
URLs redirect to spyware site

We are developing an app that makes posts on behalf of our users to Facebook. Within those posts, we want to put links to external (non-Facebook) websites.

Looking at the links in the status bar of the browser (usually Chrome), the correct URL is displayed. However, Facebook seems to wrap the actually-clicked link into some extra bells-and-whistles. Usually, this works correctly.

Sometimes, however, this URL wrapping ends up sending the click to a URL like:

http: //spywaresite.info/0/go.php?sid=2

(added space to make it non-browsable!) which generates Chrome's severe warning message:

[image]

This happens very occasionally on Chrome, but very much more often in the iOS browser on the iPhone.

Does anyone have any pointers as to how to deal with this?


EDIT

For example, the URL we put in the link is

http://www.example.com/some/full/path/somewhere

but the URL that actually gets clicked is:

http://platform.ak.fbcdn.net/www/app_full_proxy.php?app=374274329267054&v=1&size=z&cksum=fc1c17ed464a92bc53caae79e5413481&src=http%3A%2F%2Fwww.example.com%2Fsome%2Ffull%2Fpath%2Fsomewhere

There seems to be some JavaScript goodness in the page that unscrambles that and usually redirects correctly.

EDIT2

The links above are put on the image and the blue text to the right of the image in the screenshot below.

Mousing over the links (or the image) in the browser shows the correct link. Right-clicking on the link and selecting "Copy Link Address" gets the fbcdn.net link above (or one like it). Actually clicking on the link seems to set off some JavaScript processing of the fbcdn.net link into the right one... but sometimes that processing fails.

[image]

Peter K. asked Nov 05 '22 00:11


1 Answer

I'm not 100% sure what you're asking here, but I'll tell you what I know: are you referring to this screen on Facebook?

[Screenshot of interstitial]
(or rather, the variation of that screen which doesn't allow clickthrough?)

  • If you manually send a user to facebook.com/l.php?u=something they'll always see that message - it's a measure to prevent an open redirector
    • If your users are submitting such links, including the l.php link, you'll need to extract the destination URL (in the 'u' parameter)
    • If you're seeing the l.php URLs come back from the API this is probably a bug.

If links clicked on facebook.com end up on the screen it's because Facebook have detected the link as suspicious (e.g. for URL redirector sites - the screen will allow clickthrough but warn the user first) or malicious/spammy (will not allow clickthrough).

In your app you won't be able to post links to the latter (an error will come back saying the URL is blocked), and the former may throw a captcha sometimes (if you're using the Feed dialog, this should be transparent to the app code, the user will enter the captcha and the dialog will return as normal).

If this isn't exactly what you were asking about please clarify and I'll update my answer.

Igy answered Nov 15 '22 05:11
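
The answer's advice to extract the destination from the `u` parameter of a user-submitted l.php link could look like the following. This is an added example, not code from the question or the answer; the function name, the set of accepted hosts (facebook.com and its subdomains), the http/https allowlist and the nesting limit are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web links are posted
MAX_DEPTH = 3  # assumption: upper bound on wrappers nested inside wrappers


def _is_facebook_host(host):
    # Exact or dot-suffix match only; a substring test would also accept
    # look-alike hosts such as facebook.com.example.net.
    host = (host or "").lower().rstrip(".")
    return host == "facebook.com" or host.endswith(".facebook.com")


def unwrap_facebook_link(url):
    """Return the destination of a facebook.com/l.php?u=... link.

    URLs that are not l.php wrappers are returned unchanged. Raises
    ValueError when a wrapper carries no usable destination.
    """
    url = url.strip()
    for _ in range(MAX_DEPTH):
        parts = urlsplit(url)
        if not (_is_facebook_host(parts.hostname) and parts.path == "/l.php"):
            return url
        # parse_qs percent-decodes the value; other parameters are ignored.
        values = parse_qs(parts.query).get("u", [])
        if len(values) != 1:
            raise ValueError("l.php link without exactly one 'u' parameter")
        dest = urlsplit(values[0])
        # Store only absolute http(s) destinations; anything else is rejected
        # rather than passed on to the post.
        if dest.scheme not in ALLOWED_SCHEMES or not dest.hostname:
            raise ValueError("destination is not an absolute http(s) URL")
        url = values[0]
    raise ValueError("too many nested l.php wrappers")
```

Run it on each submitted link before posting, and treat a `ValueError` as a reason to reject the submission instead of posting the wrapper itself.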