Use and abuse of the Facebook "Like"-code
A while ago I noticed that a lot of my Facebook friends "liked" a page called "This Man Took A Photo Of Himself Everyday For 15 Years In A Row, Look at the Results!", or something similar. Curious as to what that was about, I clicked on the link. It transferred me to a page that, in addition to embedding the (rather cool) video "Living My Life Faster" by JK Keller (don't worry, harmless link), added itself to my "liked" pages without my approval...
Then this week I saw the same thing happen again, this time with a page called "O.M.F.G.! You Won't Believe What I Saw At WalMart Today.." or "The Guy With The Biggest Pecker On Earth" (both at craziestattoos.blogspot.com, possibly unsafe link), and another one called "What Mary-Kate Olsen Looks Like As E.T.! LMAO" (funny-celeb-pics.blogspot.com, also possibly unsafe - thanks Folkert for testing that one ;).
It turns out that the new "Like" mechanism that Facebook introduced recently allows not only Facebook content but also external pages to have a "Like" button. For example, I added one to the bottom of this page using the fb_like module for Drupal (still in development, but does kind of work).
Of course any link can lead to a site with malicious content, so there's no reason to become overly paranoid. And I would expect that Facebook will employ some kind of blacklist or automatic security scanning eventually. But the fact that this is needed is a bit lame. Also, it would take a while for sites to be added to a blacklist, leaving plenty of opportunity for them to go "viral".
So I guess the bottom line is: if you see that a lot of your Facebook friends suddenly "Like" a page, be wary before you click on it. It's always a good idea to check where the link leads first! Your browser will tell you when you hover your mouse over it, usually in the bottom left corner. If you're not sure it's safe, just copy the link and then log out of Facebook before visiting it. Malicious pages will usually ask you to click on something to continue (thus activating the Like button). If you're not logged in to Facebook, you'll see a login window pop up, and you'll know that it's a malicious page (or at least one that tries to do something behind your back).
If you forgot to log out and don't trust it after having visited a page, check if it has added itself to your "liked" pages afterwards. You can see and edit all your "liked" pages by clicking "Edit my profile" in the top-left Facebook menu, then "Likes and interests" and then "Show other pages" at the bottom of the page, just above "Save changes".
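One defender-side check for the trick described above, added here as an example and not part of the original post: a heuristic that flags a Facebook Like-button iframe which has been made transparent and layered over the page so that a "click to continue" lands on it. It assumes the Like button is loaded from facebook.com/plugins/like.php?href=... (the URL the button used at the time) and takes frame descriptors as plain objects (constructed sample data, with scam.example and example.com as placeholder sites) so it runs without a browser.

```javascript
// Heuristic "likejacking" detector (added example). A likejacking page hides a
// facebook.com Like-button iframe (transparent, high z-index, taken out of the
// normal flow over a visible "click to continue" element) so the click lands on Like.
// Frame descriptors are plain objects here (constructed data); in a browser you
// would build them from document.querySelectorAll('iframe') + getComputedStyle().

// Assumption: the Like button iframe loads facebook.com/plugins/like.php?href=...
function isLikeFrame(src) {
  try {
    const u = new URL(src);
    return /(^|\.)facebook\.com$/.test(u.hostname) && u.pathname === '/plugins/like.php';
  } catch (e) {
    return false; // not a parseable absolute URL
  }
}

// Reasons a Like frame looks like a clickjacking overlay; [] when it looks normal
function likejackingReasons(frame) {
  if (!isLikeFrame(frame.src)) return [];
  const reasons = [];
  const opacity = Number(frame.opacity);
  if (Number.isFinite(opacity) && opacity <= 0.1) reasons.push('near-invisible');
  const z = parseInt(frame.zIndex, 10);
  if (Number.isFinite(z) && z >= 1000) reasons.push('stacked above page content');
  if (frame.position === 'absolute' || frame.position === 'fixed') reasons.push('taken out of normal flow');
  // Flag only a frame that is hidden AND positioned to intercept clicks
  return reasons.includes('near-invisible') && reasons.length >= 2 ? reasons : [];
}

// Scan all frames; report each suspicious one with the page it would have "liked"
function findLikejackingFrames(frames) {
  const hits = [];
  for (const frame of frames) {
    const reasons = likejackingReasons(frame);
    if (reasons.length === 0) continue;
    hits.push({ src: frame.src, wouldLike: new URL(frame.src).searchParams.get('href'), reasons });
  }
  return hits;
}

// Constructed sample data: a normal Like button, a hidden overlay, an unrelated hidden frame
const SAMPLE_FRAMES = [
  { src: 'http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.com%2F',
    opacity: '1', zIndex: 'auto', position: 'static' },
  { src: 'http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fscam.example%2Fvideo',
    opacity: '0', zIndex: '9999', position: 'absolute' },
  { src: 'https://example.com/embed/video', opacity: '0', zIndex: '9999', position: 'absolute' },
];
console.log(JSON.stringify(findLikejackingFrames(SAMPLE_FRAMES), null, 2));
```

Only the second frame is reported, together with the page it would have added to your "liked" pages; a visible Like button and a hidden frame from another site pass through.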
Here's a list of the clickjacking sites I came across so far:
- This Man Took A Photo Of Himself Everyday For 15 Years In A Row, Look at the Results! (mediasconnect.com)
- O.M.F.G.! You Won't Believe What I Saw At WalMart Today.. (craziestattoos.blogspot.com)
- The Guy With The Biggest Pecker On Earth (craziestattoos.blogspot.com)
- What Mary-Kate Olsen Looks Like As E.T.! LMAO (funny-celeb-pics.blogspot.com)
- 15 Worst Construction Mistakes EVER MADE! (construction-mistakes.info)
- Finally: The Dislike Button is Here! (www.dislike-btn.info)
- ██████████████► I Will NEVER TEXT Again After Seeing THIS VIDEO!! ◄██████████████ (smsstop.info)
- █████████► OMG... Look What This 6 YEAR OLD found in Her HAPPY MEAL from McDonalds! ◄█████████ (mcdshockingmeals.tk)
A month or so after writing this article (now just over a year ago) I stopped tracking these clickjacking posts - it was becoming too much work as they kept popping up more regularly in my Facebook Newsfeed. Now it's gotten so bad that I come across clickjacking scams almost on a daily basis. Apparently most people still don't realise that these links are fake and can spread virally among your Facebook friends if you click on them. What worries me more though is that, contrary to my expectation a year ago, Facebook seems unable or unwilling to do something about the problem. The excellent Sophos Naked Security blog has some particularly nasty examples of Facebook clickjacking scams. Apparently there's even a separate term for it now: Like-jacking...