Hunter Ford

Facebook is "Peeping" into Your System

Facebook is passing off a program that collects a list of your running applications as a "Video Chat Updater".

On my Mac, I noticed a new file in my LaunchDaemons folder: com.facebook.videochat.hunterford.updater. It seems harmless enough, but after perusing the file, I see that it runs every 3 hours... that seems somewhat excessive to me. Google's sync services run every hour. Logging goes to /dev/null.
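A quick way to review a launchd job like this one is to read its plist and pull out the three things mentioned above: what it runs, how often (StartInterval is in seconds), and whether its stdout/stderr are sent to /dev/null. The script below is an added example, not Facebook's updater code and not the author's; the sample plist it audits is constructed to mirror the job as described, so its argument list, 10800-second interval and /dev/null paths are assumptions rather than the real file's contents.

```python
"""Audit launchd job plists for a periodic StartInterval, output discarded
to /dev/null, and a Java jar as the program. Added example; the sample
plist is constructed from the post's description, not copied from disk."""
import os
import plistlib
import tempfile

# Constructed sample plist (assumed contents, modelled on the post).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.facebook.videochat.hunterford.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/java</string>
    <string>-cp</string>
    <string>/Users/hunterford/Library/Application Support/Facebook/video/1.0.0.7340/FacebookUpdate.jar</string>
    <string>FacebookUpdate</string>
    <string>com.facebook.peep</string>
    <string>1.0.0.7340</string>
  </array>
  <key>StartInterval</key>
  <integer>10800</integer>
  <key>StandardOutPath</key>
  <string>/dev/null</string>
  <key>StandardErrorPath</key>
  <string>/dev/null</string>
</dict>
</plist>
"""

LOG_KEYS = ("StandardOutPath", "StandardErrorPath")


def audit_plist(path):
    """Summarise one launchd job: what it runs, how often, whether it hides output."""
    with open(path, "rb") as f:
        job = plistlib.load(f)
    args = list(job.get("ProgramArguments") or [])
    if not args and "Program" in job:
        args = [job["Program"]]          # jobs may use Program instead of ProgramArguments
    interval = job.get("StartInterval")  # seconds between runs, if the job is periodic
    return {
        "label": job.get("Label", os.path.basename(path)),
        "command": " ".join(args),
        "interval_hours": interval / 3600 if interval else None,
        "logs_discarded": all(job.get(k) == "/dev/null" for k in LOG_KEYS),
        "runs_jar": any(a.endswith(".jar") for a in args),
    }


def flags(finding):
    """Reviewer rules: each returns a short reason when it applies."""
    reasons = []
    if finding["logs_discarded"]:
        reasons.append("stdout/stderr discarded to /dev/null")
    if finding["runs_jar"]:
        reasons.append("runs a Java jar via a system java binary")
    if finding["interval_hours"] is not None:
        reasons.append("polls every %g h" % finding["interval_hours"])
    return reasons


def audit_directory(dirpath):
    """Audit every *.plist in a LaunchDaemons/LaunchAgents-style directory."""
    results = []
    for name in sorted(os.listdir(dirpath)):
        if name.endswith(".plist"):
            results.append(audit_plist(os.path.join(dirpath, name)))
    return results


def write_sample(dirpath=None):
    """Write the constructed sample plist into a temp directory; return its path."""
    dirpath = dirpath or tempfile.mkdtemp()
    path = os.path.join(dirpath, "com.facebook.videochat.hunterford.updater.plist")
    with open(path, "wb") as f:
        f.write(SAMPLE_PLIST)
    return path


if __name__ == "__main__":
    sample = write_sample()
    for finding in audit_directory(os.path.dirname(sample)):
        print(finding["label"], "->", finding["command"])
        for reason in flags(finding):
            print("   ", reason)
```

On a real system you would point audit_directory at /Library/LaunchDaemons or ~/Library/LaunchAgents instead of the temp directory; plistlib reads XML plists directly, and binary ones can be converted first with plutil.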

So I run the jar file from the command line:

/usr/bin/java -cp ~/Library/Application\ Support/Facebook/video/1.0.0.7340/FacebookUpdate.jar FacebookUpdate com.facebook.peep 1.0.0.7340

Notice something? Hint: "com.facebook.peep". The first thing it does is execute sw_vers -productVersion, which returns 10.7 since I'm running Mac OS X Lion. That's fine. I mean, it's good information for the developers to know what version of Mac OS X I'm running.

Next it executes ps -ceo comm=tasks. Hey now... that's a list of all my running applications. I can see that having this much information would be great for debugging, but I'd rather you ask my permission!

Executing command: sw_vers -productVersion
10.7
Executing command: ps -ceo comm=tasks
tasks
launchd
kextd
UserEventAgent
notifyd
...
-bash
Attribute 0: {} protocol : 2.0
Attribute 0: {} elapsed_seconds : 40043
Attribute 0: {} status : ok
Attribute 0: {} protocol : 2.0
Attribute 0: {} elapsed_seconds : 40043
Attribute 0: {} status : noupdate
Attribute 0: {} protocol : 2.0
Attribute 0: {} elapsed_seconds : 40044
Attribute 0: {} status : ok

They could also use this information to see whether I'm using Google Video Chat. Whether this is the purpose or not, I don't know. Regardless, they're collecting this information from millions of unknowing users. Bad form, Facebook. Bad form.

EDIT: I did want to add that right after the jar file is executed, there is some encrypted https traffic to facebook.com. I obviously can't see what is being sent, but it seems reasonable to me that if they gather this information, it's being sent back "home."


Comments

  • Tony Grear

    How did a web page get shell access? Can't happen unless your OS has a hole in its security. I think you must have misread or skipped something.
  • Mike Greenwald

    As far as the HTTPS traffic is concerned, you could actually use the HTTP/S proxy called "Charles" (http://www.charlesproxy.com/) to actually do an MITM and see what the traffic consists of. I have to do similar operations on OSX with Charles and on Windows using Fiddler when troubleshooting issues at work.
  • Florian Horner

    Repeatedly occurring error messages in my logs made me stumble upon this. Might this be enough to permanently get rid of it? $ launchctl remove com.facebook.videochat.$username.updater
  • Michiel Prins

    I sniffed the https traffic between the updating client and facebook.com. The only https traffic to the facebook.com domain is sent to their update service: https://facebook.com/omaha/update.php with POST requests. They use the Omaha v2 client/server protocol to check if an update is available. The process tree is not sent to facebook.com through this https connection. However, I can't confirm they're collecting running process information through another connection/protocol. The output of "sw_vers -productVersion" is sent to the Omaha update service.
  • Sergei Anikin

    Maybe FB just wants to make sure that you are not in the middle of a video call, which they would interrupt by replacing/updating the binary?
  • ScottE

    It's java, just decompile it and you can find out what it's doing.
  • Dan Linehan

    How are they collecting the information? Does it send / receive every three hours as well?
  • Hunter Ford

    I'd love to know where you found out that information. I don't recall hearing that in Mark Zuckerberg's keynote, and I couldn't find any mention of it in Google besides a sucky Facebook application that's supposed to tell you who's viewed your profile.
  • GTRoberts

    FWIW, Peep is the beta name of their new video chat service.