I just saw a link on Facebook that I somehow had to interact with – it featured a not-that-dressed girl and said “Wanna C Something Hot?”/“Want 2 C Something Hot?” or variations of this. Well, clicking the link sent me to an external site featuring a single button and the same image urging me to click it. When I clicked, I ended up on some porn site. But why would several of my friends post links to this site, which incidentally sent me to a porn site? Well, as I soon after saw on Facebook, I had just posted the same link on my wall for all my friends to see. How?
It is a “simple” case of “click-jacking”: the site tricks you into clicking a Facebook share button, but disguises it as some other button. Please read on for a full description.
UPDATE 2009-12-2: “Press the button or dog dies”/“Push the button or this dog dies” (located at pressthebuttonordogdies.com, but don’t go there) is a new site of the same kind. The target website is “thisblogrules.com” and the details are slightly different, but the mechanism is the same.
Furthermore, I have used bit.ly to track how often these links have been used so far on Facebook – the numbers are pretty telling: the “hot” girl has been shared almost 59,000 times and the poor dog has been shared 5,309 times as of this writing. You can see the direct stats from the Facebook link.getStats API here: Something Hot and Or Dog Dies
The original post looked like this (taken from my own feed):
The page it linked to was http://3dvv.com/somethinghot/ (don’t go there, nothing to see) and looked like this:
When you press the “button”, what you actually press is this (shown here with the iframe’s opacity set to 1 instead of 0, so that it is visible):
The trick is that they reuse Facebook’s own page for sharing a link (safe to visit, just don’t actually press the share button): http://www.facebook.com/share.php?u=http://3dvv.com/somethinghot/. They load that page inside an iframe on http://3dvv.com/somethinghot/ngr.php (no need to visit), offset by exactly the right negative amount to the left and to the top so that only the share button remains visible in the corner, which simply looks like:
If we remove the size constraints on this page, we can see the whole bottom corner of Facebook’s share page, like this:
Well, this is not all. After a link has been shared, Facebook would normally redirect the page to its own follow-up page, which would give the game away. To avoid that, the page with only the share button visible is itself wrapped in yet another iframe, and that outer page intercepts the redirect Facebook issues and replaces it with its own redirect to the actual target (porn) site.
All in all, it is a very clever albeit strictly illegal way of using the Facebook sharing functionality for viral spamming purposes.
What can you as a user do about it? Not much. Only click “links” on foreign pages that you know for sure are legitimate, and don’t assume that your friends really posted what appears under their name. But it is hard to protect against on the user’s side. It really is Facebook’s job, as the site being framed, to make sure this cannot happen, by refusing to let its share page be displayed inside a frame on someone else’s site.
Please share this with everyone!
Update 2009-11-24: Several sites report this as an example of CSRF/XSRF (Cross-Site Request Forgery), most of them citing this AVG blog post as their source. Not that it matters much, but it is not XSRF – it is clickjacking. The difference is subtle, but it matters because the countermeasures are very different: an anti-CSRF token does nothing here, since the click lands on Facebook’s genuine share page (complete with its own token), whereas a page that refuses to be displayed inside a frame cannot be clickjacked at all.