Facebook claims Frost is phishing and blocks FB account

[visiongaming1]

Edit (Allan):

Resolution

Log out of Facebook & remove your device, update to v2.3.2, and log back in

Test build v2519 and Release build v2.3.2 are released with potential fixes

For more information, see the reddit post

For issues post v2.3.1, reply at #1522

---

Describe the bug Facebook describes Frost as an phising app that looks like the real facebook and try to steal your account.

Due to this I have to reset my account with new password and prove it is me. This have happened two times.

I do not use other apps/facebook services so this must be the app who triggers the facebook account reset.

Is it possible to trick FB into thinking that the app is a regular mobile browser? Maybe with user agent?

To Reproduce Steps to reproduce the behaviour: Happens randomly. Two times within the last 5 days of use. I have used the app for 6 months without any issues.

Details (please provide at least the app version):

• App Version: 2.3.1
• Device: Custom rom
• Android Version: Android 8.1

[AllanWang]

@adolfintel Devs aren't allowed to forward traffic to a specific site in a browser app (or something along those lines). Technically all third party Facebook apps violate this.

I can't track F-Droid installs but that is just a guess. I presume that there are far fewer F-Droid users than play store users, but I guess I don't actually know. I feel like Github releases is also an accurate representation since I wasn't on F-Droid in the beginning.

Edit: The specifics are found in this site:

https://play.google.com/about/spam-min-functionality/spam/#!?zippy_activeEl=webviews-affiliate#webviews-affiliate

(changed since the takedown).

to quote:

We don’t allow apps whose primary purpose is to drive affiliate traffic to a website or provide a webview of a website without permission from the website owner or administrator.

[gbakeman]

I'm not sure if it's helpful at this point, but I was just locked for the first time. Using in the United States, and hardly interacting with Facebook. It did ask me to identify a few comments I made through the app. I've been using 2.3.1.

[AllanWang]

@tgp1994 what did you do before it blocked you? And try the test builds from the pr linked to this issue

[gbakeman]

I think the last thing I did was comment on a post, but that may have been a day or so ago. I had just opened the app and next thing I knew, I saw the locked message. I'll start using 2512 and see what happens.

[AllanWang]

I'm starting to think the problem may be less related to user agents, as people use developer options all the time to spoof other devices for testing. It could be related to the js I inject, which is also the main difference between myself and other apps. If you just opened the app, it won't be related to the services like marking notifications as read, and I don't think parsing should be the problem for now either (though it is a candidate).

We can wait and see for 2512, and I will have another one built to add obfuscated tags as mentioned above

[AllanWang]

Added build 2515. Feel free to try that out if 2512 with web only doesn't work. 2512 does seem to fix it for some people already though, but Facebook might be checking things differently per location

[ArjenR]

Hi, I have been using 2512 for the past few days, but just got my account suspended. I think this happend today because I also used FB from Firefox on my desktop. The connection then comes from a different IP. This is also perhaps a cause, that you change Ip's on occasion. Also Frost due to the what the mobile provider changes the IP from where connections come from. I will switch to the latest build and see what happens.

[k-amin07]

+1 same issue here. Got locked out of my account for the third time now.

[osama-h-rana]

Locked out twice in the last week. I only use FB on desktop chrome (windows and mac), and on frost.

[tomasz245]

With 2.3.1 I was locked 3 times but not having issues with 2512 webview only (last 2 days), region EU, using Fb on Firefox, Facebook Lite and Messenger on the same device with notifications on Lineageos microg and a few desktops.

[nwrkbiz]

Ok, I can clearly reproduce the ban, when posting a comment. (The ban does not happen instantly)

[ishmumx]

Just got my account permanently banned. I have..........sources, and they told me Frost is specifically being targetted by them.

[AllanWang]

I don't see how you can Target a comment post though. That's just a webview action and should not be distinguishable from other apps or browsers beyond maybe user agent. But again, the user agent I use is from a real device.

I've also commented on something yesterday and have still not been banned (using 2.3.1)

[t0ma5]

using 2.3.1, banned twice same day after posting comments.

