Facebook claims Frost is phishing and blocks FB account

[visiongaming1]

Edit (Allan):

Resolution

Log out of Facebook & remove your device, update to v2.3.2, and log back in

Test build v2519 and Release build v2.3.2 are released with potential fixes

For more information, see the reddit post

For issues post v2.3.1, reply at #1522

---

Describe the bug Facebook describes Frost as an phising app that looks like the real facebook and try to steal your account.

Due to this I have to reset my account with new password and prove it is me. This have happened two times.

I do not use other apps/facebook services so this must be the app who triggers the facebook account reset.

Is it possible to trick FB into thinking that the app is a regular mobile browser? Maybe with user agent?

To Reproduce Steps to reproduce the behaviour: Happens randomly. Two times within the last 5 days of use. I have used the app for 6 months without any issues.

Details (please provide at least the app version):

• App Version: 2.3.1
• Device: Custom rom
• Android Version: Android 8.1

[adolfintel]

Can confirm. Both me and my friends got our accounts blocked with the same message.

[AllanWang]

There might be some correlation, but unfortunately there is no way for me to verify, as it hasn't happened to me yet and reports are still low (under 5 people out of thousands).

It could be that Facebook has other checks around the world as well. Do you mind also posting a screenshot of the phishing message? I've never seen that one specifically, but I can look into it.

Most of Frost is just a web browser. If you want to experiment, disable notifications and don't use the notification panel (native) for now. Notifications will use your cookie to fetch a web page, which isn't abnormal. Using the notification panel will attempt to mark it as read, which is a bit more work.

I'm not convinced that user agent has much to do with phishing, and if it did we should all be having problems. It is a goal to make it customizable in the future though (#1357)

Do you also see any consistent behaviour as to when you get the message? If it right at login, or when you look at a newsfeed etc

[adolfintel]

Here's what it looks like

Maybe you could spoof the user agent so it won't be as easy to detect frost.

[visiongaming1]

@AllanWang I got the same message as adolfintel.

First time my account got locked while logging in at the desktop browser. Next time I got locked while opening the frost app (think I opened a notification).

I fear that at some point they will close or ban my account.

Well not that I think that the user agent makes FB think Frost is a phishing app. I was thinking that if it was possible to make the app look like a regual browser they will not notice that I am not using the default app.

I will try to change the user agent when it is possible.

[AllanWang]

I don't see how user agent relates to phishing though, given that Frost uses a valid user agent from a real device. I'd say just lay off of Frost for now. If you are getting locked even with your browser, perhaps you are actually getting phished.

[AllanWang]

I'm more under the belief that suspicious activity could involve services to mark your notifications as read, or fetching notifications in general. In that case you should turn those off and try out just the feed for a while. I will consider adding a toggle to disable those features in the future

[visiongaming1]

Then it will prob not be any help. Thanks for the advice I will try to figure out if I am getting phished but I doubt it. I only log in at the browser and Frost.

[J0eP0tat0]

This has happened to me as well in the last couple weeks. I use Frost on my s9 and my tab s3 and desktop browser.

[GibberMeJenks]

I made an account specifically to comment on this issue. I've also had to change my password and verify my account twice since updating to the latest version of Frost last month.

Folks over at XDA are also commenting on this same issue here near the bottom of this page: https://forum.xda-developers.com/android/apps-games/app-frost-facebook-t3685896/page78

I think this can be considered a verified issue...Unfortunately I can't use Frost until a fix is in place. Someone over at XDA suggested to download the official Facebook app then use Frost but I rather not since the official app has way too many permissions.

I only use Facebook on my desktop and through the Frost app. I also added my device as trusted. This fixes the problem for about 3 weeks before Facebook locks your account again.

Specifically, I got this notification here when logging in that said:

"Our system found that your Facebook password might match one stolen from another site. Don't worry - you can keep your account secure by changing your password now".

I have login notifications sent to me as well and all have been verified as me.

[AllanWang]

Yeah XDA email notifications rarely work for me so I didn't see those comments. I guess Facebook did something recently.

I can attempt to push fixes here and there, but as I have no idea what the cause is, I can't guarantee it will work.

