URLs redirect to spyware site - iphone

We are developing an app that makes posts on behalf of our users to Facebook. Within those posts, we want to put links to external (non-Facebook) websites.
Looking at the links in the status bar of the browser (usually Chrome), the correct URL is displayed. However, Facebook seems to wrap the actually-clicked link into some extra bells-and-whistles. Usually, this works correctly.
Sometimes, however, this URL wrapping ends up sending the click to a URL like:
http: //spywaresite.info/0/go.php?sid=2
(added space to make it non-browsable!) which generates Chromes severe warning message:
This happens very occasionally on Chrome, but very much more often in the iOS browser on the iPhone.
Does anyone have any pointers as to how to deal with this?
EDIT
For example, the URLs we put in the link is
http://www.example.com/some/full/path/somewhere
but the URL that actually gets clicked is:
http://platform.ak.fbcdn.net/www/app_full_proxy.php?app=374274329267054&v=1&size=z&cksum=fc1c17ed464a92bc53caae79e5413481&src=http%3A%2F%2Fwww.example.com%2Fsome%2Ffull%2Fpath%2Fsomewhere
There seems to be some JavaScript goodness in the page that unscrambles that and usually redirects correctly.
EDIT2
The links above are put on the image and the blue text to the right of the image in the screenshot below.
Mousing over the links (or the image) in the browser shows the correct link. Right-clicking on the link and selecting "Copy Link Address" gets the fbcdn.net link above (or one like it). Actually clicking on the link seems to set off some JavaScript processing of the fbcdn.net link into the right one... but sometimes that processing fails.

I'm not 100% sure what you're asking here, but i'll tell you what I know:- are you referring to this screen on Facebook?
(or rather, the variation of that screen which doesn't allow clickthrough?)
If you manually send a user to facebook.com/l.php?u=something they'll always see that message - it's a measure to prevent an open redirector
if your users are submitting such links, including the l.php link, you'll need to extract the destination URL (in the 'u' parameter)
If you're seeing the l.php URLs come back from the API this is probably a bug.
If links clicked on facebook.com end up on the screen it's because facebook have detected the link as suspicious (e.g. for URL redirector sites - the screen will allow clickthrough but warn the user first) or malicious/spammy (will not allow clickthrough)
In your app you won't be able to post links to the latter (an error will come back saying the URL is blocked), and the former may throw a captcha sometimes (if you're using the Feed dialog, this should be transparent to the app code, the user will enter the captcha and the dialog will return as normal)
If this isn't exactly what you were asking about please clarify and i'll update my answer

Rather than add to the question, I thought I'd put more details here.
It looks like the Facebook mention in the original title was mis-directed, so I've removed it.
We still haven't got to the bottom of the issue.
However, we used both Wireshark and Fiddler to look at the HTTP traffic between the Chrome browser (on the PC) and Facebook. Both showed that Facebook was returning the correct URL refresh.
Here's what Wireshark showed:
What we saw on Fiddler was that our server is issuing a redirect to the spywaresite.info site:
We are working with our ISP to figure out what is happening here.

