I’m Rameerez, the creator of digital startups (like Hustl or Wakefy) that are used by companies like Uber, Adobe and thousands of people around the globe. I’m now working on Guard, an AI that fights for your digital privacy. Follow me on Twitter and Instagram to stay up to date and see behind the scenes!

Spamming on Facebook: advanced techniques

Apr 26, 2016  ·  2 min read

Just kidding, it’s not advanced. It couldn’t be more freaking far from fine engineering. But hey, it works. They have discovered a new “security flaw” (not really, more like an “out of my jurisdiction” scenario), and they’re exploiting it to spam on your Facebook profile.

Or maybe not yours, if you’re sharp enough, but I’ve been seeing stuff like this on my timeline for a few months:

I’ve only seen it in Spanish posts, so translations will be provided

Hmm, that’s weird. That person would never comment “lovely”, much less on a post like this one. Let’s see what it is.


What? Why should I prove I’m a human to enter a stupid blog post? There’s something smelly about this site.


And no, it’s not only that they didn’t even have the decency to remove the default WordPress tagline. Let’s check the full URL, what’s that thing at the end?


That’s definitely smelly. So, a “regular” blog post URL should look like this:


Or something along these lines. What we find at the end here are two parameters the URL is carrying, additional information that the site is using. More precisely:

fb_action_ids = some id
fb_action_types = og.comments

Basically, it suggests that the Facebook user/app to which that “action ID” belongs is trying to submit an action of type “comments”. Wat.

Let’s inspect that smelly “human verification” text box…


Just what I was expecting. That’s no human verification form. That is an iframe, an external resource embedded in the website. And it seems to be from some “Facebook Social Plugin”. There is also a log message in the JavaScript console, indicating they have some kind of visit-tracking system. Shoddy work here.

In a nutshell: they have disguised a Facebook Comments box as a humanity verification box: when you click “Enter”, you actually submit that comment on that post using your Facebook account.

What happens next is that Facebook tracks that activity and automatically posts it on your friends’ timelines. What struck me the most is that it leaves no trace in your FB Activity Log.


So, there’s no way of deleting the comment I just posted. Profit for the spammer, shame for Facebook.

And that’s pretty much it. The reason I do this is because I strongly believe that running a “business” based on fooling and tricking your users/customers is just fucking not okay. It’s rotten, unfair and shows an absolute lack of a winner mentality (apart from being probably illegal, morally questionable, non-profitable and an endless list of nice things to describe it).

Plus, as with any other “security flaw”, I just wanted to uncover it so that users can be aware of it, not only malicious people, and therefore protect themselves against it. Hopefully even Facebook notices it and fixes it.

Be careful, intrepid Facebook users. Not everything is as it seems out there.


PS: Pro tip: run a whois query on the domain name; you’ll even get the personal number of the guy running that shit.
