov 12, 2019

Nerfgun said:
ok but now do it blind. You can't see the files. No permission given yet. What now

you're not thinking through the UX

Mind elaborate?

TarpitCarnivore · Nov 12, 2019

hrœrekr said:
It is not. They simplify the process in one authorize/block option. If you allow access to your photos, the app is reaching all of them (including the nudes you have on hidden files).

Because all the photos are in one place....the camera roll. If you grant access to Photos the app can _only_ read from the Photos storage library. You're not granting access to every single photo on your device. So If you have pictures under Cloud Files or Dropbox or any other storage point that is _not_ the Photo Library/Camera Roll then Photos access doesn't grant it service. You'd have to share it to the app via share sheet dialogue.

I'm not really not understanding what you're getting at with the desktop comparison. When you initiate a file upload process in the browser the browser can go through your entire OS, you have full range to find any file you want to hand it over. At least with a mobile phone, iOS in particular, granting access to your photos restricts it to just the Photos/Camera Roll.

hrœrekr · Nov 12, 2019

TarpitCarnivore said:
Because all the photos are in one place....the camera roll. If you grant access to Photos the app can _only_ read from the Photos storage library. You're not granting access to every single photo on your device. So If you have pictures under Cloud Files or Dropbox or any other storage point that is _not_ the Photo Library/Camera Roll then Photos access doesn't grant it service. You'd have to share it to the app via share sheet dialogue.

I'm not really not understanding what you're getting at with the desktop comparison. When you initiate a file upload process in the browser the browser can go through your entire OS, you have full range to find any file you want to hand it over. At least with a mobile phone, iOS in particular, granting access to your photos restricts it to just the Photos/Camera Roll.

It does not. Browsers run in this sandbox concept, where the OS protects your computer files.

This full range access to find the file is entirely managed by the OS layer. The browser and the website have no idea what files are there till you select and confirm them.

Also having access to photos/camera roll is already too much if you just want them to access that one file you need to upload.

Jroc · Nov 12, 2019

Has anyone at Facebook/Google/Amazon ever come out and revealed anything?

Kthulhu · Nov 12, 2019

Jroc said:
Has anyone at Facebook/Google/Amazon ever come out and revealed anything?

Such as? Their data collection isn't exactly a secret.

The only thing internal that leaks is stuff like developing a search engine for China and mistreatment of labor.

TarpitCarnivore · Nov 12, 2019

hrœrekr said:
It does not. Browsers run in this sandbox concept, where the OS protects your computer files.

This full range access to find the file is entirely managed by the OS layer. The browser and the website have no idea what files are there till you select and confirm them.

Also having access to photos/camera roll is already too much if you just want them to access that one file you need to upload.

And apps work the same way. They can only access what you granted access to and what those public API's allow.

Deleted member 19844 · Nov 12, 2019

PMS341 said:
I imagine it slips by in apps that seemingly require it to function. Snapchat and Instagram, for example - the camera is integral to the core function of both apps, and disabling that permission would essentially render them useless, outside of using other apps to take the image first and then just directly upload from there. So while you enable the permission to use the camera function, the apps will use them in ways not intended (at least, by the user).

Thank you - this is helpful info.

Jroc · Nov 12, 2019

Kthulhu said:
Such as? Their data collection isn't exactly a secret.

The only thing internal that leaks is stuff like developing a search engine for China and mistreatment of labor.

Stuff like "my phone is listening to me and generating ads" and "my camera is recording my face while I browse facebook".

Basically the stuff that people "discover" every once in a while.

Kthulhu · Nov 12, 2019

Jroc said:
Stuff like "my phone is listening to me and generating ads" and "my camera is recording my face while I browse facebook".

Basically the stuff that people "discover" every once in a while.

People's phones listening to them has been debunked by pretty much everyone.

The camera deal looks like it might be an iOS bug. I seriously doubt a cyber security researcher wouldn't have found this if it was intentional but some random guy on Twitter could.