Related

Facebook - click on a like button does not increase the like count

After searching the internet and doing my own research on this subject I still can not find the answer to my problem, so here it is.
When I click the like button (to like my website http://openarchitecture.cz) then the like count is not being increased.
Debugging the FB javascript code on client-side (in Chrome) and examining the ajax response
send back from FB servers after the click on "Like" button, revealed that FB is instructing the Like button to be "disconnected", resulting in the behaviour described below.
The term "disconnected" is a strict FB term (in a sense of a javascript code), it means that on client-side there will be used a "plugin" that will perform certain operations leading to "inactivity" of like button. Technically, when the plugin "disconnect" is beeing recognized as part of the ajax response, there is an array of predefind actions (functions) that will be followed and called sequentially.
Now for the reproducibility of the problem.
Go to http://developers.facebook.com/docs/reference/plugins/like and fill the "URL to Like" field with http://openarchitecture.cz
url.
Click "Get code", then click "Ok" on the pop-up and finally click "Like" button on the right.
The like count should increase. Instead a pop-up shows up for (aprox.) 1 sec.
then the popup disappears. Now I am in the same state as before I click the
like button, i.e. like count is not increased.
I have found similar questions here on SO, but none of them seems to finally
resolve the issue.
The related questions here on SO are:
1. http://facebook.stackoverflow.com/questions/5195183/facebook-like-button-flashing-on-then-off/12958474#12958474
2. Facebook Like button does not work on one website?
One of the suggestions was that this migth actually be a FB bug. I found a (very recently created) bug, reported in FB bug tracking system. The bug is located here:
http://developers.facebook.com/bugs/268340209965207?browse=search_512b8e0bed9724580954683
The bug has however "Low" priority an so far it does not seem to be resolved (it might even be returned as not a FB issue, I am not sure if this possibility is still open).
So for all interested in this.
Is this a real FB bug ?
How have you dealt with this ?
Could it be that my site is for some reason on FB spam/black/"whatever nasty" list ?
Well. This will end up like the other posts, i.e. no lesson learned here.
[The term "page" used later in this post represents the http://openarchitecture.cz page]
I just tried today to like the page again via the FB generated like button (on http://developers.facebook.com/docs/reference/plugins/like/ ) and the result is now ok. So the like count gets increased after clicking the like button.
The difference that I observed when checking the request exchange to FB servers is that this time the communication has been done (by default. i.e. using the XFBML version of the like button) over iframe, not direct ajax call (as was in the past for XFBML).
I dont know what was the cause (I tried the pure iframe version of like button before) but the response going back as a result of the mentioned iframe request is now correct, ie. FB sends back response instructing javascript in client browser to use "connect" plugin not "disconnect" plug-in.
One more thing. One month ago I have created a FB profile (http://www.facebook.com/pages/Openarchitecture/125515934292877) of the page and have done some updates to this profile. So maybe FB decided that the page (being referenced from FB profile) has now earned the provilige to be "liked".
Like I said at the beginning. Problem solved, but no lesson learned.
For me, the problem (Like popup disappearing after a second; "Plugin","disconnect" response) was happening when the Like button URL redirected to another URL.
The fix was to add og:type, og:url, and og:title (required per https://developers.facebook.com/docs/reference/opengraph/object-type/website), then running the URL through the Facebook debugger to clear the cache (https://developers.facebook.com/tools/debug).
More at https://stackoverflow.com/a/16597060/2391566 .

Facebook Like button doesn't show up anymore

I implemented the like-button on the page http://www.racket-center.de on every subpage of this site. I noticed that it didn't show up on every page so I tried different implementation-versions (html5, iframe etc) but it didn't work. If I remember correctly the more I tried the less pages the button appeared on.
Now the button doesn't show up anymore – not even within the wizard at http://developers.facebook.com/docs/reference/plugins/like/ You can try it yourself: if you enter the URL of the site + then change another option to get the wizard checking the url the like-button will disappear.
I tried to debug via the linter and fixed some minor warnings it complained (e.g. adjusting the og:image-size to fit 200x200px) but that didn't bring back the button.
I guess the page is kind of blacklisted but I don't know + if it was blacklisted I don't know why.
Does anybody have a clue what might be going on here or kind point me to any resource about fb's blacklists?
Would be nice to get some help.
Thx,
Michael

How to send a Facebook page as url using the Facebook send button?

I will try to explain a bit the context for my problem.
Context:
A while ago I started working on Facebook application. One of the requirements is to be included in a Facebook page as a tab. This application will contain on a page a send button in order to be able to make it more engaging with specific people, users of the application would choose on their own. The reason behind this is because the Facebook page containing the application is related to alcohol, and "liking" the application will get more audition and potential children. Another reason for using send button rather then other similar options from Facebook (like send dialog etc.) is because in Facebook documentation was stated that send button works on mobile devices and other options don't.
Problem:
My problem is related to the send button. What I need is to be able to completely configure the send button: url, image, title, description. I have research the open graph tags in order to be able to do this. Everything works fine if the page I want to be sent with the message is a website OUTSIDE Facebook. Once I started to use the url of a Facebook page (let's call it www.facebook.com/mycustompage), then the crawler takes the images, title, description from facebook.com ignoring the actual page and the produced message is not what I want.
I have searched a lot to better understand this limitation and could not find anything relevant.
The only article I could find as a potential solution was (and even this I had trouble finding):
Send button returning error codes, like button works fine
The above discussion is a workaround which I have already put in place but is not 100% what I want. The described workaround is about putting in the send button:
<div class="fb-send" data-href="http://www.mycustomdomain.com/og"></div>
a page that sniffs the user agent. In case the user agent is Facebook crawler to serve an html empty page just with the open graph tags, otherwise redirect to the desired URL - which in our case is the facebook page www.facebook.com/mycustompage.
The message produced contains:
the title which is a link to www.mycustomdomain.com/og which when
clicked opens a page in a new tab with the address
www.facebook.com/mycustompage - this is relatively ok
under the title I have a "sub-title" readonly text containing the domain of the link: www.mycustomdomain.com - THIS IS NOT OK since I don't want to share where I have hosted the application.
the image and the desired description - this is ok.
Conclusion:
What I want to know if there is a better way to do this rather than this workaround.
If not I would like to know how I can hide for the produced message the "sub-title" so that the hosted domain is not visible.

