{"id":31950,"date":"2021-03-22T15:49:10","date_gmt":"2021-03-22T19:49:10","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=31950"},"modified":"2021-03-23T14:56:55","modified_gmt":"2021-03-23T18:56:55","slug":"backblaze-b2-leaks-metadata-to-facebook","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/03\/22\/backblaze-b2-leaks-metadata-to-facebook\/","title":{"rendered":"Backblaze B2 Leaks Metadata to Facebook"},"content":{"rendered":"

Ben Cox<\/a> (Hacker News<\/a>):<\/p>\n

@backblaze’s B2 web UI seems to submit all of the names and sizes of my files in my B2 bucket to facebook. I noticed because I saw “waiting for facebook.com” at the bottom while trying to download a backup…<\/p>

?!?!?!?<\/p>

I even opted out of their tracking widget thing!<\/p><\/blockquote>\n\n

Backblaze<\/a>:<\/p>\n

\n

Believe that’s the Facebook pixel we use for tracking, we’ve forwarded to our web team for review in case that is not intended behavior.<\/p>\n

[…]<\/p>\n

An update on the fix we pushed: we removed the offending code from the logged in web pages.<\/p>\n

[…]<\/p>\n

The pixels we use are primarily for audience building when we advertise on other platforms like Facebook for example. You can read about it in our terms<\/a>[…]<\/p>\n<\/blockquote>\n\n

Adam Brown<\/a>:<\/p>\n

The “Advertising Cookies” section says that you don’t use them. Then in the FB section, you say that it’s so people can easily share pages and content the user finds interesting. Then you slip in a catch-all “we may use it for advertising”.<\/p><\/blockquote>\n\n

Tomáš Kafka<\/a>:<\/p>\n

I hope you realise this isn’t a ‘frontend issue’, but a security breach. As a customer with sensitive data, I don’t want you ‘pushing a fix’, I want you to do a full review of how this happened, and a process to not let 3rd party trackers access user data ever again.<\/p><\/blockquote>\n\n

Colin Snover<\/a>:<\/p>\n

\n

Regrettably, this is just another example of Backblaze’s inability\/unwillingness to follow basic software development best practices. To those saying “they should notify all users”: they should, and they probably won’t, because they haven’t before.<\/p>\n<\/blockquote>\n\n

There is a long history of engineering problems. Just one example: it seems to still be the case<\/a> that the Backblaze client reports files as successfully backed up as many as eight hours before<\/em> they are actually committed to the server. If something happens to your Mac in the interim, you won’t be able to restore them.<\/p>\n\n

Previously:<\/p>\n