Jun. 11, 2009

Posted by in Facebook, General | No comments

More Problems with Facebook Platform Ads

Yesterday, I posted a few updates on problematic ads in Facebook applications, and stated that despite a ban, SocialReach was still showing ads.  Today, AllFacebook followed up on comments and got word from SocialReach claiming they were still banned, but SocialCash was imitating their ads.  SocialCash maintained they were abiding by the Facebook TOS.

And so the plot thickens.  I made my update yesterday after still seeing network traffic from socialreach.com.  After further checks today, I’m still seeing content loaded from ads.socialreach.com that is setting cookies for socialreach.com and making REST API calls to Facebook using application session information.  I’m also still seeing content from SocialHour that is similarly storing and requesting information.

Further investigation, though, revealed why this was happening.  SocialReach and SocialHour ads were not actually appearing on an application page.  The application page’s source code revealed that it was loading three hidden iframes: one for SocialCash, one for SocialReach, and one for SocialHour.  Each of these iframes loaded pages that were actually hosted on the domain of the application itself, but they then made calls to the ad network domains that allowed the ad networks to access profile information and set cookies.

The FQL queries submitted by SocialCash to the REST API are extremely similar to the three examples I posted previously from SocialReach.  SocialCash then uses not only names and pictures of friends in advertisements, but in one example, dates of birth.  The AdMazing iframe currently used for displaying ads in the application often loads SocialCash ads, so they do actually appear to users.

Furthmore, another network, LockedOn, also publishes ads with friends’ profile pictures, though I’m not entirely sure how it accesses them.  (Ads vary on refresh, so it can be hit or miss finding and examining particular ones can be difficult.)  However it finds them, once it has them, it stores the information in a cookie for ads.lockedonmedia.com.  This ad was also loaded via the AdMazing iframe that actually displays in the application.

And as I’ve mentioned before, profile information is still being sent in the URL of AdMazing ads.

All of the examples in this post came from We’re Related, a Facebook Verified Application.

Leave a Reply