Facebook is "Peeping" into Your System
Facebook is masquerading a program that collects a list of your running applications as a "Video Chat Updater".
On my Mac, I noticed a new file in my LaunchDaemons folder: com.facebook.videochat.hunterford.updater. It seems harmless enough, but after perusing the file, I see that it runs every 3 hours... seems somewhat excessive to me. Google sync services run every hour. Logging goes to /dev/null.
So I run the jar file from a command line: /usr/bin/java -cp ~/Library/Application\ Support/Facebook/video/1.0.0.7340/FacebookUpdate.jar FacebookUpdate com.facebook.peep 1.0.0.7340.
Notice something? Hint: "com.facebook.peep". First thing it does is execute sw_vers -productVersion which returns 10.7 since I'm running on Mac OS X Lion. That's fine. I mean, it's good information for the developers to know what version of Mac OS X I'm running.
Next it executes ps -ceo comm=tasks. Hey now... that's a list of all my running applications. I can see that having this much information would be great for debugging, but I'd rather you ask my permission!
Executing command: sw_vers -productVersion
10.7
Executing command: ps -ceo comm=tasks
tasks
launchd
kextd
UserEventAgent
notifyd
...
-bash
Attribute 0: {} protocol : 2.0
Attribute 0: {} elapsed_seconds : 40043
Attribute 0: {} status : ok
Attribute 0: {} protocol : 2.0
Attribute 0: {} elapsed_seconds : 40043
Attribute 0: {} status : noupdate
Attribute 0: {} protocol : 2.0
Attribute 0: {} elapsed_seconds : 40044
Attribute 0: {} status : ok
They could also use this information to see whether I'm using Google Video Chat. Whether this is the purpose or not I don't know. Regardless, they're collecting this information from millions of unknowing users. Bad form, Facebook. Bad form.
EDIT: I did want to add that right after the jar file is executed, there is some encrypted https traffic to facebook.com. I obviously can't see what is being sent, but it seems reasonable to me that if they gather this information, it's being sent back "home."
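Added example, not part of the original post and not Facebook's code: a Python script that audits launchd job files the way the post does by hand, reporting what each job runs, on what schedule, and whether its output is discarded. The embedded plist is constructed, since the post does not show the real file's contents; the StartInterval of 10800 seconds and the /Users/USER path are assumptions modelled on the post's description.

```python
import glob, os, plistlib

# Constructed sample: the post does not show the plist's contents, so every
# key and value below is an assumption modelled on the post's description.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.facebook.videochat.hunterford.updater</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/java</string><string>-cp</string>
    <string>/Users/USER/Library/Application Support/Facebook/video/1.0.0.7340/FacebookUpdate.jar</string>
    <string>FacebookUpdate</string><string>com.facebook.peep</string><string>1.0.0.7340</string>
  </array>
  <key>StartInterval</key><integer>10800</integer>
  <key>StandardOutPath</key><string>/dev/null</string>
  <key>StandardErrorPath</key><string>/dev/null</string>
</dict></plist>"""

def audit_job(plist_bytes):
    """Summarise what a launchd job runs, when, and where its output goes."""
    job = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    argv = job.get("ProgramArguments") or [job.get("Program", "?")]
    findings = []
    if "StartInterval" in job:
        findings.append(f"runs every {job['StartInterval'] / 3600:g} h")
    for key, text in (("StartCalendarInterval", "runs on a calendar schedule"),
                      ("RunAtLoad", "runs at load"), ("KeepAlive", "kept alive by launchd")):
        if job.get(key):
            findings.append(text)
    sinks = {job.get("StandardOutPath"), job.get("StandardErrorPath")}
    if "/dev/null" in sinks:
        findings.append("output discarded to /dev/null")
    return {"label": job.get("Label"), "command": " ".join(map(str, argv)),
            "findings": findings}

def audit_dirs(dirs):
    """Audit every plist in the given launchd directories; skip unreadable ones."""
    reports = []
    for path in sorted(p for d in dirs for p in glob.glob(os.path.join(d, "*.plist"))):
        try:
            with open(path, "rb") as fh:
                reports.append(audit_job(fh.read()))
        except Exception:  # unreadable, malformed, or not a dict-rooted plist
            continue
    return reports

if __name__ == "__main__":
    dirs = ["/Library/LaunchDaemons", os.path.expanduser("~/Library/LaunchAgents")]
    for r in [audit_job(SAMPLE_PLIST)] + audit_dirs(dirs):
        print(r["label"], "|", r["command"], "|", "; ".join(r["findings"]) or "-")
```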
Comments
Mike Greenwald
As far as the HTTPS traffic is concerned, you could actually use the HTTP/S proxy called "Charles" (http://www.charlesproxy.com/) to actually do an MITM and see what the traffic consists of. I have to do similar operations on OSX with Charles and on Windows using Fiddler when troubleshooting issues at work.
Florian Horner
Repeatedly occurring error messages in my logs made me stumble upon this. Might this be enough to permanently get rid of it? $ launchctl remove com.facebook.videochat.$username.updater
Michiel Prins
I sniffed the https traffic between the updating client and facebook.com. The only https traffic to the facebook.com domain is sent to their update service: https://facebook.com/omaha/update.php with POST requests. They use the Omaha v2 client/server protocol to check if an update is available. The process tree is not sent to facebook.com through this https connection. However, I can't confirm they're collecting running process information through another connection/protocol. The output of "sw_vers -productVersion" is sent to the Omaha update service.
Sergei Anikin
Maybe FB just wants to make sure that you are not in the middle of a video call, which they would interrupt by replacing/updating the binary?
ScottE
It's java, just decompile it and you can find out what it's doing.
Dan Linehan
How are they collecting the information? Does it send / receive every three hours as well?
Hunter Ford
I'd love to know where you found out that information. I don't recall hearing that in Mark Zuckerberg's keynote, and I couldn't find any mention of it in Google besides a sucky Facebook application that's supposed to tell you who's viewed your profile.
GTRoberts
FWIW, Peep is the beta name of their new video chat service.