Just kidding, it’s not advanced. It couldn’t be more freaking far from fine engineering. But hey, it works. They have discovered a new “security flaw” (not really, more like an “out of my jurisdiction” scenario), and they’re exploiting it to spam on your Facebook profile.
Or maybe not yours, if you’re sharp enough, but I’ve been seeing stuff like this on my timeline for a few months:
Hmm, that’s weird. That person wouldn’t ever comment “lovely”, much less on a post like this one. Let’s see what it is.
Shameless plug
What? Why should I prove I’m a human to enter a stupid blog post? There’s something smelly about this site.
And no, it’s not only that they didn’t even have the decency to remove the default WordPress tagline. Let’s check the full URL, what’s that thing at the end?
That’s definitely smelly. So, a “regular” blog post URL should look like this:
Or something along these lines. What we find at the end here is two parameters the URL is carrying, additional info that the site is using. More precisely:
fb_action_ids = some id
fb_action_types = og.comments
Basically, it suggests that the Facebook user/app to which that “action ID” belongs is trying to submit an action of type “comments”. Wat.
Let’s inspect that smelly “human verification” text box…
In a nutshell: they have disguised a Facebook Comments box as a humanity verification box: when you click “Enter”, you actually submit that comment on that post using your Facebook account.
What happens next is that Facebook tracks that activity and automatically posts it on your friends’ timelines. What struck me the most is that it leaves no trace in your FB Activity Log.
So, no way of deleting the comment I just posted. Profit for the spammer, shame for Facebook.
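As an added illustration (my own code, not part of the original post), here is a small Python check that flags the two smells described above: a URL carrying an `fb_action_types=og.comments` action, and a Facebook Comments plugin sitting next to “prove you are human” wording. The `fb-comments` class and the `plugins/comments` iframe URL are assumed forms of the plugin markup; the sample URL and HTML are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs
from html.parser import HTMLParser

# Facebook appends these query parameters when a visitor arrives via an Open Graph story.
FB_ACTION_PARAMS = ("fb_action_ids", "fb_action_types")

def facebook_action_params(url):
    """Return the Open Graph action parameters carried by a URL (values are lists)."""
    qs = parse_qs(urlparse(url).query)
    return {k: qs[k] for k in FB_ACTION_PARAMS if k in qs}

class CommentsBoxFinder(HTMLParser):
    """Count Facebook Comments plugin embeds (assumed markup) and collect visible text."""
    def __init__(self):
        super().__init__()
        self.plugin_hits = 0
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div" and "fb-comments" in (a.get("class") or "").split():
            self.plugin_hits += 1
        if tag == "iframe" and "facebook.com/plugins/comments" in (a.get("src") or ""):
            self.plugin_hits += 1

    def handle_data(self, data):
        self.text.append(data)

# "prove/verify ... human" within a short distance, case-insensitive, across line breaks.
VERIFY_RE = re.compile(r"(prove|verify).{0,40}human", re.I | re.S)

def looks_like_disguised_comments_box(html):
    """True when a comments plugin appears on a page that also asks for human verification."""
    finder = CommentsBoxFinder()
    finder.feed(html)
    return finder.plugin_hits > 0 and bool(VERIFY_RE.search(" ".join(finder.text)))

def assess(url, html):
    """Return a list of findings for the given landing URL and page HTML."""
    findings = []
    if facebook_action_params(url).get("fb_action_types") == ["og.comments"]:
        findings.append("url carries an og.comments action")
    if looks_like_disguised_comments_box(html):
        findings.append("comments plugin next to human-verification wording")
    return findings

# Constructed sample input mirroring the post's observations.
SAMPLE_URL = "http://example.invalid/?p=123&fb_action_ids=000000&fb_action_types=og.comments"
SAMPLE_HTML = """<p>Please prove you are a human to enter:</p>
<div class="fb-comments" data-href="http://example.invalid/?p=123"></div>"""
```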
And that’s pretty much it. The reason I do this is because I strongly believe that running a “business” based on fooling and tricking your users/customers is just fucking not okay. It’s rotten, unfair and shows an absolute lack of a winner mentality (apart from being probably illegal, morally questionable, non-profitable and an endless list of nice things to describe it).
Plus, as with any other “security flaw”, I just wanted to uncover it so users can be aware of it, not only malicious people, and therefore protect against it. Hopefully even Facebook notices it and fixes it.
Be careful, intrepid Facebook users. Not everything is as it seems out there.
PS: Pro tip, run a whois query on the domain name, you’ll even get the personal number of the guy running that shit.