We can't know for sure it's not malicious. It could be keeping a list of names, IPs, and profile pictures (and maybe browser, OS, timezone, time) and publishing or selling them.
That's just FUD.
What possible use would there be for a list of Facebook profiles and their IP addresses?
You can just go on Facebook and get as many profiles as you'd like directly. The IP only gives you an ISP that the user used once at some point in time which means a very crude approximation for location (at the city/country level) which you could probably beat by looking at the profile itself.
These aren't just random profiles, they're security-interested Hacker News browsers. And they might be correlatable with comments in this post.
IP gives you more than just location. If you own a website, and someone from an IP visits your website around the same time as this log, there's probably a good chance they're the same person. So you could then correlate a username on your website with a Facebook profile.
The whole point of the potential attack is to correlate a username on the attacker's website with a Facebook profile.
I tried it in latest Firefox with uBlock & HTTPS Everywhere and it leads me to a 'captcha' page similar to Cloudflare's but there's no actual captcha box. Nothing seems to happen...
Is it uBlock protecting me or is it that I've completely disabled all third party cookies?
I use Firefox and the new Tracking Protection feature can sometimes prevent Captcha boxes from loading. Click the Shield icon by the URL, then toggle the Tracking Protection to off. The page should reload; does it display the captcha?
You're right, turning off Firefox's tracking protection reveals the 'captcha' box (disguised FB comment box)... but it still fails since I've FB's platform feature turned off. Another window pops up informing me that I need to turn it on to record my comment, which of course I declined...
In my case a comment box doesn't appear at all. I also don't have Firefox containers enabled. uBlock is blocking google-analytics.com and facebook.net domains only on that page, while Firefox's own tracker blocking is not accepting 3rd-party cookies from disqus, fb and google.
Although these days I'm aware that most large tracking companies are probably going beyond just 3rd party cookies and building shadow profiles based on device fingerprinting, which as it stands is effectively impossible to avoid without crippling modern browsers.
Why does this sign-in not show up in the "Apps & Websites" section on Facebook? How do I make it stop recognizing me without disabling sign-ins on other sites? It sure would be nice if these questions and their answers were included in the article!
Yeah, I tried looking through my Facebook logs, and couldn't find anything. I would have expected that if I leave a comment on a website, Facebook would keep a log of that for me to see.
Huh. When I go to the example, I end up on a Cloudflare captcha that appears to be missing most of its stuff, such that I can't pass it. I'm running uBlock Origin, nothing fancy. Here I thought it was just Tor users who were inconvenienced!
The example does not appear to work in Safari on iOS; for some reason the Facebook comment form doesn't seem to stay focused. (I also don’t have a Facebook account.)
I'm not going to spoil anything. If you haven't clicked on the link, you should. It's not malicious, but it does demonstrate the vulnerability.