Just kidding, it’s not advanced. It couldn’t be more freaking far from fine engineering. But hey, it works. They have discovered a new “security flaw” (not really, more like an “out of my jurisdiction” scenario), and they’re exploiting it to spam on your Facebook profile.

Or maybe not yours, if you’re sharp enough, but I’ve been seeing stuff like this on my timeline for a few months:

[Image: fb-spam-post-blurred]
I’ve only seen it in Spanish posts, so translations will be provided

Hmm, that’s weird. That person wouldn’t ever comment “lovely”, much less on a post like this one. Let’s see what it is.

[Image: fb-spam-human-verification.png]

What? Why should I prove I’m a human to enter a stupid blog post? There’s something smelly about this site.

[Image: fb-spam-wp-tagline]

And no, it’s not only that they didn’t even have the decency to remove the default WordPress tagline. Let’s check the full URL: what’s that thing at the end?

[Image: fb-spam-url-parameters.png]

That’s definitely smelly. So, a “regular” blog post URL should look like this:

http://mygreatblog.com/whatever/post-title

Or something along these lines. What we find at the end here are two parameters the URL is carrying, additional info that the site is using. More precisely:

fb_action_ids = some id
fb_action_types = og.comments

Basically, it suggests that the Facebook user/app to which that “action ID” belongs is trying to submit an action of type “comments”. Wat.

Let’s inspect that smelly “human verification” text box…

[Image: fb-spam-iframe.png]

Just what I was expecting. That’s no human verification form. That is an iframe, an external resource embedded in the website. And it seems to be from some “Facebook Social Plugin”. There’s also a log message in the JavaScript console, indicating they have some kind of visit tracking system. Shoddy work here.

In a nutshell: they have disguised a Facebook Comments box as a humanity verification box: when you click “Enter”, you actually submit that comment on that post using your Facebook account.
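A small checker for the two fingerprints described above (the fb_action_* parameters on the landing URL, and a Facebook social plugin embedded in an iframe), written as an added example that is not part of the original post. The sample URL and HTML are constructed, and the assumption that plugin iframes are served from facebook.com under a /plugins/ path is mine, not something the post states.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# The two fingerprints from the post: Open Graph action parameters on the
# landing URL, and a Facebook social plugin (the comments box) in an iframe.
FB_ACTION_PARAMS = {"fb_action_ids", "fb_action_types"}
# Assumption: plugin iframes are served from facebook.com under a /plugins/ path.
FB_PLUGIN_HOSTS = {"facebook.com", "www.facebook.com"}

def og_action_params(url):
    """Return the fb_action_* query parameters a URL carries, if any."""
    qs = parse_qs(urlparse(url).query)
    return {k: v for k, v in qs.items() if k in FB_ACTION_PARAMS}

class PluginIframeFinder(HTMLParser):
    """Collect every <iframe> whose src points at a Facebook social plugin."""
    def __init__(self):
        super().__init__()
        self.plugin_iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        src = dict(attrs).get("src", "")
        parsed = urlparse(src)
        if parsed.netloc.lower() in FB_PLUGIN_HOSTS and "/plugins/" in parsed.path:
            self.plugin_iframes.append(src)

def audit(url, html):
    """Report what the post describes: an og.comments action id on the landing
    URL plus an embedded Facebook comments plugin, i.e. a disguised comment box."""
    findings = []
    if og_action_params(url).get("fb_action_types") == ["og.comments"]:
        findings.append("landing URL carries an og.comments action id")
    finder = PluginIframeFinder()
    finder.feed(html)
    for src in finder.plugin_iframes:
        findings.append("Facebook social plugin iframe embedded: " + src)
    return findings

# Constructed sample: the "human verification" box is really a comments plugin.
SAMPLE_URL = ("http://example-blog.invalid/whatever/post-title"
              "?fb_action_ids=1234567890&fb_action_types=og.comments")
SAMPLE_HTML = """<div class="verify"><p>Please verify you are human:</p>
<iframe src="https://www.facebook.com/plugins/comments.php?href=http%3A%2F%2Fexample-blog.invalid%2Fwhatever%2Fpost-title"
        style="height:60px;overflow:hidden"></iframe></div>"""

if __name__ == "__main__":
    for line in audit(SAMPLE_URL, SAMPLE_HTML):
        print("FLAG:", line)
```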

What happens next is that Facebook tracks that activity and automatically posts it on your friends’ timelines. What struck me the most is that it leaves no trace in your FB Activity Log.

[Image: Screen_Shot_2016-04-26_at_16_39_32]

So, no way of deleting the comment I just posted. Profit for the spammer, shame for Facebook.

And that’s pretty much it. The reason I do this is because I strongly believe that running a “business” based on fooling and tricking your users/customers is just fucking not okay. It’s rotten, unfair and shows an absolute lack of a winner mentality (apart from being probably illegal, morally questionable, non-profitable and an endless list of nice things to describe it).

Plus, as with any other “security flaw”, I just wanted to uncover it so users can be aware of it, not only malicious people, and therefore protect themselves against it. Hopefully even Facebook notices it and fixes it.

Be careful, intrepid Facebook users. Not everything is as it seems out there.
PS: Pro tip: run a whois query on the domain name; you’ll even get the personal number of the guy running that shit.