Loan Wolf · Nov 12, 2019

lol I was contemplating on reactivating my facebook. Hope antitrust legislation can split FB, IG, and Messenger as I still use the latter two

Deleted member 2625 · Nov 12, 2019

hrœrekr said:
Mind elaborate?

photos are a weird case – no one knows to pick _IMG34657.HEIC from a file list or what that is... so you need to show preview thumbnails in order for the user to pick what they want to upload or use, right

need to generate previews = need access to photo library

now I see what you are saying in that it should be a System-generated tray that pops up and allows access for the one photo you pick, but you'd have to grant that every single time you used this feature, and frankly users wouldn't put up with it (the UX "friction" described upthread). also I'm not entirely sure that Preview tray doesn't actually belong to the System in iOS as it's quite uniform throughout the different apps... but it doesn't matter as it is currently doing the blanket access request up front and relying on users to turn it off if they like in Settings (which honestly is easy)

TarpitCarnivore · Nov 12, 2019

Jroc said:
Stuff like "my phone is listening to me and generating ads" and "my camera is recording my face while I browse facebook".

Basically the stuff that people "discover" every once in a while.

Security researchers have very likely been trying to prove this for years. Also has been stated, the risk of doing this is way too high when they have ways to generate much more valuable data that people are handing over without even a thought

Nerfgun said:
photos are a weird case – no one knows to pick _IMG34657.HEIC from a file list or what that is... so you need to show preview thumbnails in order for the user to pick what they want to upload or use, right

need to generate previews = need access to photo library

now I see what you are saying in that it should be a System-generated tray that pops up and allows access for the one photo you pick, but you'd have to grant that every single time you used this feature, and frankly users wouldn't put up with it (the UX "friction" described upthread). also I'm not entirely sure that Preview tray doesn't actually belong to the System in iOS as it's quite uniform throughout the different apps... but it doesn't matter as it is currently doing the blanket access request up front and relying on users to turn it off if they like in Settings (which honestly is easy)

I'm pretty sure iOS is just granting access to view the files, but you can show them how you want (Instagram has it's own look). I'd imagine it very much functions like the in-app browser that apps can leverage in that it's pretty much safari but if you want you can color match the UI to your app. Apple is so protective over their API's and how you use them that I'd be shocked if apps could 1. access anything outside of Photos and 2. access photos when not explicitly called ie opening camera or upload.

Deleted member 6582 · Nov 12, 2019

Fliesen said:
This looks like Instagram's implementation where the 'Story' camera is always to the left of your Feed (i guess so it loads up faster?).

I guess they wanna introduce that in the Facebook as well?

Actually - didn't it work like that before?

It's probably exactly this.

Loan Wolf said:
lol I was contemplating on reactivating my facebook. Hope antitrust legislation can split FB, IG, and Messenger as I still use the latter two

I have the feeling they'll gut end-to-end encryption efforts and call it a win against big business.

NineConsonants · Nov 12, 2019

hrœrekr said:
It does not. Browsers run in this sandbox concept, where the OS protects your computer files.

This full range access to find the file is entirely managed by the OS layer. The browser and the website have no idea what files are there till you select and confirm them.

Also having access to photos/camera roll is already too much if you just want them to access that one file you need to upload.

Uhh, I/O is also sandboxes with system calls, typically. I would expect that the camera roll viewer in apps is a component made by Apple and it handles the viewing and selecting of photos and only returns the photos that the user selected to the app. Just because you are seeing those photos in the app doesn't mean the app has the data.

Lord Error · Nov 12, 2019

Daytak said:
iOS13 continues to be a fucking mess

Are you kidding? The reason this was discovered is because iOS13 doesn't open successive popup modals in fullscreen, and leaves previous views shrunk a bit behind. It doesn't mean that iOS13 is the reason this is happening, just that it's finally become visible.

mashoutposse said:
It's a bug. Of course, privacy people are going to jump all over this. This group has been trying to kill FB forever.
If the feed isn't being sent back to FB, it's just an unfortunate bug that will be cleaned up in the next update.

It probably is a bug, but they don't need to send the video feed to make use of this. They could be running image recognition on what camera sees, and seding just that small amount of data.

hrœrekr · Nov 12, 2019

NineConsonants said:
Uhh, I/O is also sandboxes with system calls, typically. I would expect that the camera roll viewer in apps is a component made by Apple and it handles the viewing and selecting of photos and only returns the photos that the user selected to the app. Just because you are seeing those photos in the app doesn't mean the app has the data.

