Temu "surprised" by the lawsuit, plans to "vigorously defend" itself.
  • TwitchingCheese@lemmy.worldEnglish
    0·
    5 months ago

    How about pass and enforce strong digital privacy protection laws you fucking cowards. When other countries spy on us it’s scary and bad, but for US companies? Best we can do is ban porn and demand backdoors to stop E2EE messaging.

  • Flying Squid@lemmy.worldEnglish
    0·
    5 months ago

    Yesterday, I saw a Temu ad for something and I just wanted to open it to read the info and there were so many popups and “spin the wheel for a prize” and “enter your email here” and so on that I gave up and just looked for the info elsewhere. Never clicking on a Temu link again.

    • pantyhosewimp@lemmynsfw.comEnglish
      0·
      5 months ago

      Same, but a year ago.

      Also, Temu has tried to take all the shopping search results from Bing/DDG. So those results are trash now.

    • MehBlah@lemmy.worldEnglish
      0·
      5 months ago

      I get their CAPTCHA where I have to slide the puzzle piece over to look at one of their ads. More than half the time I will do this and it will fail saying I didn’t do it right. So yeah temu has become a trash site.

  • Timecircleline@sh.itjust.worksEnglish
    0·
    5 months ago

    But if you install the app you get a free Bluetooth speaker!!

    /Joking. Am I the only one who gets that ad constantly whenever I’m using a device that isn’t running ad blocks?

  • dev_null@lemmy.mlEnglish
    0·
    5 months ago

    I’m sure Temu collects all information you put into the app and your behaviour in it, but this guy is making some very bold claims about things that just aren’t possible unless Temu is packing some serious 0-days.

    For example he says the app is collecting your fingerprint data. How would that even happen? Apps don’t have access to fingerprint data, because the operating system just reports to the app “a valid fingerprint was scanned” or “an unknown fingerprint was scanned”, and the actual fingerprint never goes anywhere. Is Temu doing an undetected root/jailbreak, then installing custom drivers for the fingerprint sensor to change how it works?

    And this is just one claim. It’s just full of bullshit. To do everything listed there it would have to do multiple major exploits that are on state-actor level and wouldn’t be wasted on such trivial purpose. Because now that’s it’s “revealed”, Google and Apple would patch them immediately.

    But there is nothing to patch, because most of the claims here are just bullshit, with no technical proof whatsoever.

    • ✂⚋⚋⚋⚋ clb92 ⚋⚋@feddit.dkEnglish
      0·
      5 months ago

      Yeah, I don’t like Temu, and I’m sure the app is a privacy nightmare, but these claims don’t seem right. If it’s true, I’m like to see someone else verify it.

      • MajinBlayze@lemmy.worldEnglish
        0·
        5 months ago

        Here’s the actual relevant part

        These are security risks to be sure, and while these permissions are (mostly) on the surface, possibly defensible, together they do clearly represent an app trying to gather all of the data that it can.

        However, a lot of info from this report is overblown. For example code compilation is sketchy to be sure, but without a privilege escalation attack, it can’t do anything the app couldn’t do with an update.

        Also, there’s some weird language in the report, like counting the green security issues in other apps (like tiktok) as if they were also a problem, despite the image showing that green here means it doesn’t present that particular risk.

        All of this to say, if you have temu, probably uninstall it. It’s clearly collecting all the data it can get.

        But it’s unlikely to be the immediate threat that will have China taking over your phone like this report implies.

          • A_Random_Idiot@lemmy.worldEnglish
            0·
            5 months ago

            Exactly why I use browser and not apps, too. and if they try to strongarm me with better prices or degraded services, I just stop using them all together.

            • Shyfer@ttrpg.networkEnglish
              0·
              5 months ago

              It’s why I stopped using Reddit on mobile lol. No, I don’t want to download your official app, and no you making it so I need it to access NSFW stuff will convince me to.

              Same with X/Twitter. I hate when people put information in those now because you can’t read more than one at a time in some reply to self thread on there without downloading the app. Especially when it’s important news or on the ground reporting. Screw that. All those reporters need to use mastadon.

            • aStonedSanta@lemm.eeEnglish
              0·
              5 months ago

              Yup. I used to watch TikTok’s sent to me. Now I can’t. They want me to use their app. LOL. Nah.

          • protist@mander.xyzEnglish
            0·
            5 months ago

            I’m blown away by how many people use apps when they don’t have to. There’s a reason companies are always trying to get you to download their app, and it’s so they can put their software on your phone and harvest more of your data.

