Deceiving Users with the Facebook Like Button (opens in new tab)

(arnab.org)

92 pointsarnabdotorg15y ago18 comments

18 comments

Checking the referrer (errr, "referer") header seems obvious to me, I wonder why they're not doing it.

Sure, the referrer can be spoofed if you can set arbitrary headers, but you can't set headers on iframe requests anyway (and even XHR explicitly disallows setting Referer)

easyfrag15y ago

A related side-note: my organization blocks access to Facebook, the iframe with his like button was also blocked by the filter.

CoryMathews15y ago

does it end up blocking the entire page or just the iframe?

smharris6515y ago

Just the iFrame.

avdempsey15y ago

As the author points out, the easy fix is to let users know what they just liked, or ask them to confirm.

Also I suspect this service is fairly self-regulating. Facebook users are generally careful about what they broadcast. The author gives the captcha trick used by porn sites as an example...how many people are going to broadcast their taste in porn?

kelnos15y ago

> Facebook users are generally careful about what they broadcast.

Seriously? Maybe among your tech-savvy friends, but the majority of Facebook users have no idea what they're doing when they type something into the box and click "Share."

A few minutes over at http://failbook.com/ is enough to point that out, and those are just the egregiously bad / hilarious cases.

jeff1815y ago

I see this story come up a lot, but according to reCAPTCHA, it's an urban legend. There is not really any evidence that spammers actually do this at all, let alone do it on a meaningful scale.

hazzen15y ago

Unless my memory is playing tricks on me, I recall Luis Von Ahn mentioning this as an example of ways people had attempted to defeat his system at a talk of his several years ago. He may have been talking about theoretical attacks and not actual ones, but I'm on my phone now and can't effectively dig for a video if one exists.

zalew15y ago

"Facebook users are generally careful about what they broadcast."

there are already lots of spam websites and fb apps, that trick into being a fan... i mean, "like" pages using js. this iframe only makes it easier.

i can even imagine spam js links altering a legit iframe, hoping a user clicks it afterwards.

vinhboy15y ago

You have to click the button again to remove the "Like" relationship. --- Wow, talk about confusing as hell...

sorbus15y ago

If you notice it when you're still on the page, it's easy. However, as I understand it one would have to go to their facebook page to see this, and it seems unlikely that most users would be doing that (constantly watching their facebook page, not just the homepage feed). If someone is "liking" a lot of pages, then there's also the difficulty of figuring out which pages the spam is coming from - even if it would be possibly to determine through a process of elimination, users would have to remember every page they liked by the time they noticed the spam.

Not a big issue now, but if lots of pages start using this capability, it could become a problem, albeit of a very minor variety.

jmm15y ago

another similar issue i've come across is when there are multiple like buttons on the same page. e.g., does one like this blog/site or just the article?

not a terrible confusion or potentially too sinister, but a bit more attention than usual is required than the simple share.

TotlolRon15y ago

"The new button trades off this security for convenience."

Trend?

Qz15y ago

Not really a question. The trend has been going on for years now.

mikeknoop15y ago

I disagree. See: Airport Security.

1 more reply

j / k navigate · click thread line to collapse