I could try stripping away features to see what causes it. Removing a fixed user agent for instance would mean that you can't view messages.

[GibberMeJenks]

To give more info, I was using v2.2.4 for a while and this issue was not present. I updated to v2.3.1 roughly a month ago when this started happening. Facebook may have updated their security too which may be causing this, but it's odd since I specifically added my device through Frost as an authorized login.

Thank you by the way for all the work you have been doing to the app. Frost is the only app I found that allows you to use messaging and other great features without the official permission intrusive messenger app.

[AllanWang]

If you'd like, you can revert back, though I don't think the changes between 2.2.4 and 2.3.1 would affect Frost to this degree. Most of them were internal, and I haven't had any major changes with how I interact with Facebook for a while

[3drinks]

I came here to say the same thing and to my surprise I see it's a bigger issue than I thought. I'm still using the version from the github and thought maybe that was it as the F-Droid version never did this. But seeing this many people, I'm positive now that it's related to FB increasing security - much the same way as Twitter is overly protective of their API.

[AllanWang]

I'll be making a new build soon to restrict most of the features for people to try out

[adolfintel]

I wonder if the issue could be caused by the fact that frost injects JS and CSS into the page. Is that even possible to detect?

[AllanWang]

You can detect it, but if that is the problem then most of the third party apps won't work

[AllanWang]

For those in this thread, try out https://github.com/AllanWang/Frost-for-Facebook/pull/1505

and enable web only mode (settings > behaviour). Feel free to comment here or in that PR

[nwrkbiz]

I think facebook somehow detects, that frost is not a webbrowser, because everytime this happens to me they ask me to revert my last facebook interactions. It seems like their system thinks we are bots.

[gbakeman]

I use Frost daily and haven't had my account locked yet, although using Facebook for me means mostly lurking, leaving a comment or post very infrequently, and sometimes sending direct messages. However, someone in my family who uses Facebook much more in Frost has had their account locked three or four times so far. I'm guessing interacting with Facebook through Frost has something to do with this security trigger?

[AllanWang]

Can those who are getting blocked elaborate on their usage?

Potential candidates are:

• Frequent user agent switches - messages and a few other pages require an older agent, so if you go between messages and the main feed a lot, the agent will switch quite frequently
• Specialized auth requests - if you click notifications a lot (from native UI/notification, not from the web page), I will mark it as read on your behalf. This takes a bit of effort to do
• Parsing - if you use notifications at all or the menu item frequently, parsing will occur. Probably isn't the issue or most people would be affected.

I tend to lurk in general as well, which is why I don't think parsing is the problem. I use messenger so I don't have user agent switches, and I don't often click on notifications.

---

If enabling web mode in the latest build still doesn't fix the issue, then perhaps it is due to user agent switches

[adolfintel]

Frequent user agent switches

I do check messages once or twice a day

Specialized auth requests

I have notifications disabled so probably not

Parsing

I have notifications disabled, and rarely check the menu item.

I also tend to just lurk for a few minutes every day, looking at meme pages and replying to messages from people too stubborn to install telegram.

I think you might be on the right track about that user agent switching thing, if the same cookie is used with 2 different user agents, that could be very suspicious indeed.

[AllanWang]

I can make a new build with just one user agent, but that's going to cause a lot of problems down the road. No single user agent will be able to provide all facebook features

[adolfintel]

It's worth trying. I don't know how to trigger the account blocking though, it happened once to me and all my friends using frost in the last ~7 days but now it's not doing it anymore.

[AllanWang]

New build in linked PR with hardcoded user agent. It is still building now (should be done in 5 min) but I'll be going to sleep.

[ArjenR]

With Frost-test I received one alert by email from Facebook to review and confirm that the login was actually me. I also got a verification contact questionnaire in Frost, the same as for password recovery, to again prove I was a legit user.

I do use Frost for messages. Would really dislike to use messenger for that.

[t0ma5]

I confirm that it happened to me today

[Clickau]

Happened to me 3 times already, the first being i think almost 2 weeks ago. I don't use the messages inside frost, because i use fb messenger, but i do use the notifications frequently.

