As the tech and investment banking worlds eagerly anticipate Facebook’s long-awaited initial public offering, the world’s largest social network is trying to put a stop to a suspicious, but arguably benign, browser plugin.

According to a Brian Krebs report, Dru Mundorff of Arizona is shamelessly selling the “LilyJade” browser plugin on Hackerforums for $1000 a pop. Krebs notes that Hackerforums is often scorned by the more elite hackers out there because of the forum’s appeal to script kiddies (read: it’s too mainstream).

LilyJade spreads, as is typical on Facebook, by posting links to a video on users’ walls. When ‘Friends’ click the link, they are prompted to install a plugin in order to watch the video. That plugin is LilyJade, which then posts the same link on that user’s wall, and the process repeats itself.

What LilyJade actually does, according to Krebs, is allow its owner to replace legitimate, paid ads on sites like Facebook, Google, YouTube, or almost any other website with his or her own ads.

Krebs wrote that Mundorff built LilyJade with ‘Crossrider,’ a popular JavaScript framework that expedites and simplifies the process of building cross-browser plugins.
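Sites whose ads a plugin like this can swap out have one practical defence: watch their own ad slots and flag content that did not come from the expected ad servers. The following is an added example written for this page, not code from the article, from Krebs, from Facebook or from LilyJade’s author. The slot ids, the two allowed ad-server origins and the constructed snapshots are assumptions; the pure `checkAdSlot` function does the integrity check, and `watchAdSlots` wires it to a `MutationObserver` when run in a browser.

```javascript
// Added example (not from the article or any party it describes): a site-side
// DOM-integrity check that notices when a browser plugin replaces the legitimate
// ad in a slot with third-party content. Origins, slot ids and sample snapshots
// below are assumptions constructed for this example.

const ALLOWED_AD_ORIGINS = new Set([
  "https://ads.example-site.test", // hypothetical first-party ad server
  "https://cdn.example-ads.test",  // hypothetical contracted ad network
]);

// Origin of an http(s) URL, or null when it is relative, unparseable or uses
// another scheme (a javascript: src in an ad slot is itself a red flag).
function originOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch {
    return null;
  }
}

// A snapshot is a plain object { slotId, elements: [{ tag, src }] } so the check
// can run outside a browser. Returns a list of findings; empty means intact.
function checkAdSlot(snapshot, allowedOrigins = ALLOWED_AD_ORIGINS) {
  const findings = [];
  if (snapshot.elements.length === 0) {
    findings.push(`${snapshot.slotId}: ad content removed`);
    return findings;
  }
  for (const el of snapshot.elements) {
    const tag = el.tag.toLowerCase();
    if (tag === "script") {
      // The site never places <script> inside an ad slot; a plugin injecting one did.
      findings.push(`${snapshot.slotId}: script element injected into ad slot`);
      continue;
    }
    if (tag === "iframe" || tag === "img") {
      const origin = originOf(el.src || "");
      if (origin === null) {
        findings.push(`${snapshot.slotId}: ${tag} with unparseable or non-http src`);
      } else if (!allowedOrigins.has(origin)) {
        findings.push(`${snapshot.slotId}: ${tag} served from unexpected origin ${origin}`);
      }
    }
  }
  return findings;
}

// Browser-only: turn a live slot element into a snapshot.
function snapshotSlot(slotEl) {
  return {
    slotId: slotEl.id,
    elements: Array.from(slotEl.querySelectorAll("iframe, img, script")).map((e) => ({
      tag: e.tagName,
      src: e.getAttribute("src") || "",
    })),
  };
}

// Browser-only: re-check every watched slot whenever its subtree or a src
// attribute changes, which is exactly what an ad swap looks like in the DOM.
// Returns null when no DOM is available (e.g. under a test runner).
function watchAdSlots(slotIds, report, allowedOrigins = ALLOWED_AD_ORIGINS) {
  if (typeof document === "undefined" || typeof MutationObserver === "undefined") {
    return null;
  }
  const slots = slotIds.map((id) => document.getElementById(id)).filter(Boolean);
  const audit = () => {
    for (const el of slots) {
      const findings = checkAdSlot(snapshotSlot(el), allowedOrigins);
      if (findings.length > 0) report(findings); // e.g. beacon to a telemetry endpoint
    }
  };
  const observer = new MutationObserver(audit);
  for (const el of slots) {
    observer.observe(el, { childList: true, subtree: true, attributes: true, attributeFilter: ["src"] });
  }
  audit(); // initial check in case the swap happened before we attached
  return observer;
}

// Constructed snapshots standing in for what snapshotSlot would return.
const INTACT_SLOT = {
  slotId: "ad-slot-1",
  elements: [{ tag: "IFRAME", src: "https://ads.example-site.test/serve?id=42" }],
};
const SWAPPED_SLOT = {
  slotId: "ad-slot-1",
  elements: [
    { tag: "IFRAME", src: "https://plugin-ads.invalid/replace?slot=1" },
    { tag: "SCRIPT", src: "https://plugin-ads.invalid/inject.js" },
  ],
};
```

Note that this only tells the site something was swapped; a plugin running in the user’s browser can still alter the page, so the value of the check is in telemetry (how many sessions show replaced slots) rather than in blocking. The allow-list must contain every origin the site’s own ad pipeline legitimately uses, or the check will flood the report channel with false positives.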

“We’re not forcing any users to be bypassed, exploited or anything like that,” Mundorff told Krebs in a phone interview. “At that point, if they do agree, it will allow us to make posts on their wall through our system.”

Mundorff doesn’t appear to think he is doing anything illegal. In fact, he even had his lawyer sign off on his terms of service.

Needless to say, Facebook isn’t pleased with the emergence of a plugin that overrides paid advertisements, its main revenue stream, particularly at a time when it is trying to get as generous a valuation as possible for the IPO. Facebook recently sent Mundorff a cease-and-desist letter.

“Plugins such as LilyJade are configured to modify our [site] to inject ads and/or send spam through Facebook to the victim’s friends via wall posts and chat messages,” Fred Wolens, public policy manager at Facebook, told Krebs in a statement. “These alterations materially change people’s Facebook experience and bypass Facebook’s quality and security controls.”

In a later interview, Mundorff told Krebs that he has no intention of complying with Facebook’s request.

“I pretty much told them to go [expletive] themselves cause we cant post on anyones [sic] walls with out there [sic] permissions automated or not,” Mundorff told Krebs. “So they can go to hell.”

You can find Brian Krebs’s excellent piece of reporting here.


Categories: Social Engineering

Comments (7)

  1. CodeCompiler

    Actually, who is to decide what’s on their computers? Users. This is their right. No one can tell a user they can’t adblock, so why can’t they adinject? Simply put, this system is here for users’ choice. Facebook and Crossrider all state that they don’t want SPAM. Great, well, the user decides if it’s spam by CHOOSING to have our system installed and then CHOOSING to allow us to post on their walls and so forth.

    So explain to me how exactly it’s spam if the user agrees to have the system installed and this system is a plugin they can remove. Unlike other systems that are out there that hide and steal information, my system does not collect any personal information. So phishing is not included.

    Moral of the story is we don’t SPAM anyone’s walls because we have permission. We replace the ads because users approve and agree to have our system installed. My system allows ANYONE to be able to work from home and make money. So simply put, the users choose to have us installed; we are allowed to market.

    And we will not bow down to the largest company in the world because they feel that they should control what users have on their systems. Next thing you are going to be told is that you can’t use Windows 7 with this system because Facebook doesn’t want you to use it. Now you have the choice.

  2. Sean

    Your logic is flawed.

    There is a huge difference between hiding the ads on the page and replacing them with illegitimate ads in a way that deceives the end user.

    Sure, Facebook would love to have you see each and every ad that they choose to target you with. However, I am sure Facebook does not want to be associated with the garbage that this plugin would replace the ads on the page with. People who decide to click on the ads will assume that Facebook decided to serve them with malware ads (or whatever the case may be) when the real culprit is some jerk in Arizona who decides that as long as he flashes a link to a ToS, his activity is legal and perfectly acceptable. I hope that Facebook flexes their legal muscle and puts this guy out of business.

  3. Anonymous

    This is wrong in the same way that open-source apps from Sourceforge increasingly bundle toolbars and other 3rd party software with the installer. As a consumer, the product scope should be limited to a simple exchange. I would not call this a bait-and-switch or deceptive, but the word ‘untruthy’ comes to mind.


  4. Anonymous

    When you sell this product on hacking forums, you sell them in turn to people who command botnets. And you have done so as well. So hardly the user accepting is it sir?

  5. Anonymous

    I see nothing wrong with this, as anyone on the internet should know: “Read the ToS”. If you do not like it, uninstall it! This is the same for toolbars or any other plug-ins.
