This repository has been archived by the owner on Mar 23, 2023. It is now read-only.

Block LOC extension #48

Closed
fmarier opened this issue Feb 4, 2022 · 7 comments · Fixed by #49 or brave/brave-core-crx-packager#332
Comments


fmarier commented Feb 4, 2022

https://chrome.google.com/webstore/detail/loc/eojdckfcadamkapabechhbnkleligand

If a user is already logged into Facebook, installing this extension will automatically grant a third-party server access to some of the user's Facebook data. The API used by the extension does not cause Facebook to show a permission prompt to the user before the application's access token is issued.

Details

There is a notice when installing the extension that it will have read & write access to FB and another site:
Screenshot from 2022-02-04 17-38-22

After that, it makes a network call to https://business.facebook.com/creatorstudio/home and ends up creating a new access token without any user interaction:
Screenshot from 2022-02-04 17-30-55bis

That's despite the fact that user tokens are supposed to require an app to ask for permission:

User Access Token: This kind of access token is needed any time the app calls an API to read, modify or write a specific person's Facebook data on their behalf. User access tokens are generally obtained via a login dialog and require a person to permit your app to obtain one.

Interestingly, I can't see that access token anywhere in my account:
Screenshot from 2022-02-04 17-35-53
Screenshot from 2022-02-04 17-36-12
Screenshot from 2022-02-04 17-36-24

Also, the post-install URL that the extension opens explicitly tells users that their Facebook account might get suspended as a result of installing this extension:
Screenshot from 2022-02-04 17-31-51

@fmarier fmarier self-assigned this Feb 5, 2022

fmarier commented Feb 5, 2022

Adding this extension to the blacklist section of extension-whitelist prevents new installations:
Screenshot from 2022-02-04 18-23-14
and shows a message about already-installed ones:
Screenshot from 2022-02-04 18-26-05
but it's not clear that existing installations are actually disabled:
Screenshot from 2022-02-04 18-27-01

fmarier added a commit that referenced this issue Feb 5, 2022
fmarier added a commit to brave/brave-core-crx-packager that referenced this issue Feb 10, 2022
fmarier added a commit to brave/brave-core-crx-packager that referenced this issue Feb 10, 2022

fmarier commented Feb 10, 2022

Blocked as of Brave Local Data Updater - Version: 1.0.68.

@fmarier
Copy link
Member Author

fmarier commented Feb 10, 2022

locmai0808 commented

Hello @fmarier.

I'm the creator of the extension. I would like to verify how my extension would "generate" the access token.
As long as you are logged in on Facebook, if you go to view-source:https://business.facebook.com/creatorstudio/home on your browser, you should be able to use regex and search for accessToken inside there.

image

Based on my report and Facebook's response, it's a "feature" from Facebook and not a bug, so the Access Token from that page is not a bug.

The extension does not collect the user's data unless the user becomes a Premium user, and the only thing it collects is the UID.
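The creator's description above (a regex search for `accessToken` over the page source of a server-rendered page) is the technique at issue in this thread. The following is an added example, not the LOC extension's code and not anything posted in the thread: it scans a constructed HTML document for an embedded `accessToken` field, handles both the plain-JSON and the backslash-escaped-JSON forms such pages can use, and redacts the value for logging. The HTML, the token values and the function names are all constructed for illustration.

```javascript
// Added example (not the LOC extension's code): find an `accessToken` value
// embedded in server-rendered HTML, the way a page-scraping extension would.
// SAMPLE_HTML is constructed for this example; the token values are placeholders.

const SAMPLE_HTML = `<!DOCTYPE html>
<html><head><title>Creator Studio (constructed sample)</title></head>
<body>
<script>
  // Plain JSON object literal embedded in the page.
  window.__initialData = {"viewer":{"id":"100000000000000"},
    "accessToken":"EAAB-PLACEHOLDER-not-a-real-token-0123456789",
    "features":["inbox","insights"]};
</script>
<script>
  // Same kind of config embedded as a JSON *string*, so quotes are escaped.
  require("bootstrap", "{\\"accessToken\\":\\"EAAB-ESCAPED-PLACEHOLDER-9876543210\\"}");
</script>
</body></html>`;

// Matches  "accessToken":"<value>"  and the escaped form  \"accessToken\":\"<value>\".
// Each quote may be preceded by an optional backslash; the value itself may not
// contain a quote or a backslash, which keeps the match from running past the end.
const ACCESS_TOKEN_RE = /\\?"accessToken\\?"\s*:\s*\\?"([^"\\]+)\\?"/g;

// Return every distinct accessToken value found in `html`, in document order.
function findAccessTokens(html) {
  const seen = new Set();
  const tokens = [];
  for (const match of html.matchAll(ACCESS_TOKEN_RE)) {
    const token = match[1];
    if (!seen.has(token)) {
      seen.add(token);
      tokens.push(token);
    }
  }
  return tokens;
}

// Return the first embedded accessToken, or null when the page carries none.
function extractAccessToken(html) {
  const tokens = findAccessTokens(html);
  return tokens.length > 0 ? tokens[0] : null;
}

// Never log a bearer credential in full: keep only a short prefix and suffix.
function redactToken(token) {
  if (typeof token !== "string" || token.length <= 8) {
    return "***";
  }
  return `${token.slice(0, 4)}...${token.slice(-4)}`;
}

// Stand-alone demonstration over the constructed page.
if (typeof require !== "undefined" && require.main === module) {
  for (const token of findAccessTokens(SAMPLE_HTML)) {
    console.log("embedded accessToken found:", redactToken(token));
  }
  console.log("page without token:", extractAccessToken("<html></html>"));
}
```

The point for a reviewer is the one fmarier raises in the issue: nothing in this flow is an OAuth login dialog. If a page embeds a usable token in its HTML, any extension granted host access to that origin can read it with a single fetch and a regex, and the user sees no consent prompt for the resulting access.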


fmarier commented Feb 11, 2022

Thanks for reaching out @locmai0808 .

If I understand correctly, you're saying that this Facebook Creators Studio has its own access key that's not visible in a user's settings. The extension then extracts this key from the HTML and then uses it to access the various Facebook APIs it needs. Is that correct?

The extension does not collect the user's data unless the user becomes a Premium user, and the only thing it collects is the UID.

When you say UID, is that the Facebook numerical user ID?
Does the extension keep the access token locally on the machine or is it ever sent to another server?


fmarier commented Feb 11, 2022

Based on my report and Facebook's response, it's a "feature" from Facebook and not a bug

Are you able to share this report and Facebook's response? If you prefer not to do it publicly, feel free to email it to me: francois@brave.com

locmai0808 commented

@fmarier

If I understand correctly, you're saying that this Facebook Creators Studio has its own access key that's not visible in a user's settings. The extension then extracts this key from the HTML and then uses it to access the various Facebook APIs it needs. Is that correct?

Yes this is correct, the access token is within the HTML of that page. Any Facebook user can really just go to view-source:https://business.facebook.com/creatorstudio/home and view the access token in there.

Each Facebook user is assigned a UID; for example, Mark has the UID 4 (fb.com/4).
The extension keeps the access token locally in their browser, and to be exact, it's stored under localStorage.touch.
The extension does NOT send/collect the user's access token anywhere; everything runs locally.
The extension will collect the user's UID and compare it with my database to see if the user is a Premium user or not, and thus can allow access to some Premium features.

I will forward to you my bug report emails - the only copies I have left since I'm banned on Facebook platform forever.

fmarier added a commit that referenced this issue Feb 19, 2022