this post was submitted on 27 Jun 2024
858 points (97.5% liked)

Technology

60033 readers
2857 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 202 points 5 months ago (6 children)

"Temu is designed to make this expansive access undetected, even by sophisticated users," Griffin's complaint said. "Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place."

That's just nuts

[–] [email protected] 108 points 5 months ago* (last edited 5 months ago) (5 children)

Yeah, it is. It's such an extraordinary claim.

One requiring extraordinary evidence that wasn't provided.

"It's doing amazing hacks to access everything and it's so good at it it's undetectable!" Right, how convenient.

[–] [email protected] 100 points 5 months ago* (last edited 5 months ago) (2 children)

Libmanwe-lib.so is a library file in machine language (compiled). A Google search reveals that it is exclusively mentioned in the context of PDD software—all five search results refer to PDD’s apps. According to this discussion on GitHub, “the malicious code of PDD is protected by two sets of VMPs (manwe, nvwa)”. Libmanwe is the library to use manwe.

An anonymous user uploaded a decompiled version of libmanwe-lib to GitHub. It reads like it is a list of methods to encrypt, decrypt or shift integer signals, which fits the above description as a VMP for the sake of hiding a program’s purpose.

In plain words, TEMU’s app employed a PDD proprietary measure to hide malicious code in an opaque bubble within the application’s executables

load more comments (2 replies)
load more comments (4 replies)
[–] [email protected] 54 points 5 months ago* (last edited 5 months ago) (1 children)

This is why companies like Apple are at least a tiny bit correct when they go on about app security and limiting code execution. The fact it aligns with their creed of controlling all of the technology they sell makes the whole debate a mess, though. And it does not excuse shitty behavior on their part.

But damn

And if they got this past Apple in their platforms. That’s even wilder.

[–] [email protected] 23 points 5 months ago

The article linked to the analysis and on a quick glance, it seems to be done entirely against the Android variant of the app. This makes sense because if the alleged actions are true, they’d never have gotten on to the App Store for iOS Apple users… or at least as of a couple months ago. Who knows what kind of vulnerability is exposed by Apple only doing limited cursory checks for 3rd party App Stores.

load more comments (4 replies)
[–] [email protected] 119 points 5 months ago (13 children)

I'm sure Temu collects all information you put into the app and your behaviour in it, but this guy is making some very bold claims about things that just aren't possible unless Temu is packing some serious 0-days.

For example he says the app is collecting your fingerprint data. How would that even happen? Apps don't have access to fingerprint data, because the operating system just reports to the app "a valid fingerprint was scanned" or "an unknown fingerprint was scanned", and the actual fingerprint never goes anywhere. Is Temu doing an undetected root/jailbreak, then installing custom drivers for the fingerprint sensor to change how it works?

And this is just one claim. It's just full of bullshit. To do everything listed there it would have to do multiple major exploits that are on state-actor level and wouldn't be wasted on such trivial purpose. Because now that's it's "revealed", Google and Apple would patch them immediately.

But there is nothing to patch, because most of the claims here are just bullshit, with no technical proof whatsoever.

[–] [email protected] 67 points 5 months ago (2 children)
[–] [email protected] 73 points 5 months ago* (last edited 5 months ago) (6 children)

Here's the actual relevant part

These are security risks to be sure, and while these permissions are (mostly) on the surface, possibly defensible, together they do clearly represent an app trying to gather all of the data that it can.

However, a lot of info from this report is overblown. For example code compilation is sketchy to be sure, but without a privilege escalation attack, it can't do anything the app couldn't do with an update.

Also, there's some weird language in the report, like counting the green security issues in other apps (like tiktok) as if they were also a problem, despite the image showing that green here means it doesn't present that particular risk.

All of this to say, if you have temu, probably uninstall it. It's clearly collecting all the data it can get.

But it's unlikely to be the immediate threat that will have China taking over your phone like this report implies.

load more comments (6 replies)
[–] [email protected] 18 points 5 months ago

That.. is not a study by anyone who knows what they are talking about. It also does not mention fingerprints at all.

They seem to believe that the app can use permissions undeclared in the manifest file because they obviously think it's only for the store to show the permissions to the user. Android will not actually allow an app to use undeclared permissions. The most rational explanation is the codebase is shared with different version of the app (possibly not released) that had different manifests.