Unfortunately, it is not. Is a different sandbox implementation. The API allows you to fetch the library. The camera roll viewer is part of the app UI.
Remember when facebook started to auto load the last pic from your library into your timeline, but not posting till you confirm it?
--

I'm really tired of trying to explain it. People believe what they want to believe.

Soulnado · Nov 12, 2019

Imagine all the petabytes of data they have about people jerking off to their hot friends.

Linkura · Nov 12, 2019

I fucking knew it was a good idea to never download the Facebook app to any of my phones and just use it in the browser. Don't use Facebook anymore at all really but back when I did...

The Real Abed · Nov 12, 2019

I just tried to replicate this and only had a black screen behind the "seam" but then realized it's because I reinstalled the app recently and didn't even use the camera yet so it hasn't even asked permission yet. That said, I'm less concerned about them recording stuff while you're not even in the camera part of the app and more about the battery usage it's sucking up while you're just browsing.

Thank goodness I never even use FaceBook except to check my memories from when I used to actually use FaceBook.

I'll just leave the permissions off. I never want to take photos while in the app. If I want to post something I'll use the Camera app first and post it from my library.

Pbae · Nov 12, 2019

Fuck Facebook. Deleting my account after all the shit they pulled in 2016 was the best thing ever.

DOT_mjo · Nov 12, 2019

At what point does the government step in and start regulating facebook.

whytemyke · Nov 12, 2019

Just get rid of the app. I haven't had it for over a year now and if I want to look at Facebook I go on through a browser where I control the conditions

not the most secure thing but it's better than having the app.

DOT_mjo said:
At what point does the government step in and start regulating facebook.

Are you kidding? Never. Cambridge Analytica taught them how to win elections and influence people with this stuff. Facebook and social media in general is NEVER getting regulated. They'll continue to blame every victim of this stuff for anything that happens to them, and casually scold Facebook in the news while never lifting a finger over it. Not a chance.

Dr. Zoidberg · Nov 12, 2019

DOT_mjo said:
At what point does the government step in and start regulating facebook.

Why would they? They're in cahoots!

TheAndyMan · Nov 12, 2019

Fuck Facebook. Just delete it.

TheAndyMan · Nov 12, 2019

ZeroX said:
I'm sure that Facebook is spying on you in many ways but this certainly seems to be either a bug or camera being kept in standby for quite use like other apps.

Apple pushed out a patch quickly because of battery drain and call dropping. That patch then screwed up memory so apps would restart constantly. (These are all mentioned in Apple's patch notes btw) The patch to fix app restarting has now messed with UI performance and touch inputs. Each update introduces new issues. It's the worst in years. Easily.

So that's what was going on recently. Felt like Safari was refreshing every 5 minutes.

Netherscourge · Nov 12, 2019

Don't use the app.

Stick to the mobile browser version. You can block any website from accessing your camera/mic/location/contacts/media/etc... in the browser settings.

The app, however, can access your whole phone.

Kay · Nov 12, 2019

Somewhere Zuck has a database full of these guys

night814 · Nov 12, 2019

5taquitos said:
Just delete your Facebook account.

Really, you don't need it.

No doubt about that, a million other ways to keep in contact with people you care about.

hateradio · Nov 13, 2019

Another shitty shit thing that shitty Facebook is doing. Not surprised.

Rendering... · Nov 13, 2019

Joke's on them, I constantly block my camera with my dick.

Protome · Nov 13, 2019

Facebook sucks but this is a bit of a stretch and easily solved by turning off camera permissions.

Netherscourge said:
Don't use the app.

Stick to the mobile browser version. You can block any website from accessing your camera/mic/location/contacts/media/etc... in the browser settings.

The app, however, can access your whole phone.

This is not how apps work, no.

finalflame · Nov 13, 2019

Pizza Dog said:
Makes sense that someone working at a tech firm, especially a well known celebrity in the tech industry, would want to take additional precautions. It's much more likely that someone's going to want to hack Mark Zuckerberg's camera than mine.

The reason lots of people in tech do this is so we don't accidentally dial into a meeting when working remotely and show our stupid face to an entire meeting room if we forget to disable video before joining. It has close to zero to do with worrying about having someone watch you through your webcam.

Protome said:
Facebook sucks but this is a bit of a stretch and easily solved by turning off camera permissions.

This is not how apps work, no.

