Facebook Vulnerability: Like Clickjacking
The Facebook Open Graph Like Button is susceptible to a type of attack known as clickjacking. Basically, if the Like button is embedded on the page you’re on and made completely transparent, an attacker can trick you into Liking something without your knowledge.
How the attack works:
1. User navigates to a page where a Like button is embedded invisibly.
2. User clicks what they believe is a link on the page and “Likes” the attacker’s content instead.
3. User doesn’t see any notification of Liking the content, but the Like still generates a News Feed story.
4. The News Feed story mentions the attacker’s content, which allows it to spread virally.
Twitter ran into a very similar attack last February with the propagation of a “Don’t Click” button. The main difference is that Twitter was able to close the hole by blocking iframe embeds (basically, if (window.top !== window.self), then Twitter is being nefariously embedded in someone else’s iframe). Since the Like Button is itself an iframe, Facebook can’t employ the same logic to detect clickjacking.
Advanced users might notice the change in cursor: the mouse always shows the link cursor while over the invisible button, and because the button lives in an iframe the host page can’t override it. During the casual flow of browsing, however, this would hardly be noticed.
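As an added defender-side example (not code from the original post), the following heuristic flags iframes that are nearly transparent and stacked above a visible clickable element, the arrangement described above. It works on plain descriptor objects so it runs outside a browser; the function names, the opacity threshold and the sample page layout are all assumptions.

```javascript
// Added example: flag near-invisible iframes that sit on top of clickable page elements.
// In a real page the descriptors would be built from document.querySelectorAll('iframe'),
// getComputedStyle() and getBoundingClientRect(); here they are constructed by hand.

const OPACITY_THRESHOLD = 0.1; // at or below this a frame is effectively invisible (assumed cutoff)

// Axis-aligned bounding-box overlap test on {left, top, width, height} rectangles
function rectsOverlap(a, b) {
  return a.left < b.left + b.width && b.left < a.left + a.width &&
         a.top < b.top + b.height && b.top < a.top + a.height;
}

// A frame is a click sink only if it is (nearly) transparent and still receives pointer events
function isEffectivelyInvisible(frame) {
  return frame.opacity <= OPACITY_THRESHOLD && frame.pointerEvents !== 'none';
}

// frames:  [{id, src, opacity, zIndex, pointerEvents, rect}]
// targets: [{id, zIndex, rect}] visible elements the user believes they are clicking
// Returns one finding per (invisible frame, covered target) pair.
function findOverlayFrames(frames, targets) {
  const findings = [];
  for (const frame of frames) {
    if (!isEffectivelyInvisible(frame)) continue;
    for (const target of targets) {
      // The frame only intercepts the click if it is above the target in stacking order
      if (frame.zIndex >= target.zIndex && rectsOverlap(frame.rect, target.rect)) {
        findings.push({ frame: frame.id, covers: target.id, src: frame.src });
      }
    }
  }
  return findings;
}

// Constructed sample page: a fully transparent Like-button frame placed over a "Download"
// link, plus an ordinary visible embedded video frame that must not be flagged.
const sampleFrames = [
  { id: 'fb-like', src: 'constructed-like-plugin-url', opacity: 0, zIndex: 10,
    pointerEvents: 'auto', rect: { left: 100, top: 200, width: 90, height: 25 } },
  { id: 'video', src: 'constructed-video-embed-url', opacity: 1, zIndex: 1,
    pointerEvents: 'auto', rect: { left: 300, top: 400, width: 560, height: 315 } },
];
const sampleTargets = [
  { id: 'download-link', zIndex: 1, rect: { left: 110, top: 205, width: 70, height: 18 } },
  { id: 'nav-home', zIndex: 1, rect: { left: 10, top: 10, width: 60, height: 18 } },
];

console.log(findOverlayFrames(sampleFrames, sampleTargets)); // one finding: fb-like covers download-link
```

A page that must never be framed can also refuse framing server-side with an X-Frame-Options header, but a widget that is designed to be embedded, like the Like button, cannot use either that header or the frame-busting check Twitter used.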