RBAND

Why you should not use Pluso and why it inserts an IFRAME

The service quickly gained popularity thanks to a simple procedure for integrating buttons into websites that requires no deep knowledge. In this article we explain what threats the Pluso service poses and why you should choose better-proven, more secure alternatives!


The subject of today's story is Pluso, a well-known service for quickly configuring and integrating social buttons for cross-posting to social networks. We were motivated to write this article by a situation we once encountered in our own projects.

The service quickly gained popularity thanks to a simple procedure, requiring no deep knowledge, for setting up and integrating buttons on any website. The attractive, modern button design drew an audience to the service, and the plugin began to sell like hotcakes.

HOW PLUSO WORKS AND HOW IT IS INSTALLED ON A SITE

To install it on a site, you are asked to add JS code to the page and insert HTML markup wherever you need the buttons, for example:

<script type="text/javascript">(function() {
  if (window.pluso)if (typeof window.pluso.start == "function") return;
  if (window.ifpluso==undefined) { window.ifpluso = 1;
    var d = document, s = d.createElement('script'), g = 'getElementsByTagName';
    s.type = 'text/javascript'; s.charset='UTF-8'; s.async = true;
    s.src = ('https:' == window.location.protocol ? 'https' : 'http')  + '://share.pluso.ru/pluso-like.js';
    var h=d[g]('body')[0];
    h.appendChild(s);
  }})();</script>
<div class="pluso" data-background="#ebebeb" data-options="big,square,line,horizontal,counter,theme=04" data-services="vkontakte,odnoklassniki,facebook,twitter,google,moimir,email,print"></div>

It is clear from the JS snippet that its job is to load third-party JS from the Pluso service, which happens when the page loads. The loaded script then executes whatever code the developer has provided, namely:

  1. Initializes the social buttons
  2. Counts reposts
  3. And whatever else the developer wants

If you have already guessed what danger we are talking about, well done! For those who have not yet grasped the full extent of the risk, I will explain.

The fact is that the script you include in your project is physically hosted by the Pluso service, and you neither own nor control the code and logic that run on your site, because only the developer has physical access to the script! Put simply, you voluntarily integrate into your website code that the developer can easily change and that performs whatever functions the developer wants to implement.

We seem to have dealt with the threat of arbitrary code being introduced onto your website. But threats are one thing, and facts are quite another.

Time passed, Pluso's audience grew, and the number of user sites increased. At some point, the developers of the service decided to take the opportunity to make money from their users and, probably, to leak information about your sites' visitors to third parties. The developers added scripts to their JS code to collect information and to solve other problems known only to them. In an instant, all users of the service turned into cash cows, deceived by the service's developers.

PLUSO INSERTS AN IFRAME INTO THE PAGE LAYOUT: HOW TO FIX IT?

YOU CAN'T! You need to stop using the Pluso service completely and switch to time-tested, safe scripts for integrating social buttons, for example share42.

In some cases, when the Pluso plugin is connected, an iframe is dynamically loaded into the page markup. This happens after some time.

Unknown, unnecessary code and content are loaded dynamically.
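
To see for yourself what a third-party widget adds to a page after it has loaded, you can watch the DOM for late insertions. The following is an added example, not code from this article or from Pluso; the allowlisted hosts (`www.example.com`, `cdn.example.com`) and the function names `classifyNode` and `scanAdded` are assumptions.

```javascript
// Added example, not Pluso's or the article's code.
// ALLOWED_HOSTS is an assumption: list the hosts your own pages really load from.
const ALLOWED_HOSTS = new Set(['www.example.com', 'cdn.example.com']);
const WATCHED_TAGS = new Set(['SCRIPT', 'IFRAME']);

// Returns a finding for an untrusted <script>/<iframe>, or null if the node is fine.
function classifyNode(node, pageUrl, allowed = ALLOWED_HOSTS) {
  const tag = String(node.tagName || '').toUpperCase();
  if (!WATCHED_TAGS.has(tag)) return null;
  const raw = node.src || '';
  if (!raw) {
    // Inline scripts have no host to check; a frame without src can be
    // filled in later by whichever script created it, so report it.
    return tag === 'IFRAME' ? { tag, host: null, reason: 'frame without src' } : null;
  }
  let url;
  try { url = new URL(raw, pageUrl); } // resolves relative and protocol-relative URLs
  catch { return { tag, host: null, reason: 'unparsable src' }; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { tag, host: null, reason: 'non-http scheme ' + url.protocol };
  }
  if (allowed.has(url.hostname)) return null;
  return { tag, host: url.hostname, reason: 'host not on allowlist' };
}

// Checks a batch of added nodes, including elements nested inside a wrapper.
function scanAdded(nodes, pageUrl, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const n of nodes) {
    const nested = n.querySelectorAll ? Array.from(n.querySelectorAll('script,iframe')) : [];
    for (const el of [n, ...nested]) {
      const finding = classifyNode(el, pageUrl, allowed);
      if (finding) findings.push(finding);
    }
  }
  return findings;
}

// Browser wiring (skipped outside a browser): watch for elements added after load.
if (typeof MutationObserver !== 'undefined' && typeof document !== 'undefined') {
  new MutationObserver((records) => {
    for (const r of records) {
      for (const f of scanAdded(r.addedNodes, location.href)) {
        console.warn('Untrusted element injected after load:', f);
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

This only reports what was injected. To have the browser refuse such frames and scripts, restrict `frame-src` and `script-src` in a Content-Security-Policy header.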

CONCLUSIONS

Let's summarize this article with our recommendations for the future:

  1. Immediately stop using the Pluso service unless you want to be voluntarily deceived.
  2. Beware of third-party scripts that are hosted on third-party services: you have no control over their content.

Thank you all for your attention! Be careful! We hope that the article was useful to you.

Andrey Perederiy

Lead Developer
