"My friend is into crypto sh$t and he messaged me saying to check out his story (already weird but whatever) and he posted that this lady turned his $500 into $8500. It was a legit video of him speaking, walking down the street. Anyway I messaged the chick and she told me to download this app and I signed up and it made me scan my ID and my face which I thought was wack again but trusted my buddy… So I ended up sending this chick $200 in bitcoin like a f%c^in idiot, but then she's trying to say I need to send another $300 to be able to actually ‘process’ and I was like uhhhh nope? Now ‘she’ is trying to get me to do some two-factor authentication confirmation code shit to ‘get my payout’. What I think is going on is they got into my friend's account and made a deepfake from the face scan and started DMing other people."
It’s generally not a good idea to clearly “wink wink” indicate how to abuse an endpoint, since that abuse can be easily interpreted under various criminal laws as malicious and worthy of prosecution. You could protect yourself against such accusations with more neutral language, starting with rewording the “litter” sentence.
This title provided by the OP is intentionally misleading and taken from a quote by Roger McNamee.
There are other platforms out there (LiveLeak and WorldStarHipHop, for example) where it takes a minute or less to reach extreme content. If Facebook really desired what the OP suggested, assumed by Roger McNamee to push ad revenue through engagement, then that's exactly the first video one would see when logging in to Facebook. The first video I see is always some shallow inspirational video by an "influencer" or a BuzzFeed video on cooking.
Dang, I'd rather the original title at least be used, so that anyone reading the article can reach their own conclusion and then bring whatever fire and brimstone need be.
I mean it makes sense. If he can get account access or remote execution, that's a lot of money. Unless the hacker is already pretty well off and doesn't need it, it's probably not worth the publicity stunt.
The nuance of what a "3rd party entity" vs. a "3rd party app" represents in Facebook is really what's at hand here. Anyone who has spent time in the Facebook developer platform knows this.
NYT's watered-down article for the lowest common denominator and maximum clicks (imo) vs. Facebook's way-too-technical explanation for maximum PR defense. None of this is going to help US/EU/world lawmakers understand the permission scope that was set in the Graph API for hardware vendors.
It will take anyone with an HTTP listener (Charles, Burp, Cycript, whatever your choice) 5 minutes to see where and how the access token was used.
If only we were discussing the data and HTTP requests and not the way reporters and PR play with words to fit their agendas.
You have to set up any of those apps and use the provided proxy in your browser. Now, when you visit some site, you can take a look at which site is using the token saved by FB on your last visit. That is the gist of it.
for (;;);{"__ar":1,"payload":{"video_id":"11111111111111","start_offset":0,"end_offset":353662,"skip_upload":false},"bootloadable":{},"ixData":{},"gkxData":{},"lid":"1"}
The video 11111111111111 is now in an "unpublished" state.
"unpublished" here meaning it's uploaded to Facebook but not linked to a post yet.
You can verify this by taking that ID and doing the following
Your options now are to either discard the post or publish with a privacy setting which will make the link above available.
(Notice I didn't say discard the video; the video is still in an unpublished state.)
Now for the archive.
You can verify by going to view-source:fb.com/me in a browser
Search for the string "access_token" there will be a long string appended. (e.g. access_token:"EAAAAU...)
With that token go to your archive and roll over one of the links in the video section that has an issue and doesn't appear in the activity log.
That shows an unpublished video for me; it wouldn't show in your activity log (that's the only part of the story I can agree with and confirm with what I have available).
The next part would be to verify that the video is deleted from the archive. Since Facebook is still giving me the first download zip, I guess I'll have to wait a while (it's 1 am here so I'm heading to bed) until it resets so I can make it build a new archive and confirm the hunch.
This is just my guess, I'm NOT discounting what the Facebook user encountered. I'm just providing a possible background to how it can happen as well as a solution to deleting the "deleted" video. There is also the chance I might be wrong...
References to confirm for yourself.
developers.facebook.com/docs/graph-api/reference/video
Disclosure: I don't work for Facebook, however, I do play with their API a bit.
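The two checks in the comment above, pulling the video_id out of the `for (;;);`-prefixed upload response and using the `access_token` from page source to ask the Graph API whether the video is still unpublished, can be scripted. The block below is an added example, not code from the commenter or from Facebook. The page-source fragment, the token value and the upload response are constructed samples; `published` and `permalink_url` are fields from the Video node docs linked above, but whether `published` is returned for every token and video type is an assumption, as is the unversioned Graph path.

```python
import json
import re
import urllib.request
from urllib.parse import urlencode

# Facebook prefixes JSON bodies from its web (www) endpoints with this string to
# defeat JSON hijacking; it must be stripped before json.loads(). Graph API
# responses carry no prefix.
FB_JSON_PREFIX = "for (;;);"

# Assumption: unversioned Graph path. A real script should pin a version (e.g. /v19.0/).
GRAPH_BASE = "https://graph.facebook.com"

# Constructed sample, modelled on the upload response quoted in the comment (placeholder video_id).
SAMPLE_UPLOAD_RESPONSE = (
    'for (;;);{"__ar":1,"payload":{"video_id":"11111111111111","start_offset":0,'
    '"end_offset":353662,"skip_upload":false},"bootloadable":{},"ixData":{},'
    '"gkxData":{},"lid":"1"}'
)

# Constructed sample shaped like view-source:fb.com/me around the token. The token is fake.
SAMPLE_PAGE_SOURCE = (
    '<script>require("ServerJS").handle({"define":[]});'
    'foo:{access_token:"EAAAAUaZA8jlABO1fakeTOKENvalue0123456789",other:"x"}'
    '</script>'
)


def parse_fb_json(body: str) -> dict:
    """Parse a Facebook JSON body, stripping the anti-hijacking prefix if present."""
    if body.startswith(FB_JSON_PREFIX):
        body = body[len(FB_JSON_PREFIX):]
    return json.loads(body)


def upload_video_id(body: str) -> str:
    """Return the video_id from an upload-start response; raise if the shape is wrong."""
    data = parse_fb_json(body)
    if data.get("__ar") != 1 or "payload" not in data:
        raise ValueError("unexpected response shape: %r" % list(data))
    payload = data["payload"]
    if "video_id" not in payload:
        raise ValueError("no video_id in payload")
    return str(payload["video_id"])


def extract_access_token(page_source: str) -> str:
    """Pull the access_token:"..." value out of page source.

    Assumption: the token is a run of letters and digits, like the EAAAAU... example.
    """
    m = re.search(r'access_token:"([A-Za-z0-9]+)"', page_source)
    if m is None:
        raise ValueError("no access_token found in page source")
    return m.group(1)


def video_node_url(video_id: str, token: str,
                   fields=("id", "published", "permalink_url")) -> str:
    """Build the Graph API URL for /{video-id} with the requested fields."""
    query = urlencode({"fields": ",".join(fields), "access_token": token})
    return "%s/%s?%s" % (GRAPH_BASE, video_id, query)


def _http_get(url: str) -> str:
    """Plain GET, UTF-8 decoded. Only used when no fetcher is injected."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        return resp.read().decode("utf-8")


def video_is_unpublished(video_id: str, token: str, fetch=_http_get) -> bool:
    """Query the video node and return True if Graph reports it as not published.

    `fetch` is injectable so the flow can be exercised offline with a canned body.
    """
    data = parse_fb_json(fetch(video_node_url(video_id, token)))
    if "error" in data:
        # e.g. expired token, or a video this token cannot see
        raise RuntimeError("Graph API error: %s" % data["error"].get("message", data["error"]))
    if "published" not in data:
        raise RuntimeError("response has no 'published' field: %r" % list(data))
    return data["published"] is False


if __name__ == "__main__":
    vid = upload_video_id(SAMPLE_UPLOAD_RESPONSE)
    tok = extract_access_token(SAMPLE_PAGE_SOURCE)
    print("video_id:", vid)
    print("token prefix:", tok[:6] + "...")
    print("check URL:", video_node_url(vid, tok))
    # With a real video_id and token, uncomment to hit Graph for real:
    # print("unpublished:", video_is_unpublished(vid, tok))
```

Treat the token as a credential: it is a user token for your own account, so do not paste it into a shared proxy project or a bug report. Cleaning up a lingering unpublished video still means going back through the upload/compose flow, as the comment says; this script only confirms the state.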
Before this reaches the level of rehashing the old "sell it on the black market", I would like to clarify an issue here.
The policy change that occurred for Sean (the person the OP is using for his argument) was that Uber had clarified a change without any clear notification. I blame the HackerOne platform here: there is no way to send a notice of scope unless the program owner manually appends it at the top (in the case of Yahoo, https://hackerone.com/yahoo).
From that article: "Paper is the first product from Facebook Creative Labs, where we’re crafting new apps to support the diverse ways people want to connect and share." -> Puts things a bit in perspective for me.
Essentially it's social engineering via a face-scan app.
You can see an example of a possible scammer here https://www.instagram.com/sashana_walter/