I’m Rameerez, the creator of digital startups like Hustl or Edit that are used by people in companies like Google, Uber, Adobe and thousands of people around the globe. I’m now working on Guard, an AI that fights for your digital privacy. Follow me on social for behind the scenes updates!

Spamming on Facebook: advanced techniques

Apr 26, 2016  ·  2 min read

Just kidding, it’s not advanced. It couldn’t be more freaking far from fine engineering. But hey, it works. Spammers have discovered a new “security flaw” (not really, more like an “out of my jurisdiction” scenario), and they’re exploiting it to spam on your Facebook profile.

Or maybe not yours, if you’re sharp enough, but I’ve been seeing stuff like this on my timeline for a few months:

I’ve only seen it in Spanish posts, so translations will be provided

Hmm, that’s weird. That person would never comment “lovely”, much less on a post like this one. Let’s see what it is.

Shameless plug

On a side note, do you usually work with websites?

I made Edit, a Chrome extension that makes any website instantly editable with a single click – 100% live, no code required.

Thousands of users in 165+ countries around the world, including cool people at these amazing companies, are already using some of my products.

And just because you're already a reader of my blog, you can click here to get it now with a huge discount!

That's it, sorry for the shameless plug. Back to the post!


What? Why should I prove I’m a human to enter a stupid blog post? There’s something smelly about this site.


And no, it’s not only that they didn’t even have the decency to remove the default WordPress tagline. Let’s check the full URL, what’s that thing at the end?


That’s definitely smelly. So, a “regular” blog post URL should look like this:


Or something along these lines. What we find at the end here are two parameters the URL is carrying, additional info that the site is using. More precisely:

fb_action_ids = some id
fb_action_types = og.comments

Basically, it suggests that the Facebook user/app that “action ID” belongs to is trying to submit an action of type “comments”. Wat.

Let’s inspect that smelly “human verification” text box…


Just what I was expecting. That’s no human verification form. That is an iframe, an external resource embedded in the website, and it seems to come from some “Facebook Social Plugin”. There’s also a log message in the JavaScript console, indicating they have some kind of visit tracking system. Shoddy work here.

In a nutshell: they have disguised a Facebook Comments box as a humanity verification box: when you click “Enter”, you actually submit that comment on that post using your Facebook account.
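Two defender-side checks for the trick described above, written as an added example for this post (not code from the original article or from Facebook): one parses a link for the fb_action_ids / fb_action_types parameters found at the end of the spam URL, the other walks a page’s iframes, picks out those loading a Facebook social plugin, and flags any that are unusually small, faded or hidden, which is how a Comments box gets passed off as a “human verification” input. The size and opacity thresholds, the host list and the sample URL and frames are assumptions constructed for the example.

```javascript
// Added example, not from the original post. Two checks a reader or a
// browser-extension author could run against a suspicious page.
// Thresholds and host list are assumptions, not Facebook rules.

const FB_PLUGIN_HOSTS = new Set(['www.facebook.com', 'facebook.com', 'web.facebook.com']);

// Does a URL carry Open Graph action parameters (fb_action_ids / fb_action_types)?
// Returns { flagged, actionTypes, actionIds, reason }.
function flagOpenGraphActionUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { flagged: false, actionTypes: [], actionIds: [], reason: 'unparseable URL' };
  }
  const params = url.searchParams;
  // Facebook passes comma-separated lists, e.g. fb_action_types=og.comments
  const split = (v) => (v ? v.split(',').filter(Boolean) : []);
  const actionTypes = split(params.get('fb_action_types'));
  const actionIds = split(params.get('fb_action_ids'));
  const flagged = actionTypes.length > 0 || actionIds.length > 0;
  return {
    flagged,
    actionTypes,
    actionIds,
    reason: flagged
      ? `URL carries Open Graph action parameters: ${actionTypes.join(',') || '(no type)'}`
      : 'no fb_action_* parameters',
  };
}

// Reduce a live <iframe> element to plain values so the audit also runs outside a browser.
// In a browser: auditEmbeddedFrames([...document.querySelectorAll('iframe')].map(describeFrame))
function describeFrame(el) {
  const cs = window.getComputedStyle(el);
  const rect = el.getBoundingClientRect();
  return {
    src: el.src,
    width: rect.width,
    height: rect.height,
    opacity: parseFloat(cs.opacity),
    hidden: cs.visibility === 'hidden' || cs.display === 'none',
  };
}

// Heuristic: a Facebook plugin frame that is very small, faded or hidden is not
// something a legitimate site presents as a "prove you are human" box.
function auditEmbeddedFrames(frames, opts = {}) {
  const minArea = opts.minArea ?? 100 * 40;  // assumed threshold in CSS pixels
  const minOpacity = opts.minOpacity ?? 0.5; // assumed threshold
  const findings = [];
  for (const f of frames) {
    let host = '';
    let path = '';
    try {
      const u = new URL(f.src);
      host = u.hostname;
      path = u.pathname;
    } catch (e) {
      continue; // srcdoc / about:blank frames are out of scope here
    }
    if (!FB_PLUGIN_HOSTS.has(host) || !path.startsWith('/plugins/')) continue;
    // "/plugins/comments.php" -> "comments", "/plugins/like.php" -> "like"
    const plugin = (path.split('/')[2] || 'unknown').replace(/\.php$/, '');
    const reasons = [];
    if (f.width * f.height < minArea) reasons.push('very small');
    if (f.opacity < minOpacity) reasons.push('faded');
    if (f.hidden) reasons.push('hidden');
    findings.push({ src: f.src, plugin, suspicious: reasons.length > 0, reasons });
  }
  return findings;
}

// Constructed sample data (not captured from the site in the post).
const SAMPLE_URL =
  'http://example-spam-blog.invalid/post/?fb_action_ids=123456789&fb_action_types=og.comments';
const SAMPLE_FRAMES = [
  { src: 'https://www.facebook.com/plugins/comments.php?href=http%3A%2F%2Fexample-spam-blog.invalid%2Fpost%2F',
    width: 120, height: 30, opacity: 0.2, hidden: false },
  { src: 'https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.com',
    width: 300, height: 65, opacity: 1, hidden: false },
  { src: 'https://www.youtube.com/embed/placeholder', width: 560, height: 315, opacity: 1, hidden: false },
];

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(flagOpenGraphActionUrl(SAMPLE_URL));
  console.log(auditEmbeddedFrames(SAMPLE_FRAMES));
}
```

Run it with Node to see the sample output, or paste the functions into a browser console and pass the page’s real iframes through describeFrame. A comments plugin frame that is both tiny and faded is the pattern the post describes; a normal-sized Like button reports as a plugin but not as suspicious.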

What happens next is that Facebook tracks that activity and automatically posts it on your friends’ timelines. What struck me the most is that it leaves no trace in your FB Activity Log.


So, no way of deleting the comment I just posted. Profit for the spammer, shame for Facebook.

And that’s pretty much it. The reason I do this is that I strongly believe that running a “business” based on fooling and tricking your users/customers is just fucking not okay. It’s rotten, unfair and shows an absolute lack of a winner mentality (apart from being probably illegal, morally questionable, non-profitable and an endless list of other nice things to describe it).

Plus, as with any other “security flaw”, I just wanted to uncover it so that users, not only malicious people, can be aware of it and therefore protect themselves against it. Hopefully Facebook even notices it and fixes it.

Be careful, intrepid Facebook users. Not everything is as it seems out there.


PS: Pro tip, run a whois query on the domain name, you’ll even get the personal number of the guy running that shit.

Oh, and by the way!

I'm most active on Twitter and Instagram – follow me to stay in the loop.

But if you really wanna be above the average, join "The Hidden Report", my newsletter, and get my stuff delivered directly to your inbox. You'll be the first one to know about private betas, free early releases, exclusive discounts, behind-the-scenes stories and future launches!

Btw – no, I won't send spam, why would I do that. Plus, you can obviously unsubscribe anytime with a single click.

As a quick reminder – I'm Rameerez, an indie software developer that's making cool stuff like Hustl or Edit used by people all around the world in 165+ countries, among cool people at companies like Google, Uber or Adobe. My work has been featured in media like Fast Company, Vox, The Next Web...

If you liked this post, make sure to follow me on social, subscribe to the newsletter and share this! You can also hire me for your project.