[IstvanKohany]

Well, during last week I've been banned around 15 times, for reasons stated above. Conditions varied, it was after publishing a comment or a post or adding a new friend, happend three times a day or once, totally unpredictable. Switching to Firefox with Facebook Container for now.

[AllanWang]

Okay I just got locked too from posting a comment yesterday. It's strange that web only mode would fix this, so my guess is that it's user agent related, since most people tried v2512

[homelab-00]

Same problem here. Multiple account locks in a very short amount of time while using Frost. Switching to the official facebook app fixed the issue immediately.

[rcmaehl]

Hi @AllanWang

Someone mentioned this issue on Reddit and while I don't currently use the Frost app, I would gladly test any builds you would like me to if you would like a clean user account slate to work off of.

Regards

[adolfintel]

@AllanWang I think @theopensourceguy is on the right track with the obfuscation idea, I haven't been blocked in several days.

[LoneFenris]

Probably nothing, but I do choose not to save the browser when I log in via Frost. Wondering if there's any commonality there.

On Thu, Aug 15, 2019, 8:28 AM Federico Dossena notifications@github.com wrote:

@AllanWang https://github.com/AllanWang I think @theopensourceguy https://github.com/theopensourceguy is on the right track with the obfuscation idea, I haven't been blocked in several days.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/AllanWang/Frost-for-Facebook/issues/1504?email_source=notifications&email_token=AAG3PGHQL33BQ4FKZVRWAV3QEVDV5A5CNFSM4IJXSPV2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD4LVQIY#issuecomment-521623587, or mute the thread https://github.com/notifications/unsubscribe-auth/AAG3PGHVR5YMGPVVEXCY5BDQEVDV5ANCNFSM4IJXSPVQ .

[AllanWang]

Make sure you test anything related to post requests as well. If obfuscation works, you can also try reverting the single user agent. Right now I'm pointing both mobile and desktop user agent to desktop user agent const.

[theopensourceguy]

@adolfintel @AllanWang Well, it seems the obfuscation alone is not the solution. I've been running a build based on 2.3.1 with just the obfuscation patch since Friday and haven't been locked out. Installed the exact same build on my girlfriend's device (same make and model as mine), and she got locked out today. Will inquire about her exact usage of the app. I've mainly been browsing the feed and replying to IMs (no posting, just the occasional comment). Maybe it is an overzealous AI, after all?

I'll continue testing with the build based on the native-toggle branch and report back if I find something new.

[AllanWang]

@theopensourceguy try just changing the user agent for your current build. Make sure both desktop and mobile remain constants that point to the desktop user agent.

[theopensourceguy]

Aaaand now it's happened to me again as well. What's weirdest about it is that I literally did nothing since last opening Frost (around 6 hours ago). I did not get a single notification or message (not just because of the forced logout, there were no new happenings on my account) and I didn't open the app again until 5 minutes ago. So take your guesses, Ladies and Gentlemen, we're back to (or, rather, still at) square one -.- I'm still on my modified 2.3.1 build here, with only the obfuscation patch added.

@AllanWang I will try your suggestion regarding the user agent/s on the weekend, when I have more time. Gonna start testing web-only mode as well and see if it'll happen again.

[TheFirstSkyforum]

Same issue. Seems more likely to happen when facebook site is slow to load. I've changed my password so many times now I've resorted to using profanity Facebook laced terms. Also nearly impossible to get past security screen on mobile. Frustrated.

[gothmog123]

First time in my life, i installed facebook messenger lite :(((

[AllanWang]

I've release v2.3.2 which contains fixes that seem to help most people. In short:

• Problem seems triggered by post requests, like posting a comment
• Problem might surface a day or two after the event, even if there is no other activity in between
• Causes seem to be changing user agent, as well as potentially Frost related tags in js code
• Latest builds are v2519 for test and v2.3.2 for release
• Optionally enable web only to disable pretty much all non js features in Frost.

I'm going to close this in a few days, but feel free to comment here if the update still doesn't work. This also means that testing the older test releases is no longer necessary

[fitittome]

v2.3.2 is looking good, I can't break it. I'm using it with Bromite Webview.

