A New Use For JavaScript URLs…

I was just invited by a ‘friend’ to join a Facebook “free laptop” group whose real aim is to get you to take surveys.

Facebook have obviously decided not to have a “Select All” button on your list of friends when you share stuff, to try and reduce spamming. Here’s this group’s way around that, from their instructions:

3) After that, Click the ‘Invite People to Join’ link on the left hand side of the page. (Must do it, it’s part of how we can give these buttons away for free!)

4) Erase everything in your address bar… (The address bar is where http://www.facebook.com is typed, where you type in a website to go to.)

Then copy and paste the following code in there and hit ENTER.

javascript:elms=document.getElementById('friends').getElementsByTagName('li');for(var fid in elms){if(typeof elms[fid] === 'object'){fs.click(elms[fid]);}}

5) Once you’ve done that, all of your friends in the box should turn BLUE, Click ‘Send Invitations’

So, how about a javascript: URL which creates form elements mimicking a Facebook login form, waits for the browser to autofill them, and then posts the contents off to a server? (Or did we fix that?) Or one which inserts a <script> tag whose src points at an attack site? If people get used to blindly following instructions like this, no good will come of it…
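As an added example that is not part of the original post: a moderation-side check a site could run over group descriptions or posts to flag "paste this into your address bar" instructions like the one quoted above. The function names and the sample texts are constructed for this illustration and are not any real platform's API.

```javascript
// Added example, not code from the original post. normalizeForScan and
// findScriptUrls are hypothetical helper names; SAMPLES is constructed input.

// Decode one code point, ignoring out-of-range values that would throw.
function cp(n) {
  return n <= 0x10ffff ? String.fromCodePoint(n) : '';
}

// Undo the usual disguises of a javascript: URL in user-posted text:
// HTML numeric entities, percent-encoding, embedded whitespace/control
// characters (browsers strip these inside a scheme), and mixed case.
function normalizeForScan(text) {
  let s = String(text);
  s = s.replace(/&#x([0-9a-f]+);/gi, (_, h) => cp(parseInt(h, 16)));
  s = s.replace(/&#(\d+);/g, (_, d) => cp(parseInt(d, 10)));
  s = s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  s = s.replace(/[\u0000-\u0020]/g, '');
  return s.toLowerCase();
}

// One finding per javascript: URL, with coarse hints about what the payload
// touches so a human reviewer can triage the report quickly.
function findScriptUrls(text) {
  const norm = normalizeForScan(text);
  const findings = [];
  for (let i = norm.indexOf('javascript:'); i !== -1; i = norm.indexOf('javascript:', i + 1)) {
    const payload = norm.slice(i, i + 300);
    findings.push({
      offset: i,
      snippet: payload.slice(0, 60),
      readsDom: /document\./.test(payload),
      clicksElements: /\.click\(/.test(payload),
      sendsData: /xmlhttprequest|fetch\(|\.submit\(|location=/.test(payload),
    });
  }
  return findings;
}

// Constructed samples: the group's snippet from above, a disguised variant,
// and a benign line that mentions a normal URL.
const SAMPLES = [
  "javascript:elms=document.getElementById('friends').getElementsByTagName('li');for(var fid in elms){if(typeof elms[fid] === 'object'){fs.click(elms[fid]);}}",
  'Paste this: JaVa\tScRiPt%3Adocument.forms[0].submit()',
  'Read http://www.facebook.com/help for details',
];

for (const s of SAMPLES) console.log(findScriptUrls(s));
```

A check like this only catches instructions posted on the site itself; as the comments below note, the same text can simply be hosted elsewhere and linked to.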

8 thoughts on “A New Use For JavaScript URLs…”

  1. Seems a violation of the spirit of the Developer Principles and Policies, if not the letter:

    http://developers.facebook.com/policy/

    V.6. You must not pre-select more than one person to receive information through a Facebook communication channel.

    and obviously

    II.5. You must not circumvent our intended limitations on core Facebook features.

    Worth reporting?

  2. Keith: I guess so. I used the Report group link just now; the best category was “Advertisement/spam”. There wasn’t a category for “TOS violation”…

  3. I saw something similar to this, I guess it’s a new tactic going around. Seems like banning groups that list javascript: URLs in their instructions somewhere would be a good first start, although I’m sure enterprising spammers will work around that by putting them on external webpages or something. Just further proof that people will do almost anything if you promise them something for free.

  4. 1. Walk to your kitchen
    2. Open the drawer containing the cutlery and extract the biggest, sharpest knife you can find
    3. Aim the knife at your chest
    4. Stab. Stab. Stab. Stab.

    Adjust for “nearest firearm” where allowed.

    I don’t think there is a technical solution to people blindly following instructions they just know will end badly. I certainly hope you’re not proposing to remove (or hide by default) the address bar because people could paste dangerous things in it? Next thing you know, search engines will ask “are you sure you wanted to search for “Help! Help! I’m trapped in a stupid machine!””. They nearly already do that, don’t they?

    Is it time for the Fischer-Price computing age? All edges carefully dulled, all parts large enough to prevent choking?

    I think trying to protect people against copy/pasting stupid things is a losing battle. Remember the “Pledge of the Network Admin”?

  5. A lot of groups are doing this now. I’m sure someone will post a phishing scam in a javascript: link soon.

  6. Is there any good reason why javascript pasted into the address bar should have access to the document currently displayed in that window? Is there any good reason that javascript pasted into the address bar should work at all?

  7. > Is it time for the Fischer-Price computing age?

    We already arrived there a few years ago when someone decided that if users type something other than a URL in the address bar, instead of a “that is not a valid address” error message, they should get search results automatically. (I still think this is a bad idea. Search terms are not the same thing as an address and should not work like one.)

    And yeah, if you put a URL into the search box on most search engines, the site you would have gone to if you’d put it into the address bar is generally the first result. My mom does this all the time, on purpose. She says it’s easier to type the address into the search box than the address bar, because of bifocals. Personally, I think the search engine should only return results that contain the stuff the user typed (even if it is a URL) in the actual text of the page. But no.

    But yeah, regarding the script URL typed in the address bar, I agree with Philip Paeps. As long as there’s no way for content or script on the page to insert anything into the address bar automatically, so that anything in there is known to have been typed or pasted by the user, I don’t see a technical problem. Yes, users could type or paste something they shouldn’t, but that’s always going to be the case.

    If Javascript URLs didn’t work, the instructions could give the users a traditional http URL at another site to paste into the box and tell them to enter their MyBook username and password in the form there and submit it. Then the foreign site takes the username and password and either does something clever with WWW::Mechanize or maybe just pays somebody in Nigeria four cents an hour to log into FaceSpace and retweet the spam manually to all the original user’s peeps.

    With the script URL, at least the user *theoretically* has the option to read the code and know what the script does before pasting it, if the user knows the scripting language. (Granted, approximately 0% of MySpace users know Javascript.)

  8. [quote]
    > Is it time for the Fischer-Price computing age?

    We already arrived there a few years ago when someone decided that if users type something other than a URL in the address bar, instead of a “that is not a valid address” error message, they should get search results automatically. (I still think this is a bad idea. Search terms are not the same thing as an address and should not work like one.)
    [/quote]

    I agree that the address bar should not show search results. Pretty much every time you search Google you see ads, so I would assume that this whole “address bar / search bar” is more or less for companies like Google to get more ad views.

    I do think that address bars can be used for more though, such as JS.

    The thing is, you have been able to run JavaScript from the address bar for a long time. In fact, I am sure you can do javascript:document.write("tough luck"); or similar in any of the browsers. If you have the Firebug plugin for Firefox then you could write anything right into the document. You could also use a bot of sorts… if all it has to do is be logged in then send POST or GET info or handle JS injections, cURL would handle it just fine.

    The problem isn’t whether or not we can type in the address bar, because we can always do things like run illegitimate JavaScript on a page, and we always will because of the nature of how it works (in the browser!). The best part about the address bar is that you CAN run anything from it. “My Computer” for Windows 95 – 2000 can all interpret and browse web sites, follow links and run JS right there; My Computer IS a browser! A lot of that might have had something to do with how Microsoft integrated IE into the OS, but there was freedom of choice with it. I remember back in 6th grade, computers were locked down: could not browse My Computer, could not use the start bar and a bunch of lame stuff – I used Internet Explorer to browse the computer and I could still run programs from it as well – or download them and run them from the desktop!

    Client Side vs Server Side languages:
    The natural progression of security has taken us a LONG way. For instance: I can write a log-in script that disables itself for 15 minutes after 5 failed login attempts. Because the code that controls this is on the server and not JS running in the user’s browser, it cannot be “hacked” unless I write bad code.

    So my take on what needs to be done… The address bar, if one should choose a life of freedom, should be able to run or execute ANYTHING. I should be able to:

    *Run locally stored scripts or programs
    *SSH & FTP to web server
    *Send short one line emails or text messages
    *Visit websites and all that (duh)
    *Set system and program wide settings or configuration for any program.
    etc…