Most likely explanation is this is a way to optimize opening the camera faster for taking pictures for your feed/story. Lots of companies with camera-centric functionality are obsessed with how fast you can open the camera in-app. But nobody here is going to accept any explanation short of a full blown conspiracy.

Protome · Nov 13, 2019

finalflame said:
Most likely explanation is this is a way to optimize opening the camera faster for taking pictures for your feed/story. Lots of companies with camera-centric functionality are obsessed with how fast you can open the camera in-app. But nobody here is going to accept any explanation short of a full blown conspiracy.

Yeah, given it's their full camera screen running that would make sense. Either that or something on the Image screen causes the camera to load due to changes in the newest version of iOS. If they actually wanted to do what people suspect them of doing
1) they could just add a camera view to any/all screens and hide it so the user could never see it
2) Apple would probably figure that out and reject it.

like if this was an actual thing they actually wanted to do, opening their camera screen makes zero sense.

Deleted member 41520 · Nov 13, 2019

Aurongel said:
Feel like this selection from the article should have been included in the OP.

If I had to take a guess, I'd say that the app is attempting to pre-load the camera functionality in the background for its Story feature and isn't obscuring it properly due to a bug that exposes this issue in certain versions of iOS 13. Instagram and Snapchat both behave this way if I'm not mistaken, I think that's the far more likely culprit here rather than Facebook intentionally trying to do something malicious.

Yup.

It must be faster for their software to always have the camera open in the background, rather than having to initialize when people select camera or story.

Deleted member 19218 · Nov 13, 2019

That's fine. If they want to see my hairy, sweaty crotch when I browse porn then good luck in life to the employee that checks that.

Fliesen · Nov 13, 2019

Kuma Bear said:
That's fine. If they want to see my hairy, sweaty crotch when I browse porn then good luck in life to the employee that checks that.

You browse porn on Facebook?

Protome · Nov 13, 2019

Jiminy said:
Yup.

It must be faster for their software to always have the camera open in the background, rather than having to initialize when people select camera or story.

Speaking from experience, if you don't pre-load the camera then the user will see a second or two of black screen as the camera connects. It's nothing major, but not surprising that apps like Facebook do things like this to hide that from users as best as possible.

Deleted member 41520 · Nov 13, 2019

Protome said:
Speaking from experience, if you don't pre-load the camera then the user will see a second or two of black screen as the camera connects. It's nothing major, but not surprising that apps like Facebook do things like this to hide that from users as best as possible.

Precisely.

TP-DK · Nov 13, 2019

Netherscourge said:
Don't use the app.

Stick to the mobile browser version. You can block any website from accessing your camera/mic/location/contacts/media/etc... in the browser settings.

The app, however, can access your whole phone.

Yeah no, thats not how it works on apps.

baron doggystyle von woof · Nov 13, 2019

If you are still using Facebook after everything, it's on you.

Lishi · Nov 13, 2019

Fliesen said:
You browse porn on Facebook?

Anything can be porn if you are skilled enough.

tokkun · Nov 13, 2019

Jroc said:
Stuff like "my phone is listening to me and generating ads" and "my camera is recording my face while I browse facebook".

Basically the stuff that people "discover" every once in a while.

Working at a big tech company we get a lot of training on privacy issues. They are taken very seriously because of the damage they do to the brands and the strong legal penalties due to GDPR.

The people who believe that big companies are spying through cameras or microphones in order to give you targeted ads come off as very naive.

Just_a_Mouse · Nov 13, 2019

Facebook is evil trash, I deleted my account ages ago.

shnurgleton · Nov 13, 2019

I think Facebook is bad

PaulLFC · Nov 13, 2019

Glasfrut said:
You are being watched.
The government has a secret system:
A machine that spies on you every hour of every day...

"I know because... I built it."

God I miss Person of Interest. What a show.

mashoutposse · Nov 13, 2019

baron doggystyle von woof said:
If you are still using Facebook after everything, it's on you.

What's "everything"?

Facebook is secretly accessing your iPhone’s camera while just browsing news feed

Attempted to circumvent ban with alt account

User requested account closure

Attempted to circumvent ban with alt account

Attempted to circumvent ban with alt account

Attempted to circumvent ban with alt account

User requested account closure

User requested account closure

Attempted to circumvent ban with alt account

Alt account

One Winged Slayer

Product Management

User requested account closure