Why does Object debugger say my URL is a facebook URL and isn't "scrapable"

In trying to create an "object" page for my first facebook app, I've run into some difficulty. I followed Facebook's Open Graph Tutorial nearly exactly.
After creating an "object" html page with the appropriate <meta property="og:... tags I tried running the URL through the Debugger Tool as suggested in the tutorial but I'm given the following error:
"Facebook URLs aren't scrapable by this Debugger. Try your own."
This page is in the same directory on my company's linux box as the canvas page, and is certainly not a "Facebook URL". If it matters, I'm using an IP instead of a domain name: xx.x.x.xxx/app/obj.html
...
I continued the tutorial anyway, but ultimately it does not seem to want to post a new action/object (is this even right?). I did however manage to get something to work, as in the app timeline view I apparently actioned one of those objects a couple hours ago. I assume this happened when I was pasting curl POST commands into the terminal.
I'm pretty new to the whole open graph, and facebook APIs, etc., so I'm probably operating under false assumptions of some sort, and I've been all over trying different things, but this error seems pretty bizarre to me and I can't seem to resolve it.
UPDATE
I just took the object page and put it on my own personal shared hosting acct. The debugger worked (inexplicably) fine on it, but I couldn't go too far since it's a different domain than the one authorized by my app.
Make sure og:url inside your html page does not point to facebook.
Also, make sure to look at the open graph protocol page (to see you formatted the og tags correctly.
Also, make sure the page is accessible to everyone, not just yourself.
Without knowing the URL it's hard to be sure, but it's most likely that your URL is either including a og:url tag pointing to a facebook.com address, or a HTTP 301/302 redirect to Facebook instead

Silent failure loading page application in iframe over https

Problem
I have an application driving a tab on a client's page. The application works correctly if the user has not enabled FB's "secure browsing" feature. If attempting to view over HTTPS, the iframe doesn't even appear (no errors, no mixed-content warnings). When correctly loading over HTTP, the div with the id "pagelet_app_runner" has an iframe inserted into it and the application content is loaded inside there. Over HTTPS, this div remains empty and the iframe is not inserted into the page. There are no Javascript errors appearing in Firebug or Chrome's equivalent console.
Why I'm Asking Here
The host has a valid SSL certificate and there is no 'mixed content' at the URL in question. I can successfully view the content over HTTP or HTTPS by visiting the URL directly, and I can do the same by visiting apps.facebook.com/canvasURL/tabURL. It is only when attempting to view within a Page Tab that the HTTPS load fails as described above. My application is configured with both regular and secure canvas and tab URLs.
Attempted Debugging
I've recorded some sessions with Charles but since the iframe isn't being inserted into the page, I think I'm coming at the problem after it's already occured. I'm no Charles expert so happy to be corrected here.
Apache isn't seeing any request (in either regular or ssl logs) for the affected loads. non-SSL loads come through as expected in access_log.
Plea for Help
I'm out of ideas for debugging this. Does anybody have any suggestions? What really obvious and stupid mistake might I have made? :)
edit: nicer formatting
Your app canvas URL is https://skinnycomp.nextstudio.com.au/skinnycowcomps/ , which send 404 error to Facebook proxy (request is going through proxy when viewing app via tab), also when viewing your app via apps (https://apps.facebook.com/122381834451561/), again 404... maybe Facebook proxy is ignoring 404 and posting blank...
Try changing canvas URL to https://skinnycomp.nextstudio.com.au/skinnycowcomps/tab, also you can check if your app is accessed via page tab, in signed_request there should be page_id...
23:51:15.379[549ms][total 1667ms] Status: 404[Not Found]
GET https://skinnycomp.nextstudio.com.au/skinnycowcomps/
This is a real longshot since I'm sure you've triple checked all the settings, but the blank page can happen if an invalid url is specified in the Page Tab URL field in the app settings. Since it only happens on https, it would imply something specifically with the Secure Page Tab URL entry. It might be worth checking that again, and maybe even re-saving it or changing it to something else to see if it helps.
I was using relative URLs for the regular and secure tab URL fields. From memory relative URLs here were mandatory at some point in the past. It appears now that a relative URL will still work for HTTP but not for HTTPs. Fix: absolute URLs. Hopefully FB update their field validation to match what's required too.