Jul. 26, 2010

Posted by in Facebook | 6 comments

Spam via Facebook Events Highlights Ongoing Challenges

Earlier today, I received an invitation to a Facebook event from “Giovanna” – someone I’d never heard of and certainly never added as a friend. The invite came as a bit of a surprise, since my profile was fairly locked down. While anyone could search for it, all profile information was set to “Friends Only,” and sending messages or making friend requests was limited to “Friends of Friends.” None of my friends seem to know Giovanna, and her profile is probably fake anyway.

The event title proclaimed “iPhone Testers Needed!” and might be enticing to users who want an iPhone. While the event page included more information on the supposed testing program, the invite was followed by a message from the event creator. Once you’re on the guest list for a Facebook event, its administrators can send you Facebook messages, and your message privacy settings do not apply to them. This particular message (which also reached my e-mail inbox because of my notification settings) included a link to the iPhone opportunity, which unsurprisingly led to a typical “offer” page that required me to submit personal information and try out some service before I could get my fancy new phone.

I began investigating how this all happened. When you create a Facebook event and go to invite people, the dialog only lists your friends. But that restriction lives in the web interface alone: on the backend, nothing prevents you from submitting the invite request directly to Facebook with other people’s Facebook IDs. In my testing, I’ve been able to send event invitations to users who are not my friends and who have tight privacy settings. I’m guessing that using this technique to invite more than a few people could trigger a spam alert, but I’m not sure. An event invitation does not give the event creator any extra access to guests’ profile information, but as already noted, it does let event administrators send messages to people they otherwise could not contact.
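As an added illustration (not code from the original post, and not Facebook’s code), the following toy model shows the authorization gap the paragraph above describes: the invite dialog offers only friends, but the server-side handler trusts whatever IDs arrive in the request. The users, friendships, privacy settings, the 50-invite cap and the RSVP rule are all constructed assumptions; the `*_vulnerable` functions model the behaviour observed above, and the `*_hardened` ones show the server re-deriving the same restriction the UI enforced, plus a fan-out limit.

```python
# Added example (not from the original post): toy model of an event-invite
# endpoint that trusts client-submitted user IDs, beside a hardened version
# that re-checks friendship and privacy on the server.  All data below is
# constructed; nothing here talks to Facebook.

# Constructed social graph (symmetric friendships) and each user's setting
# for who may send them messages or friend requests.
FRIENDS = {
    "alice": {"bob"},
    "bob": {"alice", "carol"},
    "carol": {"bob"},
    "giovanna": set(),   # hypothetical spammer: no friends at all
}
CONTACT_SETTING = {      # "everyone" | "friends_of_friends" | "friends"
    "alice": "friends_of_friends",
    "bob": "everyone",
    "carol": "friends",
    "giovanna": "everyone",
}

MAX_INVITES_PER_REQUEST = 50   # assumed cap; the real threshold is unknown


class InviteRejected(Exception):
    """Raised when a single request tries to fan out to too many guests."""


def is_friend(a, b):
    return b in FRIENDS.get(a, set())


def is_friend_of_friend(a, b):
    return any(is_friend(f, b) for f in FRIENDS.get(a, set()))


def may_contact(sender, recipient):
    """The recipient's own setting decides who may message or friend-request them.
    Unknown recipients default to the strictest setting."""
    setting = CONTACT_SETTING.get(recipient, "friends")
    if setting == "everyone":
        return True
    if setting == "friends_of_friends":
        return is_friend(sender, recipient) or is_friend_of_friend(sender, recipient)
    return is_friend(sender, recipient)


def friend_picker(user):
    """What the client-side invite dialog shows: only the user's friends."""
    return sorted(FRIENDS[user])


def invite_vulnerable(event, sender, guest_ids):
    """Trusts the client: every ID in the request lands on the guest list,
    even though the dialog only ever offered the sender's friends."""
    event["guests"].update(guest_ids)
    return set(guest_ids)


def invite_hardened(event, sender, guest_ids):
    """Re-derives the dialog's friends-only rule on the server and caps fan-out."""
    if len(guest_ids) > MAX_INVITES_PER_REQUEST:
        raise InviteRejected("too many invites in one request")
    accepted = set()
    for g in guest_ids:
        if g in FRIENDS and is_friend(sender, g):   # unknown or non-friend IDs dropped
            event["guests"].add(g)
            accepted.add(g)
    return accepted


def message_guests_vulnerable(event, admin):
    """Guest-list membership alone gives the admin a channel to every guest."""
    return sorted(event["guests"])


def message_guests_hardened(event, admin):
    """Only reach guests who RSVP'd yes or whom the admin could contact anyway."""
    return sorted(g for g in event["guests"]
                  if g in event["rsvp_yes"] or may_contact(admin, g))


def run_scenario(invite, message):
    """Giovanna submits IDs the picker never showed her, then messages the guests."""
    event = {"title": "iPhone Testers Needed!", "guests": set(), "rsvp_yes": set()}
    submitted = ["alice", "bob", "carol", "nobody"]   # "nobody" is not a real user
    try:
        invite(event, "giovanna", submitted)
    except InviteRejected:
        pass
    return {"guests": sorted(event["guests"]), "reachable": message(event, "giovanna")}
```

Running `run_scenario(invite_vulnerable, message_guests_vulnerable)` puts all four submitted IDs on the guest list and makes every one of them messageable, which is the outcome described above; the hardened pair leaves Giovanna with an empty guest list because the picker would have shown her nothing. Mixing the vulnerable invite with the hardened messaging still reaches only “bob”, the one constructed user whose setting is “everyone”, which is why the message path needs its own check rather than inheriting trust from the guest list.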

I’m sure Facebook will take action soon to clamp down on this particular loophole, so I think it unlikely we’ll see it exploited too widely. (The iPhone testing event currently has around 1800 guests – significant, but tiny compared to other Facebook scams.) But it does demonstrate the sort of challenges Facebook is having to handle as their network and power expand. Several years ago, when the site was used for little besides keeping in touch with college classmates and other offline friends, Facebook was seen as mostly spam-free, in contrast to services like Myspace. Now that applications, social gaming friends, and corporate brands have all become integral parts of the Facebook experience, black hat marketers keep finding new ways to spread links among users. And worse, those tricks can often be used to spread malware as well.

I do think that Facebook wants to avoid annoying users with spam, and works to prevent your inbox on the site from becoming as flooded as a typical e-mail account. But a network of 500 million people presents a very enticing target, and we’ll keep seeing new scam ideas pop up as Facebook expands and adds features. In the meantime, continue to be wary of any links promising a glamorous reward for free.

  1. Aishwara Joshi says:

Please, please help me. I am in big trouble. Someone has created a fake account of me on Facebook and I need to hack it. I beg, I need help.

  2. Aishwara Joshi says:

Someone please help. A person has created a fake account of me on Facebook and I need to hack it. Please, I beg, help.

  3. What’s troubling about this story are the comments that users have posted. There is a problem here, and it has to do with the fact that everybody’s face is on the web, and when you have a username that’s listed in a URL, you’re able to physically identify people. And that’s all you need to get the ball rolling on surveillance. If you wanted a conspiracy theory, you could wonder all day about how the United States government got 10% of the world to contribute to its CIA database of personal profiles, which isn’t as much about what’s actually listed as about the relationships between what’s listed, what’s publicly available, and what’s kept private. The actual information is almost beside the point; the real gold is in the relationships between the decisions that are made, the patterns in those decisions that make for real signatures. Facebook is 500 million users and growing fast. If it’s not the first sole site to hit the 1 billion user mark, it’ll be the next biggest thing, but it’s bound to happen. Is that good or bad? Remember, there is no neutral.

  4. Thanks for providing this information because lots of people are using facebook and don’t know about this spam event program. Next time when I’m going to check my inbox I will surely remember about this.

  5. I hate Facebook. It has created so many security exploits it’s unbelievable.

  6. This is how a few Hungarian spammer companies do it (I guess it’s not a local invention): you get an invite to an ‘event’ which is usually a promotion. Say you can win a weekend at a hotel or something.

    The event page says that you have to click a link and then press Like on the promotion page. Now the link you click is a FB app. The app page says again that you’ll have to click the Like button, but before that you click ‘here’. And when you click there you’re subscribing to the application. You’ll see the standard FB permission request page. It asks for personal info and permission to manage your events. But since you’ve been told that you’ll have to like their page (nice social engineering) you see this very important step as an annoyance and click the more prominent of the two buttons: Accept. This is when you spam all your friends. The app will send out an invite to all your friends, saying that you have invited them to this ‘event’.

    Some of my more tech-savvy friends have recognized this and threatened their friends with deletion if they do this again. However, these guys didn’t know that their friends weren’t the ones spamming; they were just irresponsibly giving access to an application.

