Popular forum mod quietly adds cloaking to unsuspecting sites, earns 1.7 million backlinks over 2 months


PHP coder Ophir Prusak of the New York PHP user group installed a mod that promised to convert his standard Invision Power Board URLs to "search engine friendly" ones. It appears to do a nice job of adding post titles/keywords to the URLs. Unfortunately, he also discovered it added user-agent cloaking to insert backlinks on his pages, as revealed by his manual inspection of the Google cache.

Ophir got more than he expected, but was astute enough to catch the trojan code during development. Buyer beware, right? This was a free mod, and sometimes you have to wonder what webmasters expect when they incorporate code snippets into their sites without carefully reading through every line.

In this case, however, things appear to be a bit more nefarious. The code applied user-agent cloaking to search engine spiders as a means of inserting 13 backlinks into every page of his blood pressure monitor website. User-agent cloaking is against the terms of service of major search engines, and can lead to penalization as well as outright banning from the search engine results pages.

I took a look at the FURL modification from IPB fan board Invisionize.com. The newest beta 3.1 was posted December 1, 2005 by user "Kim", member #591, apparently from Manchester, UK. Sure enough, buried at the end of the php code is a section that matches the incoming user agent string against IPB's "search engine bots" class, cloaking the site for known search engine spiders, and inserting 13 backlinks for the author's Manchester, UK website using various music industry anchor text. This SEO tactic seems to have worked well for him in Google.
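One way to check a site you run for this kind of user-agent cloaking, as an added example (not code from the FURL mod or from the original post): fetch the same page once with a browser User-Agent and once with a crawler User-Agent, then list the off-site links that only the crawler received. The sample pages, hostnames and function names below are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
from urllib.request import Request, urlopen

class _Links(HTMLParser):
    """Collect (absolute URL, anchor text) for every <a href> in a page."""
    def __init__(self, base_url):
        super().__init__()
        self.base, self.links, self._href, self._text = base_url, set(), None, []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._href, self._text = urljoin(self.base, href), []

    def handle_data(self, data):
        if self._href:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.add((self._href, " ".join("".join(self._text).split())))
            self._href = None

def offsite_links(html, page_url):
    """Links that point at a host other than the page's own host."""
    parser = _Links(page_url)
    parser.feed(html)
    parser.close()
    own = urlsplit(page_url).hostname
    return {l for l in parser.links if urlsplit(l[0]).hostname not in (None, own)}

def crawler_only_links(browser_html, crawler_html, page_url):
    """Off-site links served to the crawler UA but not to the browser UA."""
    return sorted(offsite_links(crawler_html, page_url) - offsite_links(browser_html, page_url))

def fetch(url, user_agent):
    """Fetch a page on a site you run, sending the given User-Agent header."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Constructed sample responses for one forum page (not taken from the FURL mod).
# Internal links are ignored because they can legitimately differ per visitor.
PAGE = "http://forum.example/index.php?showtopic=1"
AS_BROWSER = '<a href="index.php?showtopic=2&amp;s=abc123">Next</a><a href="http://vendor.example/">Help</a>'
AS_CRAWLER = ('<a href="index.php?showtopic=2">Next</a><a href="http://vendor.example/">Help</a>'
              '<a href="http://backlink.example/">music <b>keyword</b></a>')
print(crawler_only_links(AS_BROWSER, AS_CRAWLER, PAGE))
```

On a live site, call `fetch` twice with the two User-Agent strings and pass both bodies to `crawler_only_links`. An empty result only rules out cloaking keyed on the User-Agent header, which is the mechanism described here.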

A search of Google for the unique string "SEO Powered by FURL" reveals 1.79 million pages in Google indexed with that cloaked content. A search for "SEO Powered by FURL" plus unique text from one of the inserted links shows over 534,000 successfully inserted, cloaked, backlinks in Google. That's 1.79 million pages at risk of banning from the search engines due to the cloaking added by FURL. Not exactly the outcome expected by webmasters who added the FURL rewrite modification in hopes of making their sites more "search engine friendly".

Out of fairness to Kim, the PHP code includes a comment at the bottom of the file, preceding the cloaking code. It says:

Quote:
// Tracking Code / Copyright String - DO NOT REMOVE
// -----------------------------------------------=
// !!Please leave this code in, if you dont then please remove the mod from your site!!
// !!You are only free to use this mod while the following line is in!!
// I went to alot of time making this mod and would like a little
// in return so i can continue to spend time upgrading it,
// instead of charging for this mod ive put some link code in
// this just links back to my site using my keywords to improve
// my rating on Search Engines, the links only appears to search
// bots though so its not on every page.
//
// Its also because i like seeing my mods in use on other peoples sites!

It seems Mr. Kim has provided full disclosure. He acknowledges the cloaking and the backlinks, and suggests that if you don't like it, you should not use his mod.

I personally would not have mentioned this here had it not been exposed first elsewhere as allegedly misleading, unscrupulous, or deceptive. But now that it has been so alleged (or, in fact, demonstrated), and appears capable of taking advantage of scores (millions?) of unsuspecting webmasters who are actually trying to improve their search engine positions, I point out the following:

  1. SEO is best left to professionals.
  2. There is a doc file distributed with this mod. It makes no mention of the cloaking nor the 13 backlinks.
  3. Mr. Kim does demonstrate the use of the "Powered by FURL" as a tracking code in that doc, by offering a link to a Google search as evidence of the installed user base (as many open source projects do). What is quite different here is the use of user agent cloaking, and the lack of up-front awareness of that and the backlinks in the documentation (because his notes were present only as comments at the end of his php code).
  4. This mod is distributed as a means of increasing search engine friendliness, while violating one of the most serious Google Webmaster Guidelines and thus adding significant risk of ban or penalty to websites using it.

One cannot assume that Mr. Kim was aware of the significant risk associated with the user-agent cloaking used in his mod, which he recommended to Invision Board users as a way to

Quote:
...allow search engines to index your site a lot more than with the standard URLs.

One can safely assume, however, that if he was not aware of this danger, he had no business advising others on Search Engine Optimization. In my opinion, he should now reaffirm his intent to contribute to the IPB community by tracking down those 1.7 million webmasters before they suffer the consequences of his inadequate SEO skillz.

Comments

Damn it

I used that mod and installed it on many IPB's.

I never thought of this, or never thought developers of mods would really pursue this kind of action.

IPB sure as hell doesn't

IPB sure as hell doesn't have 1.7 million customers!

I've used this mod in the past.

I thought everyone removed

I thought everyone removed footprints? It's just standard practice, why let others know what you're using? If you're not auditing the code for the contribution/modification, the onus of responsibility is on you.

He's commented his code, and could've inserted any old shit in there, submitting a billion HTTP requests to competitors' websites or anything. You didn't check, your fault. It's absolutely Caveat Emptor.

End of the day, he's spent time writing the modification, and has every right to assert requirements for use -- many open-source applications do this very thing, including other fora software.

(FWIW, 'You' in this instance implies the generic forum administrator, rather than anyone in this thread specifically :p)

76 sites, 1.7mil pages

what John Andrews and notready said

Taking advantage of people's

Taking advantage of people's trust and placing their sites in danger of getting banned is a shitty thing to do.

That's just my opinion.

really?

wibblewobble: I agree he has a right to set the terms. But install cloaking under the guise of seo? And move the disclosure to code comments? I wonder what you think from this...do you get the impression he is ignorant of the risks of cloaking, or simply taking advantage of market inefficiencies (e.g. user ignorance)?

Cloaking now removed from this mod.

I was unaware of the effects of the cloaking that I added in this mod. This code has now been removed from the latest version. I'm very sorry that this has caused any trouble for anyone.

If you have an older version just reupload FURL.php to your server from the v3.2 zip.

http://mods.invisionize.com/db/index.php/f/5850

On a related note

On a related note I was just installing some WordPress themes for a client and due to this thread I made an extra effort to look through the templates for odd stuff.

A single link crediting an author seems OK with me, but a lot of them actually had attribution in the footer so it would have been shown as links on all pages. All in the open though, not cloaked.

Fixed the cloaking bit!?!?

What do you mean? I can't blame Kim for wanting a couple of links in return. So..... are these (random?) links going to be public and visible to human visitors from now on then?

Dunno

Edited my previous comment as I don't know exactly what Kim has fixed. His comment sounds like he has removed that whole part of the code, but I agree it's open to interpretation, and I haven't personally compared the old code to the new.

Neither have I...

...because I'm a crappy coder. I was just asking.....

Either way I still think that KIM can do whatever he/she likes in that code. esp. will the "disclaimer" in real harm was done eh? (just asking - again)

looks fixed

If you get the mod and take a look, he has removed the cloaking code, and removed the backlinks. The version update has not been annotated (no revision notes) but this version does not have the disclosure in the comments nor any mention of license or usage requirements. Just free code.

Given that it appears to work and has advanced the state of the art of re-writing for Invision Power Board (there has been some subsequent discussion of minor tweaks and situational considerations on the mod boards...) his contribution is good for IPB users seeking more friendly URLs and a re-write infrastructure.

:)

Thanks for your comments John. Yes, I have now removed all backlinks and everything so this is now 100% free to use with no limitations or anything added to your pages other than the rewritten URLs.

Thanks for bringing the problems with useragent cloaking to my attention. I was unaware of the issues with it.

Is 2.0 version fixed?

Do you have this fixed for IPB 2.0.x yet?

So the ole "trust me I won't

So the ole "trust me I won't screw you again, really!" nice.. best of luck with that
