- From: Luke Hutchison <luke.hutch@mit.edu>
- Date: Thu, 22 Jul 2010 16:32:39 -0400
There has been a spate of Facebook viruses in the last few months that have exploited social engineering and the ability to paste arbitrary javascript into the address bar of all major browsers to propagate themselves. Typically these show up as Facebook fan pages with an eye-catching title that ask you to copy/paste a piece of javascript into the address bar to show whatever the title is talking about. However, doing so scrapes your Facebook friends list, and the virus mails itself to all your fb friends. Frequently these viruses will redirect to a legit-looking page after propagating themselves, so the user doesn't know they have been duped until one of their friends asks why they sent out the link. In most cases nobody says anything because it looks like a legitimate shared link (and there's so much junk shared on Facebook anyway that nobody can tell the difference!) -- as a result these viruses have been wildly successful, accumulating tens of thousands of "Like"s before anybody even reports the page as spam.

An example: http://code.google.com/p/chromium/issues/detail?id=44796

There is no legitimate reason that non-developers would need to paste "javascript:" URLs into the address bar, and the ability to do so should be disabled by default on all browsers. (Of course this would not affect the ability of browsers to successfully click on javascript links.)

The above bug report was closed with the following suggestion: "to get traction on this, I'd suggest looping in other browser vendors. The WHATWG list might be appropriate. These sorts of changes work best when all browser vendors move in unison."

Comments, please?

-- Luke Hutchison
Received on Thursday, 22 July 2010 13:32:39 UTC
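An added example, not code from the post or from any browser: the address-bar paste check the message argues for, written as a browser-side mitigation that also catches the scheme when it is disguised with whitespace, mixed case, or embedded tab and newline characters (which URL parsing strips before matching the scheme). Function names are assumptions.

```javascript
// Strip ASCII tab/newline anywhere in the input, and leading/trailing C0 controls
// and spaces, mirroring what a URL parser does before it looks at the scheme.
function normalizeForSchemeCheck(input) {
  return input
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

// Return the lower-cased scheme if the normalized input starts with one, else null.
function extractScheme(input) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeForSchemeCheck(input));
  return m ? m[1].toLowerCase() : null;
}

// Decide what to do with text *pasted* into the address bar (typed input and
// clicked links are untouched, as the post proposes).
// Returns { action: "block" | "allow", value }.  On "block" the scheme prefix is
// stripped so the remainder can only be treated as a plain search term or URL,
// never executed as script.
function handleAddressBarPaste(pasted) {
  if (extractScheme(pasted) === "javascript") {
    const stripped = normalizeForSchemeCheck(pasted).replace(/^[a-z][a-z0-9+.-]*:/i, "");
    return { action: "block", value: stripped };
  }
  return { action: "allow", value: pasted };
}

// Constructed sample inputs: a plain paste, a disguised one, and a benign URL.
for (const sample of ["javascript:alert(1)", "  JaVa\tScRiPt:\nvoid(0)", "https://example.com"]) {
  console.log(JSON.stringify(sample), "->", JSON.stringify(handleAddressBarPaste(sample)));
}
```

The same check belongs on every entry path into the address bar (drag-and-drop and bookmarklets created from pasted text included), not only the paste event.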