Facebook claims Frost is phishing and blocks FB account #1504
Comments
Can confirm. Both me and my friends got our accounts blocked with the same message. |
There might be some correlation, but unfortunately there is no way for me to verify, as it hasn't happened to me yet and reports are still low (under 5 people out of thousands). It could be that Facebook has other checks around the world as well. Do you mind also posting a screenshot of the phishing message? I've never seen that one specifically, but I can look into it. Most of Frost is just a web browser. If you want to experiment, disable notifications and don't use the notification panel (native) for now. Notifications will use your cookie to fetch a web page, which isn't abnormal. Using the notification panel will attempt to mark it as read, which is a bit more work. I'm not convinced that user agent has much to do with phishing, and if it did we should all be having problems. It is a goal to make it customizable in the future though (#1357). Do you also see any consistent behaviour as to when you get the message? Is it right at login, or when you look at a newsfeed, etc.? |
@AllanWang I got the same message as adolfintel. First time my account got locked while logging in at the desktop browser. I fear that at some point they will close or ban my account. Well not that I think that the user agent makes FB think Frost is a phishing app. I was thinking that if it was possible to make the app look like a regular browser they will not notice that I am not using the default app. I will try to change the user agent when it is possible. |
I don't see how user agent relates to phishing though, given that Frost uses a valid user agent from a real device. I'd say just lay off of Frost for now. If you are getting locked even with your browser, perhaps you are actually getting phished. |
I'm more under the belief that suspicious activity could involve services to mark your notifications as read, or fetching notifications in general. In that case you should turn those off and try out just the feed for a while. I will consider adding a toggle to disable those features in the future |
Then it will prob not be any help. Thanks for the advice I will try to figure out if I am getting phished but I doubt it. I only log in at the browser and Frost. |
This has happened to me as well in the last couple weeks. I use Frost on my s9 and my tab s3 and desktop browser. |
I made an account specifically to comment on this issue. I've also had to change my password and verify my account twice since updating to the latest version of Frost last month. Folks over at XDA are also commenting on this same issue here near the bottom of this page: https://forum.xda-developers.com/android/apps-games/app-frost-facebook-t3685896/page78 I think this can be considered a verified issue... Unfortunately I can't use Frost until a fix is in place. Someone over at XDA suggested to download the official Facebook app then use Frost but I'd rather not since the official app has way too many permissions. I only use Facebook on my desktop and through the Frost app. I also added my device as trusted. This fixes the problem for about 3 weeks before Facebook locks your account again. Specifically, I got this notification here when logging in that said: "Our system found that your Facebook password might match one stolen from another site. Don't worry - you can keep your account secure by changing your password now". I have login notifications sent to me as well and all have been verified as me. |
Yeah XDA email notifications rarely work for me so I didn't see those comments. I guess Facebook did something recently. I can attempt to push fixes here and there, but as I have no idea what the cause is, I can't guarantee it will work. I could try stripping away features to see what causes it. Removing a fixed user agent for instance would mean that you can't view messages. |
To give more info, I was using v2.2.4 for a while and this issue was not present. I updated to v2.3.1 roughly a month ago when this started happening. Facebook may have updated their security too which may be causing this, but it's odd since I specifically added my device through Frost as an authorized login. Thank you by the way for all the work you have been doing to the app. Frost is the only app I found that allows you to use messaging and other great features without the official permission intrusive messenger app. |
If you'd like, you can revert back, though I don't think the changes between 2.2.4 and 2.3.1 would affect Frost to this degree. Most of them were internal, and I haven't had any major changes with how I interact with Facebook for a while |
I came here to say the same thing and to my surprise I see it's a bigger issue than I thought. I'm still using the version from the github and thought maybe that was it as the F-Droid version never did this. But seeing this many people, I'm positive now that it's related to FB increasing security - much the same way as Twitter is overly protective of their API. |
I'll be making a new build soon to restrict most of the features for people to try out |
I wonder if the issue could be caused by the fact that Frost injects JS and CSS into the page. Is that even possible to detect? |
You can detect it, but if that is the problem then most of the third party apps won't work |
For those in this thread, try out #1505 and enable web only mode (settings > behaviour). Feel free to comment here or in that PR |
I think Facebook somehow detects that Frost is not a web browser, because every time this happens to me they ask me to revert my last Facebook interactions. It seems like their system thinks we are bots. |
I use Frost daily and haven't had my account locked yet, although using Facebook for me means mostly lurking, leaving a comment or post very infrequently, and sometimes sending direct messages. However, someone in my family who uses Facebook much more in Frost has had their account locked three or four times so far. I'm guessing interacting with Facebook through Frost has something to do with this security trigger? |
Can those who are getting blocked elaborate on their usage? Potential candidates are:
I tend to lurk in general as well, which is why I don't think parsing is the problem. I use messenger so I don't have user agent switches, and I don't often click on notifications. If enabling web mode in the latest build still doesn't fix the issue, then perhaps it is due to user agent switches |
I do check messages once or twice a day
I have notifications disabled so probably not
I have notifications disabled, and rarely check the menu item. I also tend to just lurk for a few minutes every day, looking at meme pages and replying to messages from people too stubborn to install telegram. I think you might be on the right track about that user agent switching thing, if the same cookie is used with 2 different user agents, that could be very suspicious indeed. |
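The hypothesis in the comments above (one session cookie presented with two different user agents) can be written down as a server-side check. This is an added example, not part of the thread and not Facebook's known logic; the log format, session ids and `max_switches` threshold are assumptions, and the sample requests are constructed.

```python
import re
from collections import defaultdict

# Constructed request log: (timestamp, session cookie id, User-Agent). Not real traffic.
REQUESTS = [
    (1, "sess-A", "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 "
                  "Chrome/74.0 Mobile Safari/537.36"),
    (2, "sess-A", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "Chrome/74.0 Safari/537.36"),
    (3, "sess-A", "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 "
                  "Chrome/74.0 Mobile Safari/537.36"),
    (4, "sess-B", "Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0"),
    (5, "sess-B", "Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0"),
    (6, "sess-C", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "Chrome/74.0 Safari/537.36"),
]


def ua_class(user_agent):
    """Reduce a User-Agent to (platform, form factor), ignoring version numbers,
    so that an ordinary browser update does not count as a change."""
    match = re.search(r"\(([^;)]+)", user_agent)
    platform = match.group(1).split()[0] if match else "unknown"
    form = "mobile" if "Mobile" in user_agent else "desktop"
    return platform, form


def flag_sessions(requests, max_switches=0):
    """Return {session: switch_count} for sessions whose UA class changes
    more than max_switches times while the same cookie is in use."""
    last_seen = {}
    switches = defaultdict(int)
    for _, session, user_agent in sorted(requests):
        current = ua_class(user_agent)
        if session in last_seen and last_seen[session] != current:
            switches[session] += 1
        last_seen[session] = current
    return {s: n for s, n in switches.items() if n > max_switches}


if __name__ == "__main__":
    # sess-A alternates between a mobile and a Windows desktop identity.
    print(flag_sessions(REQUESTS))
```

Only `sess-A` is flagged: `sess-B` changes Firefox version but stays in the same platform class, which is why the check compares classes rather than raw strings.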
@UNlDAN were you already logged in when you installed 2.3.2? |
No, uninstalled 2.3.1 then installed 2.3.2. Logged in, bam. 2.3.1 did not encounter the issue |
@UNlDAN This means you got locked out while logged in with 2.3.1. You won't notice being locked until you try to post something or log in afterwards. |
@UNlDAN Yeah sounds like it. Safest way is to clear your saved devices from facebook, then try again. There shouldn't be anything in 2.3.2 that makes it more prone to bans than 2.3.1 |
I confirm issue here, and I'm running out of passwords :) |
@SeanyMCP which version? This problem should be addressed in 2.3.2 |
In that case if the targeting to specific app is true... Try enter I expected the |
|
I'm using the 2.3.2 release and still got my account locked after 3~4 days. Wasn't using any previous version before as I needed to format my phone for other reasons. |
@N1vBruno I take it that even though it wasn't installed, you've used Frost previously? Can you make sure to remove your old saved devices before trying again? |
FWIW, using the most recent version straight from Github, and I just got the lock out again. |
@AllanWang I was locked about two weeks ago, but I didn't relate it to Frost at the time. After this lock today it doesn't show any devices logged in besides my browser, so I presume it automatically logs out any devices connected, and I'm not sure if I logged back in the old Frost release after the first lock. But I'm talking about the "Where You're Logged In" list, I never save any devices in my account. |
@N1vBruno - only devices on my FB is my PC (firefox, Solus distro), and my mobile (s8+, Frost, which is read as "Chrome on Windows" as expected). |
Actually, in my case the new version 2.3.2 with the setting web only from the development options works like a charm. Not a problem, whatsoever. But I right away activated web only, after login. |
Since the release I've been using 2.3.2 WITHOUT web only enabled.. no problems since now. |
F-Droid is current now if anyone was waiting to update. |
Hi, I have not used Frost for a few days. Then installed 2.3.2 from github and this morning had quite a discussion on FB. I used mobile for the first comment and then web for the rest of the comments. This evening I find my account suspended due to strange activities. I did get a login alert by email when I logged in to the web version because of the combination browser and another source IP. I did review the login from Frost and acknowledged it. If you have any questions, let me know. |
Frak! All was good for a week then Bam! It’s likely that your account was compromised as a result of entering your password on a website designed to look like Facebook. This type of attack is known as phishing. Learn more in the Help Center. Over the next few steps we’ll walk you through a security check to help secure your account, and let you log back in. |
me too, used 2.3.2 with notifications without issues only for week, I was banned 2 days ago, so returned to Frost Testing webonly. |
Only resolution now is to keep on web only. It might be a service that is causing the problem for some reason. If more people report this I'll lock this issue and open a new one, since it seems to be a different problem (leading to the same error). 2.3.2 does seem to fix it for at least a portion of the affected users |
I was having problems with the previous version but now I downloaded v2.3.2 and will try to use it WITHOUT web only option enabled. I will report if I get locked again. |
FWIW my girlfriend updated to 2.3.2 and she encountered no issues so far. |
Sadly I just got locked out again as well. I've been using 2.3.2 for about a week. I just toggled web only on to see how that goes. |
Has anyone considered that maybe Facebook is targeting this app? There might be nothing wrong with it. They expend a lot of effort to get people use messenger and this app gives us the ability to read and respond to messages outside of that platform. Messenger is their data collection trap and you can't read messages in the stock Facecrap app without it. |
Move conversation for v2.3.2 to #1522. And as mentioned above, try web only first. Locking as no reports have come out with web only enabled. |
Edit (Allan):
Resolution
Log out of Facebook & remove your device, update to v2.3.2, and log back in
Test build v2519 and Release build v2.3.2 are released with potential fixes
For more information, see the reddit post
For issues post v2.3.1, reply at #1522
Describe the bug
Facebook describes Frost as a phishing app that looks like the real Facebook and tries to steal your account.
Due to this I have to reset my account with a new password and prove it is me. This has happened two times.
I do not use other apps/Facebook services so this must be the app that triggers the Facebook account reset.
Is it possible to trick FB into thinking that the app is a regular mobile browser? Maybe with user agent?
To Reproduce
Steps to reproduce the behaviour:
Happens randomly. Two times within the last 5 days of use.
I have used the app for 6 months without any issues.
Details (please provide at least the app version):