
Ingenious Hack by Facebook Spammers: Smoking Hot Bartenders - jgv
http://www.liquidrhymes.com/2010/08/25/smoking-hot-bartender-is-some-smoking-hot-facebook-spam/
======
ax0n
It's clickjacking. That was 2008. This is clickjacking with a like button. I
wrote about it in early June (
[http://www.h-i-r.net/2010/06/viral-like-jacking-on-facebook.html](http://www.h-i-r.net/2010/06/viral-like-jacking-on-facebook.html)
) and it was already somewhat old-hat by then. In fact, I think I covered the
same technical details this person did.

It's not really ingenious. It's just scammy behavior and yet another fine
reason to run NoScript.

~~~
points
NoScript isn't a good solution and certainly not a scalable one - most people
don't want to browse without js.

It'd be better for browser makers to simply detect clickjacking and block it.

If an element isn't visible to the user (either partially visible or behind
other elements), that's probably a good sign it shouldn't be able to receive
user actions such as clicks. _Especially_ if it's an iframe.

I hope firefox+chrome do some work on this soon.

~~~
jrockway
NoScript is a specific Firefox extension, not general advice to turn off
Javascript. NoScript lets you whitelist trusted Javascript, so when you visit
that spam site, its Javascript doesn't run. Meanwhile, when you visit omg-
animated-lolcats-yay.com, you notice that the lolcats aren't omg-animated, so
you click one button to whitelist the Javascript, and then you get your omg-
animated-lolcats forever. Yay!

~~~
points
>> "so you click one button to whitelist the Javascript"

It's amazing how quickly 'click one button to be able to view this website'
would irritate the hell out of anyone.

It's certainly an option for geeks or security freakouts, but not really an
option for normal people.

Also how would a 'normal' person decide if a website is 'safe' to enable js or
not? If you're the kind of person fooled into clicking for 'hot bartenders'
and filling out a survey to get access, you're probably not able to decide if
you should enable js or not.

The solution isn't to shift responsibility to users, it's to fix the browser
flaws that allow clickjacking to happen.

The example given here should be a textbook easy-to-fix bug in browsers. It's
a browser issue which should be high priority.

An iframe which isn't visible to the user should not be able to receive input
from the user.

~~~
SamReidHughes
> It's amazing how quickly 'click one button to be able to view this website'
> would irritate the hell out of anyone.

Back when I experimented with manually authorizing cookies on all websites I
visited, it was surprising how quickly the number of cookie prompts dropped to
near-zero. There really aren't that many websites that you visit.

~~~
farmerbuzz
What software did you use for this? I have tried a few cookie blocking
extensions for Firefox but haven't found a good one.

Also I notice you say "Back when I experimented..." -- was there a reason it
didn't work out in the end?

~~~
SamReidHughes
I was using Konqueror then. The experiment ended when I got another computer
or something.

------
patio11
tangentially related: I do not know if people have figured this out yet:
liking something gives them permission to write to your status feed. I think
after that gets widely understood people will be less promiscuous with the
thumbs up, because it will be associated with being spammed to heck.

I have done this to myself, incidentally, because I did not believe the doc
that said it was possible.

 _If you include Open Graph tags on your Web page, your page becomes
equivalent to a Facebook page. This means when a user clicks a Like button on
your page, a connection is made between your page and the user. Your page will
appear in the "Likes and Interests" section of the user's profile, and you
have the ability to publish updates to the user. Your page will show up in
same places that Facebook pages show up around the site (e.g. search), and you
can target ads to people who like your content._

~~~
DanielBMarkham
Worse yet, if your friends like something or run an app, they can get to your
personal information because your friend has endorsed something.

This means either cutting your friends out of your private data, selecting
your friends based on their computer savvy, or being as vulnerable as the most
insecure of them.

I say again: Facebook is the devil. It's a brilliant platform that should
continue to grow for years. It uses your own friends to make you do things you
would not normally do (like join). As a platform it has no other goal than
total domination of the net.

~~~
kingsley_20
Simply liking something does not let a developer get access to your friend
list. You will have to give the app at least basic permission (aka
"run/install", which will share your friend names and uids) or extended
permissions will get you friends' feeds, statuses, birthdays, contact details
etc. But extended perms have really poor conversions, so most spammers don't
go that far.

Only a matter of time before that gets clickjacked though.

------
jacquesm
Ever since a facebook widget showed the names of a bunch of people I know on
the right-hand side of an unrelated website I've stopped going there. I logged
out of facebook and I haven't logged in since then. I'd much prefer it if they
stayed within their 'boundaries of expected online territory', and to see them
popping up on sites that I normally visit but that I do not associate with
facebook at all was enough to push me over the edge.

I'm sure that plenty of people couldn't care less, but I think it's a creepy
thing.

------
tlrobinson
Clickjacking (the name of this exploit) is one reason many sites have frame-
busting JavaScript.

Of course the whole point of the Facebook "Like" button is to be embedded on
other websites, so frame busting is out of the question. I'm not sure if
there's a quick fix for this. Browsers need to disallow clicking of
transparent iframes.
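The two defences the comment above touches on, written out as an added example (this is not code from the thread, from Facebook, or from any site it mentions): a frame-busting check of the kind many sites shipped as JavaScript, and the response headers that let the browser itself refuse to render a page inside a foreign frame. The origins (`https://www.example.com`, `https://attacker.example`) and the fake `window` objects are constructed here so the logic runs under Node without a browser.

```javascript
'use strict';
// Added example, not from the original thread. Defensive side of clickjacking:
// (1) a classic script-based frame-buster and (2) header-based protection.

// True when `win` is rendered inside a frame whose top-level origin is not on
// the allow list. `win` mirrors a browser window (self, top, location); it is
// passed in so the same logic can be exercised with constructed fakes.
function isHostileFraming(win, allowedOrigins) {
  if (win.top === win.self) return false;          // not framed at all
  let topOrigin;
  try {
    // In a real browser, reading top.location across origins throws a
    // SecurityError; the framed page cannot learn who is framing it.
    topOrigin = new URL(win.top.location.href).origin;
  } catch (err) {
    return true;                                    // unknown ancestor: assume hostile
  }
  return !allowedOrigins.includes(topOrigin);
}

// Classic frame-buster: navigate the top window to our own URL so the page is
// no longer sitting underneath someone else's overlay. Returns true if fired.
// Assigning top.location is permitted cross-origin even though reading is not.
function bustFrame(win, allowedOrigins) {
  if (!isHostileFraming(win, allowedOrigins)) return false;
  win.top.location = win.self.location.href;
  return true;
}

// Header-based protection: enforced by the browser before any page script
// runs, so the framing page cannot interfere with it. X-Frame-Options (IE8+,
// 2009) only expresses DENY / SAMEORIGIN; Content-Security-Policy
// frame-ancestors (CSP Level 2) accepts a list of origins. An empty allow
// list means nobody may frame the page.
function frameProtectionHeaders(allowedOrigins) {
  if (allowedOrigins.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  return {
    'Content-Security-Policy': `frame-ancestors 'self' ${allowedOrigins.join(' ')}`,
  };
}

// Constructed stand-in for the top-level window. href === null models a
// cross-origin ancestor: location is unreadable but still assignable.
function fakeTop(href) {
  return {
    navigatedTo: null,
    get location() {
      if (href === null) throw new Error('SecurityError: cross-origin top');
      return { href };
    },
    set location(url) { this.navigatedTo = url; },
  };
}

// Constructed stand-in for the framed page's own window. Omit topHref for an
// unframed page (top === self).
function fakeWindow(selfHref, topHref) {
  const self = { location: { href: selfHref } };
  const top = topHref === undefined ? self : fakeTop(topHref);
  return { self, top, location: self.location };
}

// Stand-alone demonstration (constructed scenarios).
const PAGE = 'https://www.example.com/article';
const ALLOWED = ['https://www.example.com'];
const scenarios = {
  unframed: fakeWindow(PAGE),
  framedBySelf: fakeWindow(PAGE, 'https://www.example.com/home'),
  framedByStranger: fakeWindow(PAGE, 'https://attacker.example/hot-bartenders'),
  framedCrossOriginUnreadable: fakeWindow(PAGE, null),
};
for (const [name, win] of Object.entries(scenarios)) {
  console.log(name, '-> bust:', bustFrame(win, ALLOWED));
}
console.log(frameProtectionHeaders([]));
console.log(frameProtectionHeaders(ALLOWED));
```

The script-based check is only a fallback: it runs inside the framed document, so it is at the mercy of how that document is loaded, whereas the headers are honoured by the browser regardless. In practice a site sets the headers and keeps the buster, if at all, for browsers that predate them.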

------
abalashov
I got p0wned earlier today by the same sort of chat-bot/spam exploit I've been
seeing from some of my friends.

As a Chrome user on Linux, and a pretty much lifelong user of Linux on the
desktop, I am rather unaccustomed to being the victim of such exploits, so I
didn't immediately know what to do. This one appears to be purely browser/JS-
based and/or perhaps exploits some weakness in the Facebook API.

It started when a (presumably "infected") friend of mine posted on my wall. It
looked to be just text, but presumably contained a trigger for this exploit.
Anyway, within seconds, somehow, unbeknownst to me, I was apparently
initiating chat conversations with every friend who was online "asking," "Do
you have a second?" When they would reply "yes?", I would blast them with some
bullshit quiz/test site link, which I can only assume is a phishing farm.

Anyway, this continued relentlessly so long as I was logged into the site (and
possibly when I wasn't, never definitively established that) until it occurred
to me to change my Facebook account password, after which it - knock on wood -
seems to have stopped.

Does anyone have any idea how this exploit works? It caught me rather off-
guard because I expected that sort of thing to be the work of viruses and/or
malware on Windows. I would guess that my password was somehow phished out,
after which some foreign agent logged into the Facebook messenger as me
externally (quite possible to do, numerous IM clients now support the Facebook
messenger protocol) and went nuts, but I can't be sure.

~~~
lftl
It sounds like a script injection, but that would be a pretty big flaw in FB
and 1) Would spread pretty fast 2) Would be picked up by FB pretty quickly as
well.

------
po
We've seen this kind of scammy stuff before, where people overlay a
transparent div on top of another div. This is the first time that I've seen
them attach to the cursor and follow it around.

Other than keeping your browser logged out of facebook at all times, what's
the protection against this?

~~~
NathanKP
The only possible protection that I can think of would be for Facebook to
require confirmation when someone likes a page. Essentially it would redirect
the user to Facebook where they would see a page that says "Are you sure you
want to like ______?" Then, after they agreed, it would redirect them back to
the original site. However, this would be highly undesirable for people who
use the Facebook like button, because it could siphon away potentially
valuable visitors who appreciated the site enough to like it.

Another option might be for Facebook to ban likes on a domain basis. If a
domain is using spammy techniques like this then ban it from being liked by
anyone. Of course that means more overhead and moderation.

I don't think there is a good solution to this, only workarounds.

~~~
potatolicious
What about forcing embedding sites to load a FB JS file, such that a standard
Facebook confirm dialog pops up? This way the user doesn't navigate away from
the site but some level of confirmation is made.

~~~
pak
If the dialog pops up and is not within an <iframe>, then the page can
simulate a click on the confirm button. Even if the JS library uses an
<iframe>, it can always be reverse engineered to not use one, and the user
won't know because iframes are not obvious to the user. The way above, where a
new page is opened with the Facebook URL clearly displayed in the browser
address bar, is the only way for Facebook to ensure that likes are legit short
of putting CAPTCHAs next to the like buttons. Oh, and users never check the
address bar anyway.

~~~
lftl
I don't see how reverse engineering to not use an iframe would help.
Presumably Facebook would have some type of check on the iframed like page
that ensures that the request is actually coming from FB. How would an
attacker recreate an iframed page they don't have access to?

~~~
chopsueyar
Subdomains and DNS mods with a proxy?

------
barrkel
It's because of crap like this that I only browse sites like Facebook from a
secondary browser, Chrome in my case. On Firefox, I'm not even logged in to
Facebook, to minimize the amount they can learn about me with their Like
stuff.

~~~
tuacker
Likewise, I only check Facebook on my phone. There are some exceptions but I
always use Incognito mode for those.

------
charlesju
The question I have is how do these guys plan to make money off this scam?
There doesn't seem to be any ads on this page or any affiliate pages.

~~~
charlesju
lol no one knows? that's fishy

------
novum
This has been a known vulnerability since at least July 13. Interactive demos:
<http://erickerr.com/like-clickjacking>

This would appear to be (among?) the first malicious use of the like-jacking
vulnerability.

~~~
jacquesm
If that matches your definition of malicious you've led a protected life
style!

------
ubernostrum
A few of these have been floating around for at least the past couple months.
One of my friends clicked through and ended up "liking" some picture of a
stupid tattoo, and earned an educational lecture from me as his reward.

------
doron
I actually clicked on the page, following my girlfriend's Facebook.

But I was protected due to the ever useful Adblock extension. Probably the
best plugin out there, the easiest method to fire and forget about annoying
web elements.

~~~
shadowflit
Agree there! When the like button started spawning everywhere, I consulted the
internal annoy-o-meter and determined that the best solution would be to block
the button.

------
barryaustin
I avoid this by keeping my core apps in Chrome/Chromium and by browsing
everything else with Firefox+NoScript+ABP.

------
duck
And the slippery slope begins...

