What’s A Faster Way To Get A Virus Than Browsing Porn? That’s Right: The New Facebook

Quit staring, it’s just a thumb.

Facebook has never been known for its safety. It is a site designed so that the least Internet-savvy people out there can sign up and network with millions of other people, both those they know and those they don’t, with only a minimal amount of technical know-how required (i.e. how to sign up and how to browse). It is a giant playground filled with games and people to talk to from all over the world, luring in droves of people who, when they come, know nothing about “scareware” or “phishing scams”, or even how to clean a virus from their machine if they get one. Sure, they’ve been told that if they visit porn sites they could very well get a virus, but hey, this is Facebook, everyone is on Facebook… it must be safe. The result is a gigantic community of gullible marks just waiting to be exploited or infected by scammers and hackers.

That is why a couple of years ago I wrote a post on how to prevent getting hacked on Facebook (as well as on Twitter or Myspace). I happen to have quite a few friends and family who are not highly knowledgeable when it comes to the Internet, and through talking to them I came to realize that many people were simply not aware of some of the things I take for granted. In the article I went into depth on some of the very basics of Internet security, such as what the address bar in the browser is, and how you need to be sure you are actually on the site you think you are on. That one simple tip could have saved millions of victims of phishing scams, had they just known where to look. Now, some fucking moron developer employed by Mark Zuckerberg has gone and rendered that advice pretty much pointless, at least as far as Facebook is concerned.

For those of you who own WordPress blogs, you are probably aware that if you get hacked, one of the biggest dangers to your readers is the iframe hack. For those of you who don’t, or who are not familiar with HTML, an iframe is an element on a webpage that allows you to embed a second webpage inside it. It’s very common and a perfectly normal feature of HTML. Iframes in and of themselves are not dangerous. Google AdSense, when shown on a webpage other than Google, is in an iframe. The same goes for Facebook “Like” buttons. So when you visit a page that has either of those, you are visiting Google or Facebook at the same time. The important thing for webmasters to note is that you only ever embed iframes from sites you trust. The reason this is so crucial is that once you embed an iframe from a site other than your own, you have no control whatsoever over what content is served from that iframe to your visitors. None. Nada. Zilch.

The reason hackers like using iframes is that it allows them to serve malicious code and viruses to people while they are visiting sites that they trust. If you are browsing some seedy sites and popups show up telling you to click on a link or that you might have a virus, you are much less likely to believe them. It’s simple psychology: your guard is already up. This is much less true if you are on a site you visit every single day with no problems.

Apparently I missed it when it happened, but a couple of months ago some genius programmer at Facebook decided to introduce a way for people to embed iframes in Facebook Pages. I only found out about it myself when I discovered one of these pages yesterday. It was a link on a friend’s wall purporting to show pics of Osama bin Laden dead. I could tell right away that it was a scam, so I went to see just how potentially damaging it was. The first thing that struck me was that this was a page actually on Facebook itself, although it was giving instructions to enter a series of keyboard commands, as if there were JavaScript it was trying to get you to trigger. I moused around a bit and realized there were some hidden forms on the page, which was really odd, so I went ahead and turned off all styles on the page. That’s when I saw what was going on. This is what the page looked like with normal styles turned on:

Facebook page with iframe (click to enlarge)

Clicking that button then revealed these instructions:

Facebook page with iframe instructions

What was not revealed, however, was the hidden <textarea> containing JavaScript code that would then be fired if you did follow those instructions:

This causes a script to be injected from a domain owned by some hacker, themafiafamily.net, and it’s all downhill from there.
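As an added example (not code from the original post or from Facebook), here is a defender-side scanner for the two warning signs described above: iframes pulled from a host outside an allow-list, and hidden textareas holding JavaScript meant to be pasted by the user. The sample HTML and the attacker.example host are constructed, and the pattern list is an assumption, not an exhaustive one.

```python
# Added example: flag iframes sourced from hosts outside an allow-list and
# hidden <textarea> elements holding JavaScript meant to be pasted by the
# user, the two warning signs from the post. Heuristics are assumptions only.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
PAYLOAD_PATTERNS = [
    re.compile(r"^\s*javascript:", re.I),                          # address-bar URL
    re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I),  # dynamic <script>
]

def _is_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style or "hidden" in attrs

class PageScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []      # (kind, detail) tuples
        self._textarea = None   # [hidden?, text chunks] while inside <textarea>
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            host = (urlparse(a.get("src") or "").hostname or "").lower()
            if host and host not in self.allowed:
                self.findings.append(("third-party-iframe", host))
        elif tag == "textarea":
            self._textarea = [_is_hidden(a), []]
    def handle_data(self, data):
        if self._textarea is not None:
            self._textarea[1].append(data)
    def handle_endtag(self, tag):
        if tag == "textarea" and self._textarea is not None:
            hidden, chunks = self._textarea
            text = "".join(chunks)
            if hidden and any(p.search(text) for p in PAYLOAD_PATTERNS):
                self.findings.append(("hidden-script-payload", text[:40]))
            self._textarea = None

def scan_html(html, allowed_hosts=("facebook.com", "www.facebook.com")):
    scanner = PageScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; attacker.example is a placeholder, not the real domain.
SAMPLE = ('<iframe src="http://attacker.example/app"></iframe>'
          '<textarea style="display: none">javascript:void(0)</textarea>'
          '<textarea hidden>var s=document.createElement("script");</textarea><textarea>plain text</textarea>')
```

Run `scan_html(SAMPLE)` to get one third-party-iframe finding and two hidden-script-payload findings; the visible textarea is not reported.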

Of course, odds are pages like this won’t stay up for too long when they are created. There is a way to report them, and Facebook will eventually take them down once they investigate. However, there is no way to report them in a way that gets them dealt with in a timely manner. There is no “This page is hacking users” option. In fact, if you look at the “Like” counter on that page you can see that it had already hit over 109,000 people by the time I saw it, and who knows how many more before Facebook bothered to respond to the reports about it. Additionally, there is nothing stopping a hacker from running a legitimate page for a few weeks, attracting millions of people, and then deciding to hit them all with a virus afterwards.

The bottom line is that Facebook’s failure to address these issues and remove the ability to embed iframes borders on negligence. Currently the FTC goes after companies and organizations that do not adequately protect their users’ data:

Since 2001, the FTC has brought 34 law enforcement actions against businesses that allegedly failed to protect consumers’ personal info.

Maybe they should start taking a look at companies that don’t adequately protect the actual users as well.

Thumb (yes, it’s a thumb) in condom image attribution goes to figleaf.

8 thoughts on “What’s A Faster Way To Get A Virus Than Browsing Porn? That’s Right: The New Facebook”

  1. Facebook are taking way too long to sort out the security issues within their development framework, and based on what you say, not only are they NOT fixing it, but rather they are making it worse. It’s true that a lot of FB users are internet newbs, my parents are a prime example, I have to go to their house once a week and supervise their FB time, cos I just know they will get nailed. The FB dev team need to get off their collective fat asses and sort this shit the fuck out!

  2. Hi, thanks for explaining iframes and their potential dangers. I really hope that most of your readers aren’t going to be pressing Control-C and ALT-D when a random website tells them to, but I already know from dealing with my parents (and lots of people my own age, too) that you can’t assume any level of computer knowledge with the general public. This is really good to know. I guess I just wish I knew how we could all get together to educate people, get them to develop some common sense about these things. I mean, without making everybody scared to use Facebook?

    Harlen

  3. Facebook scares me. Between reading this and their face recognition feature, I think I’m staying away. It will be interesting to see what happens next with FB and China. – frederick sallaz

