
Facebook Privacy: Chats Are Being Scanned By A CIA Funded Company

While testing an application we had set up in a non-published area, we noticed some unusual activity. The link for the app was sent via Facebook chat, and afterwards comes the interesting part:

Lots of IPv6 addresses for a single Facebook check.

We went a step further: we forced IPv4 and tracked the logs for a URL that was freshly created and sent via Facebook chat.

x.x.x.x were our IP addresses, and after Facebook checked the link there was no activity for ~3 minutes. As can be seen from the logs, the next hit carried the “Recorded Future” signature. (Here we’ll disregard two hits that were made from US/Illinois 16 minutes later, even though they are not related to our company or area.)
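A test like this is easier to interpret when every sharing channel gets its own unguessable URL, so that a later third-party fetch can be attributed to one channel. The following is an added example, not code from the original post; the `/_t/<token>.png` paths, token values, log lines and the `ExampleCrawler` user agent are constructed for illustration.

```python
import re
from datetime import datetime

# Hypothetical token -> channel map: each unguessable token is shared on exactly one channel.
# "control" is never shared anywhere; a hit on it points at the server or network side.
TOKENS = {"a1f3c9": "facebook-chat", "7be204": "email", "c55d0e": "control"}

# Constructed Apache combined-format lines (documentation IP ranges, made-up crawler UA).
SAMPLE_LOG = '''\
192.0.2.10 - - [14/Apr/2015:10:00:05 +0000] "GET /_t/a1f3c9.png HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
2001:db8::1 - - [14/Apr/2015:10:00:20 +0000] "GET /_t/a1f3c9.png HTTP/1.1" 200 512 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
192.0.2.10 - - [14/Apr/2015:10:01:00 +0000] "GET /_t/7be204.png HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [14/Apr/2015:10:03:25 +0000] "GET /_t/a1f3c9.png HTTP/1.1" 200 512 "-" "ExampleCrawler/1.0"
203.0.113.9 - - [14/Apr/2015:10:04:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "-"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|HEAD) /_t/(?P<tok>[0-9a-f]+)\.png [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def attribute_hits(log_text, own_ips):
    """Return token hits from clients other than us, tagged with channel and delay since first request."""
    first_seen, hits = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["tok"] not in TOKENS:
            continue  # not a canary URL
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        first_seen.setdefault(m["tok"], ts)
        if m["ip"] in own_ips:
            continue  # our own test requests
        hits.append({"channel": TOKENS[m["tok"]], "ip": m["ip"], "ua": m["ua"],
                     "delay_s": int((ts - first_seen[m["tok"]]).total_seconds())})
    return hits

def leaked_channels(hits, expected_ua_prefixes=("facebookexternalhit",)):
    """Channels whose token was fetched by something other than the platform's preview fetcher."""
    return sorted({h["channel"] for h in hits if not h["ua"].startswith(expected_ua_prefixes)})

if __name__ == "__main__":
    found = attribute_hits(SAMPLE_LOG, {"192.0.2.10"})
    for h in found:
        print(h)
    print("channels with unexpected fetches:", leaked_channels(found))
```

The attribution only holds while each token stays on its one channel: pasting the server log or the URL anywhere else creates a second channel for that token.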

A search for the terms “facebook chat scan” gave us this result: http://mashable.com/2012/07/12/facebook-scanning-chats/, but in this case it’s a third party, a company unrelated to Facebook.

“Recorded Future is an American-Swedish startup backed by both Google Ventures and American intelligence agencies.”
http://www.fastcolabs.com/3014444/does-world-history-repeat-one-cia-backed-startup-plans-to-find-out

They also claim:

Considering that they were crawling links that were not published anywhere else and were only sent via FB chat, “open Web” seems to be an understatement.

Also, the interesting part is that the recent focus of “Recorded Future” is terrorist groups such as ISIS, cyber criminal organizations and any kind of “public” internet activity that’s related to possible threats.

The conclusion would be that privacy on Facebook does not exist, and their lawyers covered it well with the EULA and their privacy policy:

 

  • This is an exciting finding but confusing at the same time.

  • B. Dunkerson

    What a bunch of tinfoil hat nonsense — have you considered the most likely explanation, or are you so firmly entrenched in a CIA plot to monitor your every move (LOL) that it never occurred to you that every time you post a URL on facebook it tries to fetch a preview?

    • GoogleUser

      Dunkerson,

      I understand your quickness to jump to conclusions such as “oh, it’s most likely nothing” and “they’re just trying to protect us”… however, don’t you believe this is worth looking into and asking questions?

    • babyfarkmcgyzax

      Why would you need a website preview in the chat ?…

      • They grab a website preview so they can provide a thumbnail and page title.

        • babyfarkmcgyzax

          Yep, I know that. But why would YOU need to have a title and a thumbnail in the chat? I just want my link clickable, nothing more. And certainly not let them crawl all the content I share in private.

    • JoeRingMail

      FB doesn’t need to be “entrenched in a CIA plot”, B. DUMBkerson, Facebook’s second and by then MAJOR investment in 2005 ($12MM vs Thiel’s first $500k) came from James Breyer, an owner of CIA-established InQtel.

      We can talk about conspiracy theories all day long, but go back into SEC documents, or even Breyer memorandums on it, and you find it’s not a secret who founded Facebook.

      Or go back post some more crap on your FB wall and leave grownups stuff to adults, buddy.

    • Andreas Baader

      Yes. That’s why I didn’t even mention requests from Facebook directly (visible in the Apache log).

    • god

      Nice try CIA sock puppet.

  • pbjellytoons

    I saw this post: https://news.ycombinator.com/item?id=9375461

    It makes me wonder, did you serve the URL /_temp/cork.png over HTTP or HTTPS?

    • Andreas Baader

      HTTP

      • Guest

        Is it possible that your upstream ISP is sniffing URLs?

  • Matt Kodama

    Hi Bosnadev – Recorded Future’s systems followed this URL after it was posted on a public site. Our system constantly explores links published on the web. We’ve checked our logs and confirmed that this is what happened in this specific case. It’s not related to any Facebook chat messages containing this link. Our system doesn’t access that information.

    • Andreas Baader

      I assure you it was not posted publicly by any of us. Newly created URL and link c/p to fb chat.

      • Matt Kodama

        Hi Andreas – I’m not saying it was posted publicly by you or someone in the Bosnadev team. Please contact me directly (matt at recordedfuture dot com) and I will share more details with you. I didn’t think dumping that info in the comment thread was appropriate, based on your blog post!

        • Matt Kodama

          Andreas – just tried to email you those details, but the message bounced. If you’d like to take a look, please give me a way to contact you. Or reply that it’s fine to post the info here in comments.

      • JC Sevcik

        Reporter with the Daily Dot here. I’m interested in covering this story and have some questions for you. Please email me (jcsevcik at dailydot dot com).

        • Lance Legel

          If you do publish something, please post a link back here.

      • vanbraekel

        http://pastebin.com/ukBvSKyw – Look at the timestamps. And no “Recorded Future” here, hence published before their fetch.

        • Vedran Alajbegovic

          I tried to replicate that, doesn’t work!

          • vanbraekel

            What I’m saying is that Recorded Future could find the “secret” URL, because somebody had already published a partial HTTP log on Pastebin that contained the URL.

          • Vedran Alajbegovic

            They could however, last night that happened one after another, now, everything stops??? WHY??? Keeping low profile??

          • vanbraekel

            This is really a no-brainer. Google the “secret” URL, make sure you click the option to show the “omitted” search result, look what search result is from before this article was published, and you will find an HTTP log, containing the “secret” URL, that was posted to pastebin.

        • Andreas Baader

          This paste is expired. That may be the source but we still can not reproduce a “crawl” from anyone else that came from a public paste on pastebin. We tried putting logs, just url, any other combo did not bring to anyone else visiting those url-s. I will gladly update the article when we are done with testing.

          • vanbraekel

            OK. Make sure you do the test with a “new” secret URL, because the crawler may look for new URLs and ignore URLs that have been crawled already.

          • Andreas Baader

            Yep, we’ll make a thorough inspection with all the variations and update the blog post.

          • Lance Legel

            Hi Andreas,

            Can you please disclose any conclusions? If you’re unable – for one reason, or another – to identify anything too concrete, can you at least comment?

            Thanks.

            Lance

        • TonyS

          Why has that been removed? It is funny, I am signing in with facebook to ask this question.

      • Guest

        Andreas, vanbraekel found a pastebin link that included your “secret” URL. One of your team members or an automated tool pasted it into the pastebin site. Then “recorded future” found that post including the “secret” URL and tried to harvest it because it is in the open.

        Look at the timestamps. Someone posts this log http://pastebin.com/ukBvSKyw with no mention of the “recorded future” IP. Then Recorded Future harvests it after finding it on pastebin, and then you see it in your logs afterwards. They come so long after the original message in the log because of the delay in posting to pastebin.

  • From a comment on the Hacker News thread (https://news.ycombinator.com/item?id=9375878):

    “Hi everyone. I work on the security team at Facebook. While investigating the claims of this post, we’ve confirmed that Facebook doesn’t use Recorded Future — an open source aggregator of public data — to scan any private content. That means we haven’t partnered with or directed Recorded Future to scan anyone’s message links.

    It’s hard to tell precisely what’s going on based on the amount of information in the post. It’s possible that another interaction, including one that could be occurring on the client machine, is consuming the URL and generating this behavior.

    We’ll update if any new information is discovered.”

    • James Birk

      This is absolutely true. The feds don’t need to use an outside “scanner”. They’ve already got the keys to the Facebook castle, and every single byte of data that exists within it is absolutely open for examination and aggregation from the inside, privately, and in such a way that you’ll never know it. (inasmuch as an fopen operation on a file handle is invisible to the network layer)

  • alana habda

    Good article. I will request all our network admins to block those ip ranges from RecordedF. On all firewalls routers websites etc.. good to know. thanks. More should completely block them.