As the tech and investment banking worlds eagerly anticipate Facebook’s long-awaited initial public offering, the world’s largest social network is trying to put stops to a suspicious, but arguably benign, plugin.

According to a Brian Krebs report, Dru Mundorff of Arizona is shamelessly selling the “LilyJade” browser plugin on for $1000 a pop. Krebs notes that Hackerforums is often scorned by the more elite hackers out there because of the forums appeal to script kiddies (read: it’s too mainstream).

LilyJade is spreading, as is typical on Facebook, by posting links to a video on users’ walls. When ‘Friends’ click the link, they are prompted to install a plugin in order to watch the video. That plugin is LilyJade, which then posts the same link on that users wall, and the process repeats itself.

What LilyJade actually does, according to Krebs, is allow its owner to replace legitimate, paid ads on sites like Facebook, Google, Youtube, or almost any other website with his or her own ads.

Krebs wrote that Mundorff used ‘Crossrider,’ a popular Javascript framework that expedites and simplifies the plugin building process, to build LilyJade.

“We’re not forcing any users to be bypassed, exploited or anything like that,” Mundorff told Krebs in a phone interview. “At that point, if they do agree, it will allow us to make posts on their wall through our system.”

Mundorff doesn’t appear to think he is doing anything illegal. In fact, he even had his lawyer sign off on his terms of service.

Needless to say, Facebook isn’t pleased with the emergence of a plugin that overrides paid advertisements, their main revenue stream, particularly at a time when they are trying to get as generous a valuation as possible for the IPO. They recently sent Mundorff a cease-and-desist.

“Plugins such as LilyJade are configured to modify our [site] to inject ads and/or send spam through Facebook to the victim’s friends via wall posts and chat messages,” Fred Wolens, public policy manager at Facebook, told Krebs in a statement. “These alterations materially change people’s Facebook experience and bypass Facebook’s quality and security controls.”

In a later interview, Mundorff told Krebs that he has no intention of complying with Facebook’s request.

“I pretty much told them to go [expletive] themselves cause we cant post on anyones [sic] walls with out there [sic] permissions automated or not,” Mundorff told Krebs. “So they can go to hell.”

You can find Brian Krebs’s excellent piece of reporting here.


Categories: Uncategorized

Comments (7)

  1. CodeCompiler

    Actually who is to decide whats on there computers? Users. This is there right.. Noone can tell a user they cant adblock so why can’t they adinject? simply put this system is here to users choice. Facebook and Crossrider all state that they don’t want SPAM.. Great well the user decides if its spam by CHOOSING to have our system installed and then CHOOSING to allow us to post on there walls and so forth.

    So explain to me how exactly its spam if the user agree’s to have the system installed and this system is a plugin they can remove. Unlike other systems that are out that hide and steal information. My system does no collect any personal information. So Phishing is not included.

    Moral of the story is we don’t SPAM anyones walls cause we have permission.. We replace the ads cause users approve and agree to have our system installed. My system allows ANYONE to be able to work from home and make money.. So simply put the users choose to have us installed we are allowed to market.

    And we will not bow down to the largest company in the world cause they feel that they should control what users have on there systems. Next thing you are going to be told is that you can’t use windows 7 with this system cause facebook doesn’t want you to use it. Now you have the choice.

Comments are closed.