[AllanWang]

Okay. I think the problem is fixed then. Most of the findings are in the comment above, and I'll be looking through some of Facebook's code to see if js tags are actually relevant. Until then, I don't think Frost has been specifically targeted. I may have just been the only person to selectively change the user agent to enable more features

[riccardocovino]

Good work! Just one question: is it normal that f-droid repo is not updated?

[adolfintel]

@riccardocovino It's normal, it always takes a few days before updates are pushed through F-Droid

[AllanWang]

Build is currently failing and I don't know why. After that, it takes the few days to update

https://gitlab.com/fdroid/fdroiddata/merge_requests/5264

[TheFirstSkyforum]

I deleted the old version then installed the new one. It wouldn't install over the old one.

[riccardocovino]

Same for me, I downloaded the apk from github but install failed. That's why I looked for it on f-droid. Anyway, removed the old one and now it works.. but I chsnged so many times the fb account pwd that I do not remember the last one :D

Il dom 18 ago 2019, 09:01 TheFirstSkyforum notifications@github.com ha scritto:

I deleted the old version then installed the new one. It wouldn't install over the old one.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/AllanWang/Frost-for-Facebook/issues/1504?email_source=notifications&email_token=ALZ3VIFBUHLV6JE7TX6OVZDQFDXT3A5CNFSM4IJXSPV2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD4QZ4HI#issuecomment-522296861, or mute the thread https://github.com/notifications/unsubscribe-auth/ALZ3VIHUAFUFHMNHBUXZEW3QFDXT3ANCNFSM4IJXSPVQ .

[AllanWang]

F-Droid and Github builds have the same package name but different signatures, so you must use one or the other. If you prefer to stay on F-Droid and want to install a temp one, you can always install the associated test build, which has a different build. F-Droid and Github have the same package because they are essentially the same, and you should only have one at a time to avoid confusion

[ishmumx]

Locked out again on 2.3.2

[adolfintel]

@UNlDAN were you already logged in when you installed 2.3.2?

[ishmumx]

No, uninstalled 2.3.1 then installed 2.3.2

Logged in, bam

2.3.1 did not encounter the issue

[dos1]

@UNlDAN This means you got locked out while logged in with 2.3.1. You won't notice being locked until you try to post something or log in afterwards.

[AllanWang]

@UNlDAN Yeah sounds like it. Safest way is to clear your saved devices from facebook, then try again. There shouldn't be anything in 2.3.2 that makes it more prone to bans than 2.3.1

[SeanyMCP]

I confirm issue here, and I'm running out of passwords :)

[AllanWang]

@SeanyMCP which version. This problem should be addressed in 2.3.2

[kowith337]

In that case if the targeting to specific app is true...

Try enter https://m.facebook.com/diagnostics and see what data in header will be sent to...

I expected the x-requested-with are expose the app nane, some webview browser like Lightning can give a choice for users to remove it, while Privacy Browser will remove it from the beginning...

[SeanyMCP]

@SeanyMCP which version. This problem should be addressed in 2.3.2 @AllanWang I am using 2.3.1 I will wait til the next version arrives on f-droid

[brunolpsousa]

I'm using the 2.3.2 release and still got my account locked after 3~4 days. Wasn't using any previously version before as I needed to format my phone for other reasons.

[AllanWang]

@N1vBruno I take it that even though it wasn't installed, you've used Frost previously? Can you make sure to remove your old saved devices before trying again?

[3drinks]

FWIW, using the most recent version straight from Github, and I just got the lock out again.

[brunolpsousa]

@AllanWang I was locked about two weeks ago, but I didn't related it to Frost at the time. After this lock today it doesn't show any devices logged in besides my browser, so I presume it automatically logs out any devices connected, and I'm not sure if I logged back in the old Frost release after the first lock. But I'm talking about the "Where You're Logged In" list, I never save any devices in my account. @3drinks Did you have done what @AllanWang suggested above and removed any old devices from your account before login in Frost 2.3.2? If not I may try Frost again later.

[3drinks]

@N1vBruno - only devices on my FB is my PC (firefox, Solus distro), and my mobile (s8+, Frost, which is read as "Chrome on Windows" as expected).

[shernandezsantana]

Actually, in my case the new version 2.3.2 with the setting web only from the development options works like a charm. Not a problem, whatsoever. But I right away activated web only, after login.