It also makes a big deal of checking if running as root. That is not evidence of having an escalation exploit. If they have an ability to get root before running the app why would they need to use the app to exploit it? They could just do whatever they wanted and avoid leaving traces in the app. Though I doubt they would root phones to just brick them. It's the kind of mischief you would expect from a kid writing viruses, not an intelligence agency or criminal enterprise.

Users who root their own phones are very unlikely to run temu as root. In fact a lot of apps related to shopping or banking try to detect root to refuse to work as your system is unsafely. In any case it's a very niche group to target.

To keep things short, that 'study' does not really look credible or written by actual experts.

[–] [email protected] 29 points 5 months ago (2 children)
[–] [email protected] 32 points 5 months ago* (last edited 5 months ago) (4 children)

The analysis shows it's spyware, which I don't question. But it's spyware in the bounds of Android security, doesn't hack anything, doesn't have access to anything it shouldn't, and uses normal Android permissions that you have to grant for it to have access to the data.

For example the article mentions it's making screenshots, but doesn't mention that it's only screenshots of itself. It can never see your other apps or access any of your data outside of it that you didn't give it permission to access.

Don't get me wrong, it's very bad and seems to siphon off any data it can get it's hands on. But it doesn't bypass any security, and many claims in the article are sensational and don't appear in the Grizzly report.

load more comments (4 replies)
load more comments (1 replies)
[–] [email protected] 16 points 5 months ago* (last edited 5 months ago)

Yeah, I don't like Temu, and I'm sure the app is a privacy nightmare, but these claims don't seem right. If it's true, I'd like to see someone else verify it.

load more comments (10 replies)
[–] [email protected] 77 points 5 months ago (7 children)

Temu is absolute cancer in terms of business practices so no surprise here at all.

[–] [email protected] 46 points 5 months ago

Cancer in terms of, well, everything.

load more comments (6 replies)
[–] [email protected] 66 points 5 months ago (6 children)

How about pass and enforce strong digital privacy protection laws you fucking cowards. When other countries spy on us it's scary and bad, but for US companies? Best we can do is ban porn and demand backdoors to stop E2EE messaging.

load more comments (6 replies)
[–] [email protected] 65 points 5 months ago (38 children)

I can't believe anyone would buy from Temu. I knew they were Chinese knockoff bullshit the second I saw their first obnoxious ad.

[–] [email protected] 18 points 5 months ago (6 children)

Plenty of items on eBay are just people who buy from China directly and mark up prices. If it is likely made in China and I don’t want it quickly, I’ll buy off aliexpress. That said, alibaba wanted me to upload photo ID which I noped out of. Temu started spamming my email address when I’d never used them. The unsubscribe link went to their website said to adjust your account settings if you didn’t want spam… I never created and account and avoided them completely following that.

load more comments (6 replies)
[–] [email protected] 15 points 5 months ago (3 children)

Isn't that the site that's AliExpress but worse?

load more comments (3 replies)
load more comments (36 replies)
[–] [email protected] 49 points 5 months ago* (last edited 5 months ago) (5 children)
[–] [email protected] 38 points 5 months ago (21 children)

First, you use Lemmy, that's great. But pls use a client without ads....

load more comments (21 replies)
[–] [email protected] 31 points 5 months ago (12 children)

Where are you viewing Lemmy posts that you have ads?

load more comments (12 replies)
[–] [email protected] 19 points 5 months ago* (last edited 5 months ago) (5 children)

That's what you get for using a proprietary Lemmy app. Switch to Thunder, it doesn't have ads, it's open source and in my opinion has the best UI out of all Lemmy apps. Also support the development and join their community: [email protected]

load more comments (5 replies)
load more comments (2 replies)
[–] [email protected] 41 points 5 months ago (3 children)

I generally think arstechnica.com does a decent job of being a non-garbage news site. I pay a couple bucks a month for the ad-free RSS feed. This story feels terrible to me. I don’t doubt a law suit has been filed, but I would expect some investigation by the reporter of the extra-ordinary claims of privilege escape the application is claimed to be capable of.

load more comments (3 replies)
[–] [email protected] 37 points 5 months ago (1 children)

Shocked i tell you. I am shocked.

