Friday, May 21, 2010

Long Facebook "Page" Names: What Are They?

Yesterday I began to notice what appeared to be fan pages with extremely long names that people had "liked" scattered throughout my news feed. I refrained from clicking the "like" button next to them, but many of my friends did not. After the jump is an explanation of what exactly these are, and why I believe they could be a problem.


At first I, and many others, believed these to be fan or community pages that had simply been created with very long names. This bothered me, because they seemed to have first shown up in my news feed yesterday, and I wondered why such long page names had never appeared before. Being able to create such a long page name felt like a potential avenue for abuse: someone could craft one that causes problems for users (i.e. craft it to contain malicious code). Issues like this have been found all over the web, wherever websites do not properly sanitize user input (allowing people to put code in places they shouldn't be able to).


The issue seemed even worse when several people told me that when they clicked on the long names, instead of being sent to a page on the Facebook site, they were sent directly out to the web without warning. Many told me they had clicked "like" on Facebook, then changed their minds and wanted to "unlike" the page, so they clicked the link and were unable to do so because they did not land where they expected.


So, what exactly is going on here? Has Facebook allowed people to insert HTML code into their page names? Is there a new page setting so that it will send you directly to a page's official website?


The answer to these questions is no. What appear to be "fan pages" in our news feeds are not fan pages at all. After digging into this, I've found that these items are in fact produced by people clicking Facebook's new "like button for the web" on outside websites. When this new feature for content creators was first introduced, many privacy advocates took issue with it from the start, because it allowed Facebook to see more closely what its users were doing around the web and tie it all back to Facebook for advertising or any other purpose.


So the problem isn't people crafting special page names to send you to outside websites; the item is simply not a page on Facebook at all. The problem remains, however, that these links do not show the traditional warning message that the link you've clicked will take you to a site not run by Facebook. I still believe this can, and will, lead to abuse, as I have not seen any documentation on Facebook policing these links.


I have no doubt that if people complained to Facebook that a page was sending people to a phishing site or malware, Facebook would remove the offending links and blacklist the site (I have found no documentation yet on whether sites can be blacklisted from using the "like" button), but it seems that such a link could run until someone complains, leaving anyone who falls victim before the complaints to suffer the consequences.


Now, in my news feed, the majority of these links led to the GivesMeHope and OMG Facts websites, and the URL shown when the links were hovered over clearly showed this, but I know that not everyone will check the URL before they click a link, because we all like to assume that we aren't being sent somewhere malicious. Since it has been shown time and time again that the internet does have people with bad intentions on it, I really do see this as a potential vector for abuse, and I believe Facebook should take some measures to help protect its users from this before it becomes a problem.
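The check the post asks for, as an added example that is not code from the post or from Facebook: classify each feed link by its destination host, so that anything leaving the site is routed through a "you are leaving" page instead of jumping straight out. The site host, the `/leaving?u=` interstitial path and the sample hrefs are constructed assumptions.

```javascript
// Added example (not from the post or from Facebook): classify feed links so
// that anything leaving the site gets the interstitial warning the post asks for.

// True when hostname is siteHost itself or a subdomain of it.
// The "." prefix stops "notfacebook.com" matching "facebook.com".
function isSameSite(hostname, siteHost) {
  const h = hostname.toLowerCase();
  const s = siteHost.toLowerCase();
  return h === s || h.endsWith("." + s);
}

// Returns "internal", "external" or "blocked" (non-http(s) scheme or unparsable).
// Relative hrefs resolve against the site, so "/pages/foo" is internal.
function classifyLink(href, siteHost) {
  let url;
  try {
    url = new URL(href, "https://" + siteHost + "/");
  } catch (e) {
    return "blocked";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "blocked";
  // URL parsing drops userinfo, so "https://www.facebook.com@evil.example/"
  // has hostname "evil.example": a lookalike prefix does not fool the check.
  return isSameSite(url.hostname, siteHost) ? "internal" : "external";
}

// Rewrite an external href to go through a constructed interstitial path
// ("/leaving?u=...") that shows the destination before navigating; internal
// links pass through untouched and blocked ones become inert.
function routeLink(href, siteHost) {
  const kind = classifyLink(href, siteHost);
  if (kind === "internal") return href;
  if (kind === "blocked") return "#";
  return "https://" + siteHost + "/leaving?u=" + encodeURIComponent(href);
}

// Sample feed hrefs (constructed) as they might appear next to "liked" items.
const SAMPLE_HREFS = [
  "/pages/Some-Page/123",
  "http://www.facebook.com/help.php",
  "http://givesmehope.com/story/42",
  "https://www.facebook.com@evil.example/x",
  "javascript:alert(1)",
];

// Returns the hrefs that would need a warning, for a quick audit of a feed.
function externalLinks(hrefs, siteHost) {
  return hrefs.filter((h) => classifyLink(h, siteHost) === "external");
}
```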

Update: I have contacted Facebook regarding the potential issues with this "feature."
Update 2: Just read XKCD's comic for today, thought it fit pretty nicely. Find it here
Update 3: Facebook just got back to my e-mail. Here is their reply:
Hi John,

Thanks for your email. We are sorry to hear that you are experiencing these issues with our site. Unfortunately, we do not offer functionality or technical support from this email alias. Please refer to our Help Center for answers to common questions, solutions to technical issues, and feedback from other Facebook users. You can reach the Help Center (http://www.facebook.com/help.php) by selecting "Help" at the bottom of any Facebook page.

Thanks for contacting Facebook,

Guy
User Operations
Facebook
Facebook fail

Links:
Facebook's Official "Like" Button Documentation

PCWorld Article "Facebook's 'Like' Button: What We Know So Far"

3 comments:

  1. Nicely explained, and you are right, external links on Facebook are a disaster waiting to happen. Not a safe place to play for grandma any more.

  2. Hey John, good writeup. I was thinking about the spread of this and other Facebook hacks. I think a good proof of concept phishing site needs to get popular before Facebook will react to this. Maybe we should make one and show it off at defcon haha

  3. Did you contact the "help center"?
