I see little red icon pop up in my notification bar. I click. Spam. Bummer. Just another day on the Internet.
The Internet as a deli
Server-side programming
The sandwich maker grabs the bread, cheese, veggies and condiments and puts them together, much like a web server grabs pictures, text and links and assembles them into a webpage for you.
Client-side programming
Maybe you don’t like pickles. Instead of ordering a new sandwich, you ask for spinach to replace them, and the sandwich maker hands it to you. It ends up being a lot less work for the sandwich maker – they didn’t have to make an entirely new sandwich. This is called AJAX – the client (you) asks for only a small piece of content to switch out, saving work for everyone.
But seriously, why do we have these spammy exploits rolling through our newsfeeds? I’ve seen two different ones in the past week or so. From a tech standpoint, they’re pretty nifty, but the security implications are, obviously, far from positive. I’m no expert, but here’s a little of my insight into what’s going on.
Here’s the wall post I got: (name and profile picture removed)
The “==VERIFY MY ACCOUNT==” link is not a normal link. Instead, it’s a JavaScript bookmarklet. Bookmarklets execute third party code in the page, normally to add features from other sites, such as Instapaper for bookmarking.
@@ JavaScript is a client-side programming language. (Read: it’s code that runs in your browser.) The complement is server-side code, which assembles the page that is sent to your computer. A lot of websites use JavaScript to modify the page after it’s downloaded, instead of downloading a new page entirely. When you see a site replace only part of a page, it’s using client-side scripting to do it (usually JavaScript). @@
Normally, only the website that sends you the page gets to put JavaScript in the page. If someone else could, they could control pieces of the page and access information. These exploits get around that restriction and inject code into your Facebook page. This usually takes a click on the offending piece of code. In this case, the “Verify My Account” link pulls in the attacker’s code and runs it.
Facebook uses this technology to do nearly everything – any code running on the page can pull your friends list, send a message, make a wall post, etc. It’s a very slick user experience, but it obviously has its issues.
I’m not sure if there’s any way to prevent certain JavaScript from running (like these exploits) while keeping the good stuff from Facebook running.
At the very least, it seems like they shouldn’t allow bookmarklets to get onto user pages.
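As an added example (not code from the original post or from Facebook), here is one way a site could enforce that idea: check the scheme of every link in a submitted post the way a browser will read it, and neutralize anything that is not on a short allow-list. The allow-list, the entity table and the sample post are assumptions made for the example.

```javascript
// Server-side check that keeps bookmarklet-style links (javascript: and other
// script schemes) out of user-submitted posts. The scheme test mirrors how a
// browser reads a URL: entities are decoded, leading/trailing controls and
// spaces are dropped, tabs/newlines are removed, and the scheme is compared
// case-insensitively, so "JaVaScRiPt:", "java\tscript:" and "javascript&#58;"
// are all caught. Anything not on the allow-list (assumed here) is blocked.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', colon: ":",
                         tab: "\t", newline: "\n" };

// Decode the HTML entities a browser would decode inside an attribute value.
function decodeEntities(s) {
  const fromCode = (n) => (n > 0x10ffff ? "" : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&([a-z]+);/gi, (m, name) => NAMED_ENTITIES[name.toLowerCase()] ?? m);
}

// Normalize the way the URL parser does before it looks at the scheme.
function normalizeHref(href) {
  return decodeEntities(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// True only for relative links or links whose scheme is on the allow-list.
function isSafeHref(href) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeHref(href));
  if (!m) return true; // no scheme: relative to the site's own origin
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Neutralize every <a href="..."> in a post body that fails the check.
// Regex matching keeps the example self-contained; production code should
// walk a real DOM so that attribute parsing is exact.
function sanitizePostLinks(html) {
  return html.replace(/<a\b([^>]*?)\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')([^>]*)>/gi,
    (whole, before, dq, sq, after) =>
      isSafeHref(dq ?? sq) ? whole
                           : `<a${before}href="#" data-blocked-href="removed"${after}>`);
}

// Constructed sample wall post containing a bookmarklet-style link.
const SAMPLE_POST =
  '<p>Your account needs review. <a href="javascript:void(0)">==VERIFY MY ACCOUNT==</a>' +
  ' or read the <a href="https://example.com/help">help page</a>.</p>';
```

Running `sanitizePostLinks(SAMPLE_POST)` leaves the https link alone and replaces the javascript: link with an inert `href="#"`.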
While it looks like the piece of code isn’t doing anything too malicious, it could potentially access a lot of information.
If you’re curious, here’s the code that gets pulled in and does the spamming: