Holy shit this is detailed.

Reply to Holy shit this is detailed. on Thu, 02 Apr 2026 21:59:43 GMT

paco@infosec.exchange — Thu, 02 Apr 2026 21:59:43 GMT

@YurkshireLad no. Nearly any mobile app can do this and more.

Reply to Holy shit this is detailed. on Thu, 02 Apr 2026 21:59:11 GMT

paco@infosec.exchange — Thu, 02 Apr 2026 21:59:11 GMT

@energisch_ I’m not a lawyer or European. But that blog makes a very strong argument that you’re right: it sure seems illegal by EU law.

Reply to Holy shit this is detailed. on Thu, 02 Apr 2026 21:47:29 GMT

energisch_@troet.cafe — Thu, 02 Apr 2026 21:47:29 GMT

@paco But this cannot be legal in Europe/EU!

Reply to Holy shit this is detailed. on Thu, 02 Apr 2026 21:43:17 GMT

yurkshirelad@mastodon.social — Thu, 02 Apr 2026 21:43:17 GMT

@paco I bet they’re not the only ones that scan your extensions.

Reply to Holy shit this is detailed. on Thu, 02 Apr 2026 21:29:42 GMT

joriki@infosec.exchange — Thu, 02 Apr 2026 21:29:42 GMT

@paco

for anyone who'd like a sense of their more common fingerprint, see here:

https://amiunique.org/

I wish this site had 4B entries and not 4M ...

Reply to Holy shit this is detailed. on Thu, 02 Apr 2026 21:17:23 GMT

paco@infosec.exchange — Thu, 02 Apr 2026 21:17:23 GMT

@kitkat_blue Years ago I was working for a retailer in the UK who had only recently built their first mobile app on iOS. Like most apps of that era, it was little more than a webview and it didn't need much permisisons.

Like most developers, they had incorporated some analytics package that was reporting on users' interaction with the app. I'm fairly sure it was a binary library that they linked into their app. I don't think they got source code. I might be wrong.

I could see the telemetry going up in the analytics API calls. Which buttons, which pages, etc.

Then one day they launched an app feature "find a store near me." Now the app needed location permissions. If the user granted location permissions, the analytics library got access to location. Anything the app can do, the analytics library can do. And, sure enough, those analytics telemetry messages started to carry GPS coordinates from the user to this third party. My customer didn't make any change to their code. They didn't turn that on. They just asked for, and got, location permission from the end user for a legit purpose in the app.

I pointed it out, because this was a change in behavior that was not contemplated by their privacy policy. Heck, it's a change in behavior they didn't even know had happened! It wasn't in their code! So they quietly pushed out a small update to the policy that made it OK.

That was probably like 15-16 years ago.

Reply to Holy shit this is detailed. on Thu, 02 Apr 2026 21:03:31 GMT

argv_minus_one@mastodon.sdf.org — Thu, 02 Apr 2026 21:03:31 GMT

@paco

I'm more concerned with the fact that extensions *can* be detected this way. Web pages should not be able to detect the presence of extensions. If they can, that's a security vulnerability.

Reply to Holy shit this is detailed. on Thu, 02 Apr 2026 20:55:25 GMT

kitkat_blue@mastodon.social — Thu, 02 Apr 2026 20:55:25 GMT

@paco

Kinda makes you wonder what all the other slimy digi-corpos are doing.... this is just one that's been caught after all.

Reply to Holy shit this is detailed. on Thu, 02 Apr 2026 20:26:57 GMT

cerny_kocky@mastodon.social — Thu, 02 Apr 2026 20:26:57 GMT

@paco i worked at major anti-virus company. not only i can believe it, i think it’s default mode of all companies that came into contact with any sellable user data