      • azuth@sh.itjust.worksEnglish
        0·
        5 months ago

        That… is not a study by anyone who knows what they are talking about. It also does not mention fingerprints at all.

        They seem to believe that the app can use permissions undeclared in the manifest file because they obviously think it’s only for the store to show the permissions to the user. Android will not actually allow an app to use undeclared permissions. The most rational explanation is the codebase is shared with different version of the app (possibly not released) that had different manifests.

        It also makes a big deal of checking if running as root. That is not evidence of having an escalation exploit. If they have an ability to get root before running the app why would they need to use the app to exploit it? They could just do whatever they wanted and avoid leaving traces in the app. Though I doubt they would root phones to just brick them. It’s the kind of mischief you would expect from a kid writing viruses, not an intelligence agency or criminal enterprise.

        Users who root their own phones are very unlikely to run temu as root. In fact a lot of apps related to shopping or banking try to detect root to refuse to work as your system is unsafely. In any case it’s a very niche group to target.

        To keep things short, that ‘study’ does not really look credible or written by actual experts.

      • dev_null@lemmy.mlEnglish
        0·
        5 months ago

        The analysis shows it’s spyware, which I don’t question. But it’s spyware in the bounds of Android security, doesn’t hack anything, doesn’t have access to anything it shouldn’t, and uses normal Android permissions that you have to grant for it to have access to the data.

        For example the article mentions it’s making screenshots, but doesn’t mention that it’s only screenshots of itself. It can never see your other apps or access any of your data outside of it that you didn’t give it permission to access.

        Don’t get me wrong, it’s very bad and seems to siphon off any data it can get it’s hands on. But it doesn’t bypass any security, and many claims in the article are sensational and don’t appear in the Grizzly report.

        • hummingbird@lemmy.worldEnglish
          0·
          5 months ago

          That is not entirely correct. The reported found the app using permissions that are not covered by the manifest. It also found the app being capable to execute arbitrary code send by temu. So it cannot be clearly answered if the app can utilize these permissions or not. Obviously they would not ship such an exploit with the app directly.

          • dev_null@lemmy.mlEnglish
            0·
            5 months ago

            The reported found the app using permissions that are not covered by the manifest.

            It didn’t found them using them, it’s an important distinction. It found code referring to permissions that are not covered by the Manifest file. If that code was ran, the app would crash, because Android won’t let an app request and use a permission not in the Manifest file. The Manifest file is not an informational overview, it’s the mechanism through which apps can declare permissions that they want Android to allow them to request. If it’s not in the Manifest, then it’s not possible to use. It’s not unusual to have a bunch of libraries in an app that have functionality you don’t use, and so don’t declare the required permissions in the Manifest, because you don’t use them.

            It also found the app being capable to execute arbitrary code send by temu.

            Yeah, which is shady, but again, there is nothing to indicate that code can go around any security and do any of the sensational things the article claims.

            The Grizzly reports shows how the app tricks you into granting permissions that it shouldn’t need, very shady stuff. But it also shows they don’t have a magical way of going around the permissions. The user has to actually grant them.

      • dev_null@lemmy.mlEnglish
        0·
        5 months ago

        Yes, the phone does, but that data is protected in the hardware and never sent to the software, the hardware basically just sends ok / not ok. It’s not impossible to hack in theory, nothing is, but it would be a very major security exploit in itself that would deserve a bunch of articles on it’s own. And would likely be device specific vulnerability, not something an app just does wherever installed.

    • DarkCloud@lemmy.worldEnglish
      0·
      5 months ago

      Haven’t read the article because I’m not interested in an app I don’t use, but does it mean browser fingerprint? Because that’s slang for the fonts/cookies/user-data of your browser, and lots of apps have access to that.

  • Bluefruit@lemmy.worldEnglish
    0·
    5 months ago

    Shocked i tell you. I am shocked.

    No way an app would collect data it doesnt need. Preposterous.

    Next thing you’ll tell me is that tiktok is doing the same thing!

        • TWeaK@lemm.eeEnglish
          0·
          5 months ago

          Erm, WhatsApp would suggest otherwise.

          WhatsApp was the vector for zero click access to a target’s phone from Israel’s weapons grade hacking Pegasus toolkit. They would send a video call, typically in the middle of the night, and with no input from the used they’d get full access. My personal belief is that they used functionality WhatsApp itself uses to access user data.

