Knowing lawyers, I wouldn't put much stock in an email sent to this list as being considered evidence that Meta was informed.
Another idea is opening a civil suit against Meta, including the details of your claim in the complaint, and having the complaint "served" to their chief counsel (by name). This would best be done with the help of a lawyer. The complaint would also be filed in a court and probably become public information.
Disclaimer: I am not a lawyer and this is not legal advice.
On Tue, Apr 23, 2024, 7:55 PM Phillip Hallam-Baker <phill@xxxxxxxxxxxxxxx> wrote:
I am posting here because I know that this channel is monitored by counsel for the EU and by Facebook legal.
I have in the past three days been presented with three paid adverts on Facebook which either attempt to inject malware into the user's computer or direct the user to call a hotline where they will be cheated out of their money.
Both are of course serious safety issues. Safety issues that Facebook management is clearly intent on making sure are not reported to it. Having been a C-suite report for my entire career, I am very familiar with this approach to liability management. The notion being that making it impossible to report bad things happening will avoid liability claims.
If that was the intent, it has failed, I am sure that this notice will be considered sufficient notice to render any such defense inoperable.
There is a mechanism for reporting adverts but it makes sure that I cannot give the reason for making the report. Of the 12 options given, none cover the 'attack the user's computer'. It is not possible to give explanation for the report either. All reports are summarily dismissed with the option of an appeal which is also ignored.
How can the reviewer possibly consider a report in good faith without the ability to state what the actual problem is?
Each of the attacks consists of a Web page that issues a JavaScript instruction to place the browser in full screen mode. This instruction appears to be repeated so as to prevent the user cancelling it. This is a safety issue that Microsoft and Google should take notice of - untrusted sites should not be allowed to put the browser into full screen mode. As with access to the microphone, camera and audio output, that should be a privileged operation that is only allowed with explicit user permission.
I know that when my Web browser warns me my computer is compromised, the warning is coming from the attacker but many people don't.
Of course, attacks of this sort are a little difficult to detect because they work probabilistically with only some of the users receiving the attack page and only if they are visiting from a known residential IP address. Which is why it is so important to accept user reports and why accepting advertisements from anyone whose credit card number clears without having the slightest idea who they are is bad practice.
It does seem rather odd that we spend so much time obsessing about the most obscure and implausible cryptographic attacks yet the attacks that are happening every single day and have real impact on user safety are not just ignored, they are intentionally ignored.
Seems to me that we spend far too much time here working to optimize corporate profits and rather too little worrying about the safety of the five billion people we have sold this brave new world of ours to.