Block LOC extension

[fmarier]

https://chrome.google.com/webstore/detail/loc/eojdckfcadamkapabechhbnkleligand

If a user is already logged into Facebook, installing this extension will automatically grant a third-party server access to some of the user's Facebook data. The API used by the extension does not cause Facebook to show a permission prompt to the user before the application's access token is issued.

Details

There is a notice when installing the extension that it will have read & write access to FB and another site:

After that, it makes a network call to https://business.facebook.com/creatorstudio/home and ends up creating a new access token without any user interaction:

that's despite the fact that user tokens are supposed to require an app to ask for permission:

User Access Token: This kind of access token is needed any time the app calls an API to read, modify or write a specific person's Facebook data on their behalf. User access tokens are generally obtained via a login dialog and require a person to permit your app to obtain one.

Interestingly, I can't see that access token anywhere in my account:

Also, the post-install URL that the extension opens explicitly tells users that their Facebook account might get suspended as a result of installing this extension:

[fmarier]

Adding this extension to the blacklist section of extension-whitelist prevents new installations:

and shows a message about already-installed ones:

but it's not clear that existing installations are actually disabled:

[fmarier]

Blocked as of Brave Local Data Updater - Version: 1.0.68.

[fmarier]

Announcement up at https://community.brave.com/t/notice-brave-now-blocking-l-o-c-web-extension/340596.

[locmai0808]

Hello @fmarier.

I'm the creator of the extension. I would like to verify how my extension would "generate" the access token.
As long as you are logged in on Facebook, if you go to view-source:https://business.facebook.com/creatorstudio/home on your browser, you should be able to use regex and search for accessToken inside there.

Based on my report and Facebook's response, it's a "feature" from Facebook and not a bug, so the Access Token from that page is not a bug.

The extension does not collect user's data unless user becomes a Premium user, and the only thing it collects is UID.

[fmarier]

Thanks for reaching out @locmai0808 .

If I understand correctly, you're saying that this Facebook Creators Studio has its own access key that's not visible in a user's settings. The extension then extracts this key from the HTML and then uses it to access the various Facebook APIs it needs. Is that correct?

The extension does not collect user's data unless user becomes a Premium user, and the only thing it collects is UID.

When you say UID, is that the Facebook numerical user ID?
Does the extension keep the access token locally on the machine or is it ever sent to another server?

[fmarier]

Based on my report and Facebook's response, it's a "feature" from Facebook and not a bug

Are you able to share this report and Facebook's response? If you prefer not to do it publicly, feel free to email it to me: francois@brave.com

[locmai0808]

@fmarier

If I understand correctly, you're saying that this Facebook Creators Studio has its own access key that's not visible in a user's settings. The extension then extracts this key from the HTML and then uses it to access the various Facebook APIs it needs. Is that correct?

Yes this is correct, the access token is within the HTML of that page. Any Facebook user can really just go to view-source:https://business.facebook.com/creatorstudio/home and view the access token in there.

Each Facebook user is assigned with a UID, for example Mark has UID of 4 (fb.com/4)
The extension keeps the access token locally in their browser, and to be excactly, it's stored under localStorage.touch
The extension does NOT send/collect user's Access token to anywhere, everything runs locally.
The extension will collect user UID, and compare with my database to see if the user is a Premium user or not, and thus can allow access to some Premium features.

I will forward to you my bug report emails - the only copies I have left since I'm banned on Facebook platform forever.