Facebook Scams

Profile Trackers
One of the most popular scams on Facebook right now is the Profile Tracker scam, and why wouldn't it be? Who wouldn't want to know who's viewing their profile? Unfortunately, anything that claims it is a working profile tracker is lying because Facebook has made profile trackers technologically impossible.

Spam Groups
Potential Profile Tracking Methods
There are several ways that a profile tracker could potentially work. Several methods are covered below, along with how they COULD work and why they DON'T work on Facebook.
Before diving into the technical side of the issue, there are some pretty easy ways to tell that a group promising a profile tracker, or anything else that Facebook does not give you, like a dislike button, probably doesn’t do what it promises, or at least makes you do more than you need to. One group I saw claimed that in order for the creator’s profile tracker to work, you first have to join the group, invite at least 200 friends to join the group, and add the creator as a friend. Then, you are promised that an e-mail will be sent to you with a link that gives you instructions on how to use the supposed tracker. What made it more suspicious was that no one was allowed to post to the group’s wall or create a group discussion, meaning if people figured out they were being tricked, there was no way of letting other people in the group know about it.

Groups that require you to do things like the one mentioned above are simply SPAM. There is no way the creator of the group can track how many people you invite to their group and how many of them actually join, and there is no way they can set it up so that an e-mail is automatically sent to you once you do so. The only reason they require you to join the group and then invite 200 other people is to get as many people to join the group as possible. They just want to see how many people they can trick into joining. Likewise, the requirement to add them as a friend is because they’re one of those people who think having thousands of Facebook friends they’ve never met in real life makes them cool or popular or something. They just want attention.

However, tricking people into joining the group, inviting their friends, and adding the creator of the group doesn’t necessarily mean the thing they’re promising doesn’t work. It could be that it really does work and they just want to get something out of it. However, this simply is not the case with the profile tracker.
Applications
There are only a few ways a profile tracker could actually work, and to my knowledge, the methods either don’t work or have been prevented from working by Facebook. An example of a method that didn’t work was the Trakzor application. The app could tell you who viewed your profile, but only if the other person also had the Trakzor application installed. Therefore, the only way it could be useful in any way is if lots of people added it, which didn’t happen. Besides, if it only works if both people have it installed, that means that if you add it, then other people with it can see when YOU visit THEIR profiles. Knowing that, why would anyone add it? I recently tried searching for it to see if anyone still used it, but it didn’t show up in the search results. I’m guessing the creator abandoned it or it was removed by Facebook.

Cross-Site Scripting (XSS)
The other two ways (that I know) of tracking profile views both use a method called Cross-Site Scripting, or XSS for short. This involves embedding JavaScript into your profile page, so that any time someone views your page, the JavaScript can read the information that Facebook has stored on that person’s browser (inside something called a “cookie”) and then give that information to a different website that can then process the information. Cookies generally contain some way of identifying a user, so if you were able to embed JavaScript into your profile page that could read the contents of another person’s cookie, it’s possible you could use that information to identify whoever is viewing your page.
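The mechanism described above needs two things: profile text that the site renders as markup, and a cookie that page script is allowed to read. The following is an added example, not part of the original article and not Facebook's code, showing the two standard server-side defenses against each; the function names, the `session` cookie name and the sample values are assumptions made for illustration.

```javascript
// Added example: all names and sample values here are constructed.

// Vulnerable pattern: user-supplied text is concatenated into the page as markup.
function renderFieldUnsafe(label, value) {
  return `<div class="field"><b>${label}:</b> ${value}</div>`;
}

// Defense 1: encode the HTML-significant characters so the browser treats
// the value as text, never as tags or attribute delimiters.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderFieldSafe(label, value) {
  return `<div class="field"><b>${escapeHtml(label)}:</b> ${escapeHtml(value)}</div>`;
}

// Defense 2: mark the session cookie HttpOnly so that, even if a script did
// run in the page, document.cookie would not expose the identifier.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Models the browser rule: cookies set with HttpOnly are left out of
// what page script can read.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((header) => !/;\s*httponly\b/i.test(header))
    .map((header) => header.split(';')[0]);
}

// Constructed profile value containing markup (the script body is an inert comment).
const hometown = '<script>/* placeholder */</script>Springfield';

console.log(renderFieldUnsafe('Hometown', hometown)); // markup reaches the page intact
console.log(renderFieldSafe('Hometown', hometown));   // shown as literal text
console.log(scriptVisibleCookies([
  sessionCookieHeader('constructed-session-id'),
  'theme=dark; Path=/',
])); // only the non-HttpOnly cookie is visible to script
```

This encoding covers text placed in an HTML body; values placed inside attributes, URLs or inline script need the encoding for that context.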
Why not just try it?
While reading about why none of these supposed profile trackers work, you may be thinking, "There's no harm in trying these things out. There could easily be a way to make a profile tracker that the writer of this article doesn't know about." While it may be true that I don't know everything there is to know about trying to make something like a profile tracker, trying these things out anyway generally isn't a good idea. At the very least, they will end up being a waste of time. At the worst, you could get your profile hacked. Check out the article on phishing for more information.

The first of the two ways of using XSS to read cookies and figure out who’s checking out your profile is to embed the JavaScript into your profile yourself, if you know how to do it (it isn’t difficult, and it can be done without the user knowing what hit them). According to the Wikipedia article “Criticism of Facebook,” a user embedded JavaScript into the Hometown field of their profile back in March of 2006, which easily could have been used to track profile views. However, Facebook fixed this problem, and JavaScript cannot be embedded in this way.

That leaves the second way it can be done, which is by having an application do it for you by having embedded JavaScript in an application box on your profile. In July 2007, Adrienne Felt discovered a hole in Facebook security that allowed this. However, Facebook found out and the bug was fixed, meaning applications can no longer do this.

Facebook Developer Principles and Policies (DPP)
Considering that these methods do not work, I have a hard time believing that anything could since I don’t know of any other way to do it. However, I certainly don’t know everything, which brings me to my last point, Facebook’s Developer Principles and Policies.
In Facebook’s Developer Principles and Policies (DPP), it specifically states that developers are not allowed to make applications that track profile views: “You must not track visits to a user’s profile, or estimate the number of such visits, whether aggregated anonymously or identified individually” (DPP II.5b). This means any applications that promise tracking profile views are in direct violation of Facebook’s policies. So what does that mean for such an application? A slap on the wrist? Not quite. According to DPP XII.6, Facebook reserves the right to remove applications that violate its policies.

So basically, most of these applications and groups that promise you things like profile view trackers are really just spam that try to trick as many people as possible. However, as mentioned above, some people have succeeded in doing things that could track page views, but Facebook promptly fixed those bugs. Despite those fixes, there is still the potential of someone finding a new bug and exploiting it in a way that allows a profile tracker to work. However, as we’ve seen, Facebook has been good about fixing security holes like this quickly and reserves the right to remove applications that violate their policies. Considering the fact that the policies explicitly mention that profile trackers are not allowed, it wouldn’t surprise me if they had people monitoring applications and making sure none of them could do what they say they can.

Summary
So, even if you find a profile tracker that doesn’t seem like spam and somehow gets around Facebook’s security and actually works, there is no way Facebook will allow it to stick around, so it really isn’t worth bothering at all; it’s a complete waste of time. In the future, if you see anything promising a profile tracker or something similar, ignore it; it either doesn’t work or won’t for much longer.