Use and abuse of the Facebook "Like"-code

by levien on Thu 07 July 2011 // Posted in misc

A while ago I noticed that a lot of my Facebook friends "liked" a page called "This Man Took A Photo Of Himself Everyday For 15 Years In A Row, Look at the Results!", or something similar. Curious as to what that was about, I clicked on the link. It transferred me to a page that, in addition to embedding the (rather cool) video "Living My Life Faster" by JK Keller (don't worry, harmless link), added itself to my "liked" pages without my approval...

Then this week I saw the same thing happen again, this time with a page called "O.M.F.G.! You Won't Believe What I Saw At WalMart Today.." or "The Guy With The Biggest Pecker On Earth" (both at craziestattoos.blogspot.com, possibly unsafe link), and another one called "What Mary-Kate Olsen Looks Like As E.T.! LMAO" (funny-celeb-pics.blogspot.com, also possibly unsafe - thanks Folkert for testing that one ;).

It turns out that the new "Like" mechanism that Facebook introduced recently allows not only Facebook content but also external pages to have a "Like" button. For example, I added one to the bottom of my Drupal site using the fb_like module for Drupal.

While this is nice, it seems that this feature can quite easily be abused. It's not hard to hide the Like button (which is loaded from the Facebook site in an iframe) by putting an opaque HTML element over it. Various JavaScript tricks can then be used to let your browser "click" on the hidden Like button without your (explicit) approval. This technique has been termed "clickjacking". Usually you won't notice this until you check your own Newsfeed. The first two sites that I saw doing this seemed harmless enough, but the one at craziestattoos.blogspot.com employed a large amount of JavaScript code with an unknown purpose. (Update: Eldar Marcussen went to the trouble of figuring out what it does. Apparently the site author was trying to make some money by presenting you with surveys. So in this case it wasn't too serious, but...) It's not hard to imagine sites with all kinds of malicious content employing this trick to spread themselves through your social network.
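The hidden-Like-button setup described above can be recognised from the page's own layout: a Facebook Like iframe that is transparent, tiny, or sits underneath an opaque element that lets clicks fall through. The heuristic below is an added example written for this post, not code from the original article; it works on plain element descriptors (tag, src, bounding rectangle, computed opacity, z-index and pointer-events), which a browser extension would collect with `getBoundingClientRect()` and `getComputedStyle()`, so that it also runs outside a browser. The sample page is constructed.

```javascript
// Heuristic detector for hidden Facebook Like frames (added example, not from the post).
// Element descriptors: { tag, src, rect: {x, y, w, h}, opacity, zIndex, pointerEvents }.
const LIKE_HOST = /(^|\.)facebook\.com$/;

// True for iframes that load the Facebook Like plugin (facebook.com/plugins/like...).
function isLikeButtonFrame(el) {
  if (el.tag !== 'iframe' || !el.src) return false;
  let u;
  try { u = new URL(el.src); } catch { return false; }
  return LIKE_HOST.test(u.hostname) && u.pathname.startsWith('/plugins/like');
}

// Axis-aligned rectangle overlap test on the elements' bounding boxes.
function overlaps(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
}

// Returns one finding per Like frame that looks hidden, with the reasons why.
function detectLikejacking(elements) {
  const findings = [];
  for (const frame of elements.filter(isLikeButtonFrame)) {
    const reasons = [];
    if (frame.opacity < 0.1) reasons.push('frame is (almost) transparent');
    if (frame.rect.w < 10 || frame.rect.h < 10) reasons.push('frame is tiny');
    for (const other of elements) {
      if (other === frame || other.tag === 'iframe') continue;
      // Only elements stacked at or above the frame can cover it.
      if (other.zIndex < frame.zIndex || !overlaps(other.rect, frame.rect)) continue;
      // An opaque cover with pointer-events:none shows a decoy while clicks reach the frame.
      if (other.opacity >= 0.5 && other.pointerEvents === 'none') {
        reasons.push(`covered by <${other.tag}> with pointer-events:none`);
      }
    }
    if (reasons.length) findings.push({ src: frame.src, reasons });
  }
  return findings;
}

// Constructed sample: a fake "Play" button over a transparent Like frame, plus an honest one.
const LIKE_SRC = 'https://www.facebook.com/plugins/like.php?href=http://example.test/';
const SAMPLE_PAGE = [
  { tag: 'div', src: null, rect: { x: 100, y: 100, w: 200, h: 50 }, opacity: 1, zIndex: 10, pointerEvents: 'none' },
  { tag: 'iframe', src: LIKE_SRC, rect: { x: 150, y: 110, w: 90, h: 20 }, opacity: 0, zIndex: 1, pointerEvents: 'auto' },
  { tag: 'iframe', src: LIKE_SRC, rect: { x: 10, y: 800, w: 90, h: 20 }, opacity: 1, zIndex: 0, pointerEvents: 'auto' },
];

console.log(JSON.stringify(detectLikejacking(SAMPLE_PAGE), null, 2));
```

Only the first frame is reported (transparent and covered); the visible one at the bottom of the page passes.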

Of course any link can lead to a site with malicious content, so there's no reason to become overly paranoid. And I would expect that Facebook will employ some kind of blacklist or automatic security scanning eventually. But the fact that this is needed is a bit lame. Also, it would take a while for sites to be added to a blacklist, leaving plenty of opportunity for them to go "viral".

So I guess the bottom line is: if you see that a lot of your Facebook friends suddenly "Like" a page, be wary before you click on it. It's always a good idea to check where the link leads first! Your browser will tell you when you hover your mouse over it, usually in the bottom left corner. If you're not sure it's safe, just copy the link and then log out of Facebook before visiting it. Malicious pages will usually ask you to click on something to continue (thus activating the Like button). If you're not logged in to Facebook, you'll see a login window pop up, and you'll know that it's a malicious page (or at least one that tries to do something behind your back).

If you forgot to log out and don't trust it after having visited a page, check if it has added itself to your "liked" pages afterwards. You can see and edit all your "liked" pages by clicking "Edit my profile" in the top-left Facebook menu, then "Likes and interests" and then "Show other pages" at the bottom of the page, just above "Save changes".

Here's a list of the clickjacking sites I came across so far:

  • This Man Took A Photo Of Himself Everyday For 15 Years In A Row, Look at the Results! (mediasconnect.com)
  • O.M.F.G.! You Won't Believe What I Saw At WalMart Today.. (craziestattoos.blogspot.com)
  • The Guy With The Biggest Pecker On Earth (craziestattoos.blogspot.com)
  • What Mary-Kate Olsen Looks Like As E.T.! LMAO (funny-celeb-pics.blogspot.com)
  • 15 Worst Construction Mistakes EVER MADE! (construction-mistakes.info)
  • Finally: The Dislike Button is Here! (www.dislike-btn.info)
  • ██████████████► I Will NEVER TEXT Again After Seeing THIS VIDEO!! ◄██████████████ (smsstop.info)
  • █████████► OMG... Look What This 6 YEAR OLD found in Her HAPPY MEAL from McDonalds! ◄█████████ (mcdshockingmeals.tk)

UPDATE (2011-07-08):

A month or so after writing this article (now just over a year ago) I stopped tracking these clickjacking posts - it was becoming too much work as they kept popping up more regularly in my Facebook Newsfeed. Now it's gotten so bad that I come across clickjacking scams almost on a daily basis. Apparently most people still don't realise that these links are fake and can spread virally among your Facebook friends if you click on them. What worries me more though is that, contrary to my expectation a year ago, Facebook seems unable or unwilling to do something about the problem. The excellent Sophos Naked Security blog has some particularly nasty examples of Facebook clickjacking scams. Apparently there's even a separate term for it now: Like-jacking...