[t0ma5]

I don't think it has something to do with notifications because I have never used them. Always innactive in settings. I do use the messages inside FROST

[adolfintel]

Reminds me of the AARD code, facebook is spreading the finest FUD

[3drinks]

I use it all, notifications, direct messages, timeline posts, the works because I removed the native FB and messenger app from my device. As I recall this never happened until the most recent Frost update which removed the attempted messenger redirect, so I'm inclined to believe that's the cause of this issue.

Perhaps we need a Frost for FB and a separate Frost for Messenger app?

[adamzea]

I got the Facebook Phishing block twice in the past week too. I don't use Messages, but I do use notifications. Only recently installed Frost for Facebook too and was loving it until this happened twice.

[nwrkbiz]

https://github.com/AllanWang/Frost-for-Facebook/issues/1504#issuecomment-519363321

Maybe it would be possible to parse the messages from facebook without switching the user agent by using: mbasic.facebook.com

[t0ma5]

#1504 (comment)

Maybe it would be possible to parse the messages from facebook without switching the user agent by using: mbasic.facebook.com

there are a few Facebook wrappers already doing that, but it looks super ugly :(

[hejops]

#1504 (comment) Maybe it would be possible to parse the messages from facebook without switching the user agent by using: mbasic.facebook.com

there are a few Facebook wrappers already doing that, but it looks super ugly :(

Tbh I've always liked that mbasic design. Would be nice if this could be an option. (maybe I'll file a separate issue on this)

[ofrinevo]

On the same boat- 4th or 5th time right now. I don't use the messages too much. I do scroll over it to get to the notifications, but don't use it too often. Maybe once in a few days. I don't have notifications enabled.

In the process of changing the password, it asks me to check on my latest comments on FB. The first time it had a comment, which I deleted (it was mine but I deleted it anyway). Since than, and because I deleted the "flagged" comment, it just shows my this view:

[adolfintel]

It happened again, even with the new commits from Allan

[AllanWang]

Which build? Did you enable web only?

What were you doing when it locked you? (Feed, comment, message, etc)

[adolfintel]

I built #1505 from source. Yes, I enabled web only.

I was not using facebook when it happened, I logged in this morning and the account was locked.

[AllanWang]

I'm confused then. Only a single user agent is used and no background executions should have happened. Perhaps if you had an old log in, the registered user agent is different, but if you log in from the new build then everything would be the same

[adolfintel]

Could be.

I'll tell you what, I'll try to contact facebook support and ask them about the issue. I'll pretend to be just a regular user that uses facebook from a browser

[hkzlab]

This is happening to me too. Third time in two weeks. I'm using Facebook via frost only. I never used Facebook messages, I just shared and liked posts since the last time I was blocked, I also never commented.

[antoineVerlant]

Hello, Just to say I had the same problem. Don't know if this change the Facebook behavior/policies but I live in EU. I just switched to v2512, Will keep you inform of the status.

I don't know how this work, so I may think stupidly. Do we all use the version from F-Droid, is this possible that the binaries as been maliciously replaced ? (I have no clue).

A side this, I want to thank you @AllanWang For the amazing job you did. This is the very best Facebook app I have been using. Big Thanks

[hkzlab]

@antoineVerlant yeah, using the FDroid version 2.3.1

[adolfintel]

@antoineVerlant F-Droid is not compromised, I was using my own fork of frost when it happened

[AllanWang]

Perhaps we need to do a final verification where people switch to the single user agent build and make sure they log in from there too. But otherwise it sounds like the culprit may be css/js injections, and in that case the app would be pretty useless without it.

On the other note, if people find that older versions of the app are working, perhaps I can look into that

[fitittome]

I'm getting this prob too. Can I just throw this out there? I'm using the Bromite replacement Webview. I was wondering if this maybe a common factor?

[3drinks]

Just got it again tonight.

[hkzlab]

@fittome Indeed, I do use bromite webview in one of the phones where I was logged in with frost

[AllanWang]

What about everyone else? I wonder if this is region specific too, as I still haven't encountered this.

[LoneFenris]

No Bromite here, but it has happened to me.