No way an app would collect data it doesnt need. Preposterous.

Next thing you'll tell me is that tiktok is doing the same thing!

[–] [email protected] 29 points 5 months ago (11 children)

What about Meta and Google?

[–] [email protected] 24 points 5 months ago

it doesn't count when it's an american company doing it

load more comments (10 replies)
[–] [email protected] 36 points 5 months ago (3 children)

Have any of you actually ever stopped to process what the tagline, "I'm shopping like a billionaire" means?

I've always interpreted it as,

I'm needlessly buying things that don't make me happy, but making the purchase without any hesitation, knowing that the purchase price could never financially impact me in any real way. When I purchase the thing, I'll probably never use it or actually take it out of the box even. It is just empty, hollow. And somewhere inside, I always know that it's all only possible, because I'm actively exploiting the cheap labor of scores of other people that are made to perpetually suffer in generations of abject poverty to allow for my relative comfort...

🎶*"I'm shopping like a billionaire!"*🎶

[–] [email protected] 16 points 5 months ago* (last edited 5 months ago) (8 children)

I am disabled and have limited income I don't have control over increasing or decreasing. I use temu to save a lot of money on essential things that should be cheap but are still overpriced in America. Sponges. Rags. Soaps. Pens. Tools. Home improvement hardware. Plant grow supplies. Gifts for me nieces. The tagline, is just a tagline. Billionaires are not like me and scouring for cheap magic sponges.

Edit: also, temu did not invent drop shipping. Shopping on amazon is literally the same thing.

load more comments (8 replies)
load more comments (2 replies)
[–] [email protected] 34 points 5 months ago (12 children)

All I want to know is what do these Temu people think my life is like?

[–] [email protected] 20 points 5 months ago

Are you a busty outdoorswoman?

[–] [email protected] 16 points 5 months ago (2 children)

Weaponized fishing for covert military operations.

load more comments (2 replies)
[–] [email protected] 16 points 5 months ago (5 children)

I mean, you're obviously a sexy military mechanic woman, who goes into battle with fantasy battle armor and goes fishing as a hobby! Duh.

load more comments (5 replies)
load more comments (9 replies)
[–] [email protected] 32 points 5 months ago (5 children)

Yesterday, I saw a Temu ad for something and I just wanted to open it to read the info and there were so many popups and "spin the wheel for a prize" and "enter your email here" and so on that I gave up and just looked for the info elsewhere. Never clicking on a Temu link again.

load more comments (5 replies)
[–] [email protected] 28 points 5 months ago* (last edited 5 months ago) (1 children)

I'm shocked, I say. Shocked!
The idea of an app being used to gather additional dat~~e~~a from a customer!

load more comments (1 replies)
[–] [email protected] 24 points 5 months ago* (last edited 5 months ago) (4 children)

Comments here: “Yeah right, I’ll believe it when they explain how.”

Article: literally has a section explaining how

Edit:

Replies: "Yeah, but that's just a summary. I'll believe it when they explain in full detail."

Article: literally has a link to the detailed explanation

[–] [email protected] 14 points 5 months ago* (last edited 5 months ago) (2 children)

The claim is they completely bypass all Android and iOS security is pretty unbelievable.

If so then the real discussion is how these zero day exploits are just sitting around.

EDIT: It seems the focus is on Android but all the information is nonsensical, like AI generated buzzword bingo.

load more comments (2 replies)
load more comments (3 replies)
[–] [email protected] 19 points 5 months ago

Like a worse AliExpress

[–] [email protected] 18 points 5 months ago (1 children)

Also fuck their landfillware Chinesium "products".

[–] [email protected] 13 points 5 months ago (4 children)

That's also most of what's on Amazon these days.

load more comments (4 replies)
[–] [email protected] 17 points 5 months ago (4 children)

Can someone explain to me how you can just simply program something to bypass privacy and security features? What is the point of having these features if you can literally just program something to ignore them? Like....??? Temu is obviously bad if this is true, but if it IS true, it shouldn't have been possible to begin with!!

load more comments (4 replies)
load more comments
view more: next ›