
Ingenious Hack by Facebook Spammers: Smoking Hot Bartenders

176 points, by jgv, over 14 years ago

13 comments

ax0n, over 14 years ago

It's clickjacking. That was 2008. This is clickjacking with a like button. I wrote about it in early June ( http://www.h-i-r.net/2010/06/viral-like-jacking-on-facebook.html ) and it was already somewhat old-hat by then. In fact, I think I covered the same technical details this person did.

It's not really ingenious. It's just scammy behavior and yet another fine reason to run NoScript.
patio11, over 14 years ago

Tangentially related: I do not know if people have figured this out yet: liking something gives them permission to write to your status feed. I think after that gets widely understood people will be less promiscuous with the thumbs up, because it will be associated with being spammed to heck.

I have done this to myself, incidentally, because I did not believe the doc that said it was possible.

"If you include Open Graph tags on your Web page, your page becomes equivalent to a Facebook page. This means when a user clicks a Like button on your page, a connection is made between your page and the user. Your page will appear in the "Likes and Interests" section of the user's profile, and you have the ability to publish updates to the user. Your page will show up in same places that Facebook pages show up around the site (e.g. search), and you can target ads to people who like your content."
jacquesm, over 14 years ago
Ever since a facebook widget showed the names of a bunch of people I know on the right-hand side of an unrelated website I've stopped going there. I logged out of facebook and I haven't logged in since then. I'd much prefer it if they stayed within their 'boundaries of expected online territory', and to see them popping up on sites that I normally visit but that I do not associate with facebook at all was enough to push me over the edge.<p>I'm sure that plenty of people couldn't care less, but I think it's a creepy thing.
tlrobinson, over 14 years ago

Clickjacking (the name of this exploit) is one reason many sites have frame-busting JavaScript.

Of course the whole point of the Facebook "Like" button is to be embedded on other websites, so frame busting is out of the question. I'm not sure if there's a quick fix for this. Browsers need to disallow clicking of transparent iframes.
abalashov, over 14 years ago

I got p0wned earlier today by the same sort of chat-bot/spam exploit I've been seeing from some of my friends.

As a Chrome user on Linux, and a pretty much lifelong user of Linux on the desktop, I am rather unaccustomed to being the victim of such exploits, so I didn't immediately know what to do. This one appears to be purely browser/JS-based and/or perhaps exploits some weakness in the Facebook API.

It started when a (presumably "infected") friend of mine posted on my wall. It looked to be just text, but presumably contained a trigger for this exploit. Anyway, within seconds, somehow, unbeknownst to me, I was apparently initiating chat conversations with every friend who was online, "asking," "Do you have a second?" When they would reply "yes?", I would blast them with some bullshit quiz/test site link, which I can only assume is a phishing farm.

Anyway, this continued relentlessly so long as I was logged into the site (and possibly when I wasn't; never definitively established that) until it occurred to me to change my Facebook account password, after which it - knock on wood - seems to have stopped.

Does anyone have any idea how this exploit works? It caught me rather off-guard because I expected that sort of thing to be the work of viruses and/or malware on Windows. I would guess that my password was somehow phished out, after which some foreign agent logged into the Facebook messenger as me externally (quite possible to do; numerous IM clients now support the Facebook messenger protocol) and went nuts, but I can't be sure.
po, over 14 years ago

We've seen this kind of scammy stuff before, where people overlay a transparent div on top of another div. This is the first time that I've seen them attach to the cursor and follow it around.

Other than keeping your browser logged out of Facebook at all times, what's the protection against this?
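The two halves of what ax0n, tlrobinson and po are describing, as an added example in JavaScript (this is not code from the thread, from the linked write-ups, or from Facebook): the geometry that keeps a fully transparent iframe's button under the cursor on every mousemove, the frame-busting script of the era together with the reason it is not enough, and the header policy (X-Frame-Options, and the later CSP frame-ancestors directive) that a page which does not want to be framed can send. The origins, headers and button offsets are constructed for illustration; the DOM wiring is only meaningful in a browser, the rest runs under Node.

```javascript
'use strict';

// Attacker side: where to put the iframe's top-left corner (viewport px) so
// that the control at offset `target` inside the frame is centred under the
// pointer at `cursor`. Re-evaluated on every mousemove, this makes a click
// anywhere on the host page land on the framed button.
function positionForCursor(cursor, target) {
  return {
    left: cursor.x - (target.x + target.width / 2),
    top: cursor.y - (target.y + target.height / 2),
  };
}

// Browser-only wiring of the above (not run under Node): a transparent,
// borderless, top-most iframe that follows the pointer. `src` is the page
// hosting the button, `target` the button's position inside that page.
function attachFollowingFrame(doc, src, target, size) {
  const frame = doc.createElement('iframe');
  frame.src = src;
  Object.assign(frame.style, {
    position: 'fixed', opacity: '0', border: '0',
    width: `${size.width}px`, height: `${size.height}px`,
    zIndex: '2147483647', // above everything else on the host page
  });
  doc.addEventListener('mousemove', (e) => {
    const p = positionForCursor({ x: e.clientX, y: e.clientY }, target);
    frame.style.left = `${p.left}px`;
    frame.style.top = `${p.top}px`;
  });
  doc.body.appendChild(frame);
  return frame;
}

// Defender side, part 1: the classic frame-busting script. Returns true if
// it tried to break out of the frame. Caveat: a framer that uses
// <iframe sandbox="allow-scripts allow-forms"> (no allow-top-navigation)
// makes the top.location assignment fail, so script alone is not a defence.
function bustFrame(win) {
  if (win.top === win.self) return false;
  try {
    win.top.location = win.self.location;
    return true;
  } catch (e) {
    return false; // navigation refused (sandboxed frame)
  }
}

// Defender side, part 2: the header policy a browser evaluates before it
// renders this page inside a frame served from another origin.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  const defaultPort = scheme === 'https' ? '443' : '80';
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || defaultPort };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Match one CSP source expression ('self', 'none', *, "https:", or
// [scheme://]host[:port] with an optional "*." prefix) against the framer.
function sourceMatches(expr, framer, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') return true;
  if (e === "'self'") return sameOrigin(framer, page);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return framer.scheme === e.slice(0, -1);
  let rest = e;
  let scheme = page.scheme; // no scheme in the expression: the page's own
  const m = /^([a-z][a-z0-9+.-]*):\/\//.exec(rest);
  if (m) { scheme = m[1]; rest = rest.slice(m[0].length); }
  const [host, port] = rest.split(':');
  const schemeOk = framer.scheme === scheme || (scheme === 'http' && framer.scheme === 'https');
  const hostOk = host.startsWith('*.') ? framer.host.endsWith(host.slice(1)) : framer.host === host;
  const portOk = port === undefined
    ? framer.port === (framer.scheme === 'https' ? '443' : '80')
    : port === '*' || port === framer.port;
  return schemeOk && hostOk && portOk;
}

// `headers`: response headers keyed by lower-case name. When frame-ancestors
// is present it takes precedence over X-Frame-Options.
function framingAllowed(headers, framerOrigin, pageOrigin) {
  const framer = parseOrigin(framerOrigin);
  const page = parseOrigin(pageOrigin);
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    if (sources.length === 0) return false; // treated here like 'none'
    return sources.some((s) => sourceMatches(s, framer, page));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return false;
  if (xfo === 'sameorigin') return sameOrigin(framer, page);
  // No policy: anyone may frame the page. An embeddable widget such as the
  // Like button is necessarily in this state, which is why these headers
  // cannot protect it and the thread is left asking what can.
  return true;
}

if (typeof require !== 'undefined' && require.main === module) {
  const policy = { 'content-security-policy': "frame-ancestors 'self' https://*.partner.example" };
  console.log(framingAllowed(policy, 'https://widgets.partner.example', 'https://site.example')); // true
  console.log(framingAllowed(policy, 'https://evil.example', 'https://site.example')); // false
}
```

The point the thread circles is visible in the last branch of framingAllowed: every defence shown here is something the framed page declares, and a widget whose whole purpose is to be framed cannot declare it. For a normal site the practical answer is to send the header policy rather than rely on bustFrame, since the sandbox attribute silently disables the script.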
barrkel, over 14 years ago
It's because of crap like this that I only browse sites like Facebook from a secondary browser, Chrome in my case. On Firefox, I'm not even logged in to Facebook, to minimize the amount they can learn about me with their Like stuff.
charlesju, over 14 years ago

The question I have is how do these guys plan to make money off this scam? There don't seem to be any ads on this page or any affiliate pages.
novum, over 14 years ago

This has been a known vulnerability since at least July 13. Interactive demos: http://erickerr.com/like-clickjacking

This would appear to be (among?) the first malicious use of the like-jacking vulnerability.
ubernostrum, over 14 years ago
A few of these have been floating around for at least the past couple months. One of my friends clicked through and ended up "liking" some picture of a stupid tattoo, and earned an educational lecture from me as his reward.
doron, over 14 years ago

I actually clicked on the page, following my girlfriend's Facebook.

But I was protected due to the ever useful Adblock extension. Probably the best plugin out there, the easiest method to fire and forget about annoying web elements.
barryaustin, over 14 years ago
I avoid this by keeping my core apps in Chrome/Chromium and by browsing everything else with Firefox+NoScript+ABP.
duck, over 14 years ago
And the slippery slope begins...