Original article: https://www.malwarebytes.com/blog/news/2025/08/adult-sites-t...

The linked article just regurtitates the source.

I'm curious how you can click the like button using JavaScript…

I think some people on the SVG design committee were aiming to replace Flash for things like browser games, and wanted animations and javascript and so on to support that role.

That lead to the weird situation where browsers have two ways of embedding an SVG into a web page - embed in an <img> tag and the javascript won't run, but embed it in an <iframe> and it will (but of course iframe height can't auto-size...)

The javascript also means pretty much no user-generated-content sites allow the upload of SVGs. Wikipedia is the only place I can think of - and even they serve the SVG as a PNG almost everywhere.

Finally, a reason why porn in incognito mode is actually a safety mechanism.

“The user will have to be logged in on Facebook for this to work, but we know many people keep Facebook open for easy access.”

Well there's your problem right there.

> Facebook regularly shuts down accounts that engage in these sorts of abuse.

But does not fix the CSRF vulnerability, apparently.

> The Scalable Vector Graphics format is an open standard for rendering two-dimensional graphics.

It would be nice if we had one of those, but SVG is not it, at least not unless you’re willing to gloss HTML as “an open format for rendering reflowable text”. SVG is a full platform for web applications with fixed-layout graphics and rich animations, essentially Flash with worse development tools.

There have been some attempts to define a subset of SVG that represents a picture, like SVG Tiny, but that feels about as likely to succeed as defining JSON by cutting things out of JavaScript. (I mean, it kind of worked for making EPUB from HTML+CSS...) Meanwhile, other vector graphics formats are either ancient and not very common (CGM, EPS, WMF/EMF) or exotic and very not common (HVIF, IconVG, TinyVG).

(My personal benchmark for an actual vector format would be: does it allow the renderer to avoid knowing the peculiarities of Arabic, Burmese, Devanagari, or Mongolian?)

SVG really is just an awful format. What the market wanted was a clean, easily parseable specification for vector image data based on a solid rendering specification. What it got was an extensible HTML-like scripting language where all the vector stuff was ad hoc and poorly implemented, and where (this is the bit that absolutely drives me up the wall) the actual image data is not stored in the metadata format they chose. You have to parse this entirely different string format if you want to extract the points on your curve or whatever!

I remember opening one svg that totally wrecked my computer, I had to cold reboot; nothing worked, the system hanged down to the kernel. It was impressive. Never happened again with any other kind of file.

This makes no sense. How does SVG click Facebook like button? Is there a vulnerability? The post doesn't say anything like that.

Why are they clicking like buttons instead of stealing money from bank accounts then?

All the more reason to block all JS by default with add-ons like NoScript or uBO and manage a whitelist.

It's a bit annoying the first few days, but then the usual sites you frequent will all be whitelisted and all that's left are random sites you come across infrequently.

Where is the SVG?