News Shared is News Heard!

If the app is free, then you are the product.

Facebook publicly admits there are four factors that feed into PYMK. First there’s people you have lots of mutual friends with – the most common reason for suggestions, according to Facebook’s Help Centre. Then there are people who are in the same Facebook groups or photos as you; people who went to the same school or work at the same company as you; and phone and email contacts you’ve uploaded to Facebook (knowingly or not). While back in 2016, Facebook also said “many other factors” fed into its algorithm, this line has now been deleted from the official Help Centre page.

If you’re using WhatsApp – Meta knows your phone number

If you’re using Instagram – Meta knows your phone number

If you’re using Facebook – Meta knows your phone number

If you used any of them on your phone, you agreed to upload your contacts with the app.

For over a decade, People You May Know (PYMK) has been recommending potential new friends on Facebook: there’s that girl you knew in primary school, your best friend’s dad, and the uncle you’ve been avoiding

I’ve spoken to some people on WhatsApp to buy some used stuff online (not from FB Marketplace) and when I was looking for apartments to rent a while ago. And now they are in my suggested friends section. It happened on 3 different occasions, so it’s not just a coincidence.

These people do not have my email, we do not have any common FB friends, and neither my Facebook app nor my Messenger app have contacts permissions on. The only contact was through WhatsApp, so I assume WhatsApp shares data with Facebook. (I used my phone number on FB along with my email.)

Where exactly is this setting and how do I stop it? I do not want suggestions, or to be suggested as a friend, simply because I spoke to someone on WhatsApp once. Facebook settings are so complicated, especially in the EU. Can someone help me find this, please?

Yes, people you talk to on WhatsApp can get recommended on Facebook due to data sharing practices between the two platforms. Here’s how it works:

Data Sharing and Recommendations

  1. Shared Data:
    • WhatsApp and Facebook share data to improve user experiences across their services. This includes contact information and interaction data.
  2. Contact Matching:
    • If you have shared your contacts with WhatsApp, those contacts can be cross-referenced with Facebook’s database to suggest friends. Even if you haven’t explicitly shared your contacts with Facebook, the data sharing agreement allows for some level of cross-referencing.
  3. Activity and Interaction Data:
    • Facebook can use interaction data from WhatsApp, such as who you message frequently, to inform its friend recommendation algorithm.

Privacy Settings

To manage how your data is shared and recommendations are made, you can adjust your privacy settings on both platforms:

  1. On WhatsApp:
    • Settings > Account > Privacy: Adjust settings to control who can see your information.
    • Settings > Account > Linked Accounts: Ensure your Facebook account is not linked to minimize data sharing.
  2. On Facebook:
    • Settings & Privacy > Settings > Privacy: Adjust who can see your friend list and how people can find you.
    • Settings & Privacy > Settings > Ads: Manage ad settings to control data usage for ad recommendations.

Tips to Minimize Data Sharing

  1. Limit Permissions:
    • Only grant necessary permissions to apps. Avoid sharing your contact list unless required.
  2. Use Separate Contact Lists:
    • Maintain separate contact lists for WhatsApp and Facebook to reduce cross-platform data matching.
  3. Review App Permissions Regularly:
    • Regularly check and update app permissions to ensure you’re only sharing what’s necessary.


What many people think of when they hear “no personally identifiable information” actually just means “we don’t directly link your username to your user ID”. Every web service (like for instance AdSense, which a lot of other services leverage off of because A) it’s everywhere, and B) using one ID is easier than tracking many) you initially connect to generates a cookie and authentication token to recognize that specific device on that specific session as valid to further link to your account. That is how it delivers messages and such. However, that only handles authorization to utilize the service…

Which, as has already been beaten to death but apparently still needs to be said: if the service is free, you are the product. Don’t like it? Then pay for privacy and/or roll your own service.


It’s called Linux, it’s called open source, it’s called making your hard work, time, and equipment investment just as accessible and vulnerable to the open internet as these services so many believe they are entitled to. Even these companies that claim to be encrypted and to not store the keys etc, etc, etc… do you know how they generate keys? Do you know if there is an inbuilt cryptographic backdoor through the key generating algorithm? Do you know for a fact they can’t just instruct their app to hand over the keys when asked nicely? No, you don’t. Stop assuming for-profit entities are inherently operating in your best interests out of the goodness of their heart. That entire concept is a false narrative, and week after week stories keep popping up of people who are amazed these free platforms aren’t actually obligated to us in the slightest.

Hosting services costs money. Period. There is no magic free internet connection, free load balancing hardware, edge routers, servers, RAM, processing time, storage, backup power, cases, fans, racks, secure locations to store them, aircon to keep them cool, power for the whole operation, nor are there people just giving up 8 hours of their day because they really really really want you to post yet another video of the Romanian countryside… The internet costs money. Now… where was I before that reality check rant slipped out… oh yeah!

So, all your cookie, session key, and token do is say “hey service! This device, on this network route (by the way… when you’re away from home… how do you think your data stream finds your phone across the cell network as it’s changing locations constantly… might be an eye opener to look into…) is allowed to request and receive data from that account until further notice or the session key expires.” And the service goes “Okay!” then sprays your client with message updates, turns a little icon green on all your friends’ clients, etc.

But how does the system know what messages are meant for which user? “My username of course!” … Usernames. You mean those messy things that can be from like 3 characters to what, like 64 or something (another aside, what about the services that only log you in via email or phone number, not username? … wait for it… you’ll see…), can contain all sorts of number, letter and character combinations… and horror of horrors… if we (the service) store accounts based purely on their username then we would have to have a system exposed to the internet with a known, easily searchable identifier!!!! We could get scraped by web spiders and search engines six ways from Sunday!!!! DEAR GOD NO!!!!

Okay, that was a little dramatic, but hopefully you get my point from an information security standpoint (and that phrase doesn’t mean what you think it means… It’s basically corporate doublespeak for not leaking information that would make data mining engagements (I don’t want to call all scraping attempts attacks, but yeah, those) difficult and easy to spot on the system monitoring software the ops teams use).

“OH FOR THE LOVE OF PLOP… Stop ranting and get to the point for fuck’s sake!!!” I hear you rightfully think quite loudly.

The much more efficient method of tracking unique entities accessing a network is with a UUID. You don’t have to look very deep into a given service’s settings to find that variable in there somewhere. It stands for Unique User IDentification. It’s usually some string of some standard length comprised of a seemingly random mix of letters, numbers and special characters, sometimes in some standard format (i.e. 10 characters, hyphen, 6 characters, hyphen, 8 characters, hyphen, 2 numbers, hyphen… etc). Unlike the effectively impossible to predict email or known limitations of a username based system, this UUID is a standard bit length.


Which means it can be optimized for. Both in memory, in the databases, and across the entire data stream! And yes, when you are handling billions of user transactions a minute, the tiniest improvement in processing to handle said transaction could save you seconds on the user facing side and millions in resources on the back end across the entire system. Hey, now that I think about it… It makes sense for them to encrypt and pad to a known length every transaction… that way every transaction has a known throughput load, just [sender] [receiver (could be a group ID containing IDs of those in the chat)] [payload of consistent length]… almost like they planned it, and just market a common design feature as a user perk… weird…

“… BUT… WHAT… ABOUT…” Shhhhhh there big fella, I got you baby. Don’t worry, imma get them knowledge rocks off for you right now, just lay back and enjoy the magic of the innocuous and privacy eroding yet effectively inconsequential if you practice basic infosec like NOT USING YOUR REAL NAME ONLINE (FFS kids, the ToS is just text on a screen. Just because it says it requires you to use your real name doesn’t mean the Facebook police are going to kick your door in if you go by a pseudonym… stop making OSINT so damn easy just because they say you have to… There are no inherent safe places on the internet, anyone can get an account on any service and troll.


Get over it. And while you’re at it look up the old Rules of the Internet. It’ll do a lot of you millennials some good… but only if you were born with a sense of humor that can be juxtaposed with sobering fact… if you weren’t, well, I’m sorry, but an ‘I want to speak to your manager’ haircut is in your future, friend… I’m so sorry…) … shit, my bad. Got lost on another tangent. I know I know… c’mon come back little buddy… there we go. Okay, now lay back and open your mind to the magic of our modern world…

This UUID is linked to your account. Which shares an email with these other services. And hey look, the same AdSense UUID accesses those shared accounts too! I’ll bet it’s the same person. That same person, who uses those accounts, accessed by this user agent (a part of the client-server handshake that basically informs the server what the device is capable of supporting so the server can more efficiently deliver data the client can digest… except through user agent fingerprinting things like audio and video codecs, and installed fonts, which can be loaded and unloaded in the background to more uniquely track a user… do you know what fonts your phone is reporting it has? Have they ever changed? Are you sure? Are you REALLY sure?), and using this UUID with AdSense… OH! Look at that! That UUID was also part of a chat this separate account, UUID, and user agent was a part of… And this second entity’s conversation included a number of keywords with a third UUID as they did with the first… I’ll bet 1 and 3 wanna be friends, let’s add 1 and 3’s UUIDs to their recommended friends lists for that.

Thanks number two for showing us the potential content and revenue generating connections we otherwise would have never been able to infer by paying too close attention to the non-personally identifiable information of these two specific individuals! Who are logged into these accounts… on these specific phones… on these specific carriers… in these specific areas (and if you’re Google, near these specific access points, give or take a meter or so)…

But don’t worry… The information they store is not personally identifiable. By the by, it’s kind of funny how someone with such little understanding of the backend technology sector could also hold such a sycophantic admiration of the Elon ‘PayPal absorbed my payment tracking system, and then fired me for poor performance’ Musk… It’s okay, I understand. I don’t hate you. But I’m willing to bet you have a spicy opinion about me now, eh? Go on, hit me with it. I’m honestly interested… (by the way, I also lie… sort of like Elon does)…
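The linkage the comment above walks through, written out as an added example (not code from the post, from Meta, or from any ad network): two services each log a device's shared tracker UUID next to the account used there, so a join over that one "non-PII" value turns a chat-service contact into a social-service friend suggestion. The second half shows the usual mitigation, a keyed per-service pseudonym, which makes the same join return nothing. All sample data, key names and service names are constructed.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample data: one ad-network UUID seen by both services for the same device,
# another for the device of a chat partner. Account names are service-local.
SHARED_UUID = "7f3a9c2e-1b4d-4e6f-8a90-123456789abc"  # constructed
PEER_UUID = "0c1d2e3f-4a5b-4c6d-8e7f-fedcba987654"    # constructed
EVENTS = [
    {"service": "chat",   "tracker_id": SHARED_UUID, "account": "chat-42"},
    {"service": "social", "tracker_id": SHARED_UUID, "account": "social-9001"},
    {"service": "chat",   "tracker_id": PEER_UUID,   "account": "chat-77"},
    {"service": "social", "tracker_id": PEER_UUID,   "account": "social-5005"},
]
CHATS = [("chat-42", "chat-77")]  # constructed: who messaged whom on the chat service


def link_accounts(events):
    """Group accounts across services by the tracker id they share.

    Returns {tracker_id: {service: account}}; a group with more than one
    service is one person observed on two platforms.
    """
    groups = defaultdict(dict)
    for e in events:
        groups[e["tracker_id"]][e["service"]] = e["account"]
    return groups


def suggest_friends(events, chats):
    """Map chat-service contacts onto social-service accounts via the join."""
    groups = link_accounts(events)
    chat_to_social = {g["chat"]: g["social"]
                      for g in groups.values() if "chat" in g and "social" in g}
    return {(chat_to_social[a], chat_to_social[b])
            for a, b in chats if a in chat_to_social and b in chat_to_social}


def per_service_pseudonym(service_key: bytes, raw_id: str) -> str:
    """Mitigation: a keyed hash with a different key per service yields unlinkable ids."""
    return hmac.new(service_key, raw_id.encode(), hashlib.sha256).hexdigest()


def pseudonymize(events, keys):
    """Rewrite every tracker_id with that service's pseudonym (keys: {service: key}, hypothetical)."""
    return [dict(e, tracker_id=per_service_pseudonym(keys[e["service"]], e["tracker_id"]))
            for e in events]
```

With the shared UUID the join suggests social-5005 to social-9001; after per-service pseudonymisation every group holds a single service and no suggestion can be derived from the same logs.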