AllanWang / Frost-for-Facebook

An extensive and functional third party app for Facebook
https://allanwang.github.io/Frost-for-Facebook/
GNU General Public License v3.0

Facebook claims Frost is phishing and blocks FB account #1504

Closed visiongaming1 closed 5 years ago

visiongaming1 commented 5 years ago

Edit (Allan):

Resolution

Log out of Facebook & remove your device, update to v2.3.2, and log back in

Test build v2519 and Release build v2.3.2 are released with potential fixes

For more information, see the reddit post

For issues post v2.3.1, reply at #1522


Describe the bug: Facebook describes Frost as a phishing app that looks like the real Facebook and tries to steal your account.

Due to this I have to reset my account with a new password and prove it is me. This has happened two times.

I do not use other apps/Facebook services, so this must be the app that triggers the Facebook account reset.

Is it possible to trick FB into thinking that the app is a regular mobile browser? Maybe with user agent?

To Reproduce: Steps to reproduce the behaviour: Happens randomly. Two times within the last 5 days of use. I have used the app for 6 months without any issues.

Details (please provide at least the app version):

AllanWang commented 5 years ago

What is your use case? How frequently do you use it, what happened when the warning occurred, etc, and have you tried the test builds?

adolfintel commented 5 years ago

I'm using stock Lineage WebView (Chromium) because Bromite WebView gets wiped at every update.

t0ma5 commented 5 years ago

I'm getting this prob too. Can I just throw this out there? I'm using the Bromite replacement WebView. I was wondering if this may be a common factor?

I use bromite webview in one phone and I didn't face this issue at all yet. With the other phone using Chromium stock LineageOS I did have the issue :) nothing makes sense apparently

In one phone I have official Messenger Lite installed (no issues with Frost yet). In the other phone I have only Frost installed (issues).

LoneFenris commented 5 years ago

@AllanWang I tend to use both notifications and messages. I was using Frost pretty often before it locked as I was unable to use my computer for several days.

EDIT: Oh, and no, I haven't used the test builds as I haven't used Frost since the second time it locked for me.

I doubt this means anything, but I think both instances of my account locking happened around the time I went to post a status via Frost -- something I don't do very often. Still could easily be coincidental.

dos1 commented 5 years ago

Just wanted to add that it happens to me as well since a few days. LineageOS 14.1 with Google WebView, EU.

ArjenR commented 5 years ago

Ugh happened again with v2509

Will switch to v2512 and reset my password and see if this keeps working for me.

nwrkbiz commented 5 years ago

Happened again. This time I was only lurking. Region is Europe/Austria.

theopensourceguy commented 5 years ago

Thought I'd add to the survey:

Account was locked 5 times within the last week, each time i had to "verify my identity" and some (but strangely not all) of those times I was forced to change my (uncompromised) password. Also tried using 2FA and verifying the device as "trusted", but to no avail...

Edit: I should also mention, the first time I was locked out I was supposed to review some "suspicious" comments that were apparently the reason for the lockout. Turns out, those two comments were weeks old and I posted them from a web browser on my pc, too. So that has me even more confused.

GibberMeJenks commented 5 years ago

Not sure if this helps for research purposes, but I always use Firefox in Private Browsing mode on my desktop when accessing Facebook and never save my browser or login.

I also have notifications for logins sent to me that always mentions unusual logins. Facebook also always asks me to confirm if this was me but I never go to confirm the logins unless I know for sure it wasn't me.

The above never triggered the account locks. It only started happening mid last month when using Frost. I never logout of Frost on my phone and mainly use it for messaging, browsing news-feed, checking notifications, and occasionally posting comments.

Unfortunately I haven't had time to test the new builds, but will report back when I do!

AllanWang commented 5 years ago

Are all of you affected in Europe? We still haven't really pinpointed the common use case that triggers this

livingsilver94 commented 5 years ago

My girlfriend and I are in Europe and she got the issue (I myself don't have Frost installed).

AllanWang commented 5 years ago

I think I still need more info on usage for the newer builds, and for other third party apps/the mobile browser. I don't see how my build can differ from other options with everything disabled, and if it's a matter of css/js injection, then there won't be a point in using Frost.

It does also seem like this problem is isolated for Europe, so it's hard for me to debug it (hard enough for anyone to debug with little information)

3drinks commented 5 years ago

I am north America (west coast), using Frost v2.3.1 from github, and I am experiencing the issue too.

LoneFenris commented 5 years ago

Not just Europe. USA here. Though, again, I haven't tried the test build.

theopensourceguy commented 5 years ago

Feel free to ignore or delete this comment if it's too off-topic, but: How exactly would FB be able to detect JS/CSS injections? As far as my understanding of HTTP goes, the server can't know what happens to a HTML document once it sends it to the client. Am I missing something here? (Side-note: I'm not a web developer, I only have basic understanding about most web technologies)

visiongaming1 commented 5 years ago

I have done some testing and have been blocked again (same OS and app version).

I have only been lurking since the last block. The steps I did:

This is the third time I have been blocked. The first two times I got blocked, I wrote a post the same day of the block. Similar to this block, I was asked to delete posts made with Frost.

It seems like the block is triggered by creating posts. I live in the EU if it matters. I have the FB messenger lite app installed.

3drinks commented 5 years ago

That sounds like it's the notifications fetching that's triggering it, actually.

t0ma5 commented 5 years ago

It seems like the block is triggered by creating posts.

I never post on Facebook, never made a post with FROST and yet I have faced this issue (once till now).

visiongaming1 commented 5 years ago

@3drinks it could be but for the last couple of days I have manually refreshed the notification tab without issues.

visiongaming1 commented 5 years ago

well then I do not know the reason.

t0ma5 commented 5 years ago

I think it must be more than just 1 trigger.

riccardocovino commented 5 years ago

Same problem, Italy. Account blocked 3 times in 4 days. No Fb installed on the smartphone, only Frost. I wonder if similar apps (FaceSlim, MaterialFacebook, Faceslim..) have same issue or not

t0ma5 commented 5 years ago

@riccardocovino I just checked latest comments from Play Store for "Friendly" and "Swipe", both facebook wrappers very similar to Frost that I used to use. No comments concerning this issue but "Friendly" users complain about issues with notifications.

LoneFenris commented 5 years ago

@riccardocovino FaceSlim and MaterialFBook don't seem to have issues filed for this. They're also not the most active projects at the moment, either, though.

riccardocovino commented 5 years ago

Thanks @t0ma5 and @LoneFenris, so it seems this happens only with Frost

t0ma5 commented 5 years ago

@riccardocovino Just in case I went to check comments on two more popular (paid) FB wrappers on Google Play: Maki and Simple Pro. Since they are paid wrappers, I assume users report problems more often?

Users from Simple Pro also complain about problems with notifications, same as with Friendly.. They said notifications remain unseen even though they checked them already... maybe a clue about the trigger? @AllanWang

rsonick commented 5 years ago

Happened twice for me in the past 4 days immediately after making a post and then manually refreshing notifications a couple times.

US by the way, so doesn't seem to be a region thing based on other people's comments.

AllanWang commented 5 years ago

@t0ma5 Marking notifications as read is a sub service that I made, and it involves fetching your fb auth id (from your home page) and then making a call with it. Enabling web only mode will disable it though, in case that's the problem.


I will make another build that disables js and css later. At that point the project will pretty much be just a browser

AllanWang commented 5 years ago

@theopensourceguy

I add window flags per injection to ensure that I don't load the same script multiple times. The project is open so anyone can see the flags and just check if they exist
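The following is an added illustration, not Frost's code and not anything Facebook is known to run, of why a per-injection window flag is visible to the page's own scripts. It shows the guard pattern described above (set a flag on the window so a script is not loaded twice) next to two checks a site operator's script could run: one that looks for a known prefix, and one that diffs the set of globals against a baseline and so does not depend on the prefix at all. The `_frost_` prefix is the one named elsewhere in this thread; the flag names, the stand-in `win` object and the helper names are constructed for the example.

```javascript
// Added example (not Frost's code): a guard flag on the window object is a
// plain global, so any script running in the same page can observe it.

// Assumed prefix, as named in this thread; the injector's real names may differ.
const FLAG_PREFIX = "_frost_";

// Injector side: run `script` once per window. The flag records that the
// script already ran so a repeated injection is a no-op. Returns whether it ran.
function injectOnce(win, name, script, prefix = FLAG_PREFIX) {
  const flag = prefix + name;
  if (win[flag]) return false;
  win[flag] = true;
  script(win);
  return true;
}

// Page side, check 1: enumerate globals and report any that carry a known prefix.
function findInjectedFlags(win, prefix = FLAG_PREFIX) {
  return Object.keys(win)
    .filter((key) => key.startsWith(prefix))
    .sort();
}

// Page side, check 2: compare the globals present now against a baseline taken
// before any third-party code ran. Renaming the prefix does not hide from this.
function diffGlobals(baselineKeys, win) {
  const base = new Set(baselineKeys);
  return Object.keys(win)
    .filter((key) => !base.has(key))
    .sort();
}

// Constructed stand-in for a browser window so the example runs under Node.
function demo() {
  const win = { document: {}, location: {} };
  const baseline = Object.keys(win); // what the page would snapshot at load
  const ran = [];

  const first = injectOnce(win, "header_badge", (w) => {
    w.headerBadgeHidden = true; // the injected script's own side effect
    ran.push("header_badge");
  });
  const second = injectOnce(win, "header_badge", () => ran.push("header_badge"));
  injectOnce(win, "notif_fetch", () => ran.push("notif_fetch"));

  return {
    first, // true: first injection ran
    second, // false: guard flag stopped the repeat
    runCount: ran.length, // 2 distinct scripts ran
    flags: findInjectedFlags(win), // prefix-based check
    newGlobals: diffGlobals(baseline, win), // baseline-diff check
  };
}

console.log(demo());
```

The second check is the reason a prefix rename on its own only changes which string a page script would look for: any new global, flag or side effect alike, shows up in a diff against the load-time baseline.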

diaasami commented 5 years ago

Facing the issue, got my account blocked 4-5 times so far. In Europe as well, problem started happening about a 3-4 weeks ago. I use only feed and notifications, rarely posting, occasionally commenting. Haven't tried the special build.

jayiduhn commented 5 years ago

Happened to me a about 3-4 times in the past 2 weeks. I'm in Australia.

deanaba commented 5 years ago

I am having the issue as well. I initially thought it might be because I had two accounts configured, so I stopped logging into one of the accounts via Frost, but it just made me change my primary account pw again. It seems to make me change passwords roughly twice per week. Been happening not quite about a month now.

nwrkbiz commented 5 years ago

I tried really hard to find a reproducible way for this issue, but it seemingly happens randomly.

My guess is they are using some kind of AI to detect anomalies based on multiple factors. When a ban happens, there is always the possibility to report back that they made a mistake. Let's use this feedback option, maybe it helps 🤷‍♂️

Babwin commented 5 years ago

OK, I no longer have the issue with version v2512. With the web only option... Don't know if that statement help, what do you need us to do now.

shernandezsantana commented 5 years ago

I also have the same issue

deanaba commented 5 years ago

I just saw Allan's questions to the community: I am currently on Android 9, but this started last month when I was still on Android 6. I switch user agents only in so much as I switch devices. There are several mobile and desktops I switch between (home, work, etc). My primary is my Android 9 device (security patched up to July '19), every Google service that can be turned off has been disabled (no Chrome, no Google Assistant, no Maps, or Play Services etc.). I am in USA, Northeast. I do check notifications manually if they are present. I post once every couple of days, like and comment daily. Thinking about my usage, I want to believe I'm getting flagged because I switch devices so frequently. What's strange is (like everyone else) the blocks are not occurring consistently. I can jump all over the place for several days, and nothing. Then post, refresh the timeline a few minutes later on the same device, same session (no log out/in, or even killing the app process) and then I get locked out. After the 3rd or 4th time this happened a couple of weeks ago, I did reach out to FB support and did so again before I started commenting here. I've not received a response yet. (BTW, Allan, whether this issue can be resolved or not, Frost is a great app, thank you for all your hard work on it!)

MarcKe commented 5 years ago

I've been using v2512 with web only and so far the problem has not occurred again. Let's see.

theopensourceguy commented 5 years ago

@AllanWang I've done some digging in the "JS injection detection"-direction. First thing I did was to change the prefix of the tag that gets injected into the window DOM from "_frost_" to literally anything else ("_notfacebook_") and it seems to work. With my standard usage pattern (even intensified for testing), I have not been locked out again for the last 36h. In the meantime I've also devised a slightly more sophisticated obfuscation mechanism (though it's still not very elegant, I think), for which I'll create a PR shortly (edit: #1512)

As I'm relatively new to the source code it's hard for me to tell: does the web-only toggle also disable the JS injections? If it does, my theory would align with the 2512 build working for others. I believe this option may actually be worth exploring.

AllanWang commented 5 years ago

@adolfintel do you want to try that build from source to see if that works?

For those affected, maybe you can have a look at touch.facebook.com's source js and look for the word frost. I'd be pretty surprised if they just banned me specifically, since I'm not even on the play store.

adolfintel commented 5 years ago

I will try it right away. If facebook is detecting frost specifically, they are some serious assholes.

3drinks commented 5 years ago

@adolfintel I wouldn't be entirely surprised - we're taking away their revenue stream (targeted ads), and getting around a lot of their other crap.

adolfintel commented 5 years ago

If that's the case, we need to obfuscate the crap out of the JS and CSS that we inject. We need to make denuvo look like a joke. Let's see them deal with that :laughing:

t0ma5 commented 5 years ago

@adolfintel there are many wrappers in the Play Store that block ads too. Why would they target Frost particularly?

adolfintel commented 5 years ago

I don't know, maybe it's the most popular one, or at least it's the best one, the others are little more than WebView wrappers. And who knows, maybe they targeted the others too.

AllanWang commented 5 years ago

I can tell you now that Frost is definitely not the most popular. Before I got taken down, I had over 100k installs on the play store. I sort of doubt the installation count for Frost now is more than 30k from F-Droid. Github releases have a couple thousand per release at best

adolfintel commented 5 years ago

What excuse did google use to take it down? Also, how do you keep track of F-Droid installs?

t0ma5 commented 5 years ago

There are some fine wrappers on the play store, I have tried them all (best ones are paid of course, I don't want to advertise names here).. they also block ads, why google didn't ban them too? I stick to FROST cause it's open source :)

abhishekabhi789 commented 5 years ago

In the fb active sessions, frost is seen as a session from windows PC, so if you adopt some codes from Mozilla/lite , will they able to distinguish b/w frost and mozilla?

adolfintel commented 5 years ago

@abhishekabhi789 actually Frost appears as Chrome from Android

AllanWang commented 5 years ago

@abhishekabhi789 @adolfintel I think it depends on the backing webview. Desktop user agent is used for pages like messages that would otherwise be disabled on mobile. The latest test build is desktop only so that may be why. Typically, it's your original user agent so you don't confuse it