          There was also an encrypted phone called ANOM, which had this trick calculator app with a hidden encrypted messager. “Made for criminals, by criminals”. Except, when the guy started his business he got investment from the FBI and Australian Federal Police to pay for the servers and some of the phones themselves. Basically every time it sent an encrypted message it sent a separate encrypted message to the ANOM servers. It’s entirely possible (perhaps even likely) that WhatsApp would do this also.

          As for Google, they’re truly insidious. Lots of banks now require you to connect to Google captcha servers - they don’t give you the pictures, it’s just the back end, basically the tracking parts. Then there’s the controversy about them collecting location data when users have said no. They absolutely do collect data they shouldn’t.

          • TeddE@lemmy.worldEnglish
            0·
            5 months ago

            I’ll accept that maybe I’m giving Google a pass because of misplaced nostalgia, and while I personally have never used or liked Meta Facebook, I’ll concede that for a while it provided a service some people valued.

            It’s still my opinion that Google and Facebook have a large percentage of engineers that personally try to make them a genuinely good service, at least moreso than compared to TikTok and Temu. But I’m willing to concede it’s not as much a practical difference as I would like.

          • TeddE@lemmy.worldEnglish
            0·
            5 months ago

            Emphasis on by comparison, as in “molten hot metal is cooler than the surface of the sun, by comparison”.

            TikTok and Temu actively have code in them that would be considered a virus in other contexts. They exploit your system to gain more access than they should, violating the point of sandboxed access.

            By comparison Meta and Google merely take advantage of user ignorance and apathy by making opting out frustrating - but still technically doable.

            Both practices are terrible, but that’s not the same as saying they’re equally bad.

            • pop@lemmy.mlEnglish
              0·
              5 months ago

              By comparison Meta and Google merely take advantage of user ignorance and apathy by making opting out frustrating - but still technically doable.

              This is simply just not true. Meta used an adversary-in-the-middle attack to decrypt Snapchat and other competitors traffic. Facebook, Apple, Twitter and Google have been intercepting traffic since before https/sandbox/anti-virus were the norm. Do you think they didn’t do anything malicious?

              Install any Google app on Windows and it will install a task schedule and a always online background service to “check for updates” and downloads and runs their executable without any user consent. I wonder why no body had a problem with that. hmm…

              https://www.malwarebytes.com/blog/news/2024/03/facebook-spied-on-snapchat-users-to-get-analytics-about-the-competition

              Google runs it own operating system so they could technically do anything they so fucking please. You think Chinese Android variants are using exploits or just scooping data wholesale, because it can. But you think Google and Apple aren’t?

              It’s showing your prejudice, bias and concern trolling more than anything.

  • Snapz@lemmy.worldEnglish
    0·
    5 months ago

    Have any of you actually ever stopped to process what the tagline, “I’m shopping like a billionaire” means?

    I’ve always interpreted it as,

    I’m needlessly buying things that don’t make me happy, but making the purchase without any hesitation, knowing that the purchase price could never financially impact me in any real way. When I purchase the thing, I’ll probably never use it or actually take it out of the box even. It is just empty, hollow. And somewhere inside, I always know that it’s all only possible, because I’m actively exploiting the cheap labor of scores of other people that are made to perpetually suffer in generations of abject poverty to allow for my relative comfort…

    🎶*“I’m shopping like a billionaire!”*🎶

    • Captain Poofter@lemmy.worldEnglish
      0·
      5 months ago

      I am disabled and have limited income I don’t have control over increasing or decreasing. I use temu to save a lot of money on essential things that should be cheap but are still overpriced in America. Sponges. Rags. Soaps. Pens. Tools. Home improvement hardware. Plant grow supplies. Gifts for me nieces. The tagline, is just a tagline. Billionaires are not like me and scouring for cheap magic sponges.

      Edit: also, temu did not invent drop shipping. Shopping on amazon is literally the same thing.

    • dan@upvote.auEnglish
      0·
      5 months ago

      My interpretation of that tagline is that since the prices on Temu are cheap, it means you can shop as if you had a lot of money, without actually spending that much.

  • GreatAlbatross@feddit.ukEnglish
    0·
    5 months ago

    I’m shocked, I say. Shocked!
    The idea of an app being used to gather additional date from a customer!

  • Sam_Bass@lemmy.worldEnglish
    0·
    5 months ago

    The only thing annoying to me about temu is the cheesy popups for “free” gifts and percent-off wheel spinners.