
“Likejacking” Takes Off on Facebook

Security researchers are warning of the newest Facebook threat, which they are calling “likejacking”: a clickjacking attack built on Facebook’s Like button that tricks users into clicking what looks like an ordinary link while actually registering the attacker’s page as one of their Facebook “likes.” Those likes then show up on the victim’s profile and, of course, in the News Feed, where friends see the link and click it themselves, allowing the vicious, viral cycle to continue.

According to security firm Sophos, hundreds of thousands of users have already fallen for this new “likejacking” trick thanks to the clever and tantalizing linkbait the spammers use to entice people to click their links. For example:

“LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE.”

“This man takes a picture of himself EVERYDAY for 8 YEARS!!”

“The Prom Dress That Got This Girl Suspended From School.”

After clicking through on a link, victims don’t get the promised content, but rather a blank page reading “click here to continue.” This page carries the clickjacking worm (detected by Sophos as Troj/Iframe-ET): an invisible iframe containing a Facebook Like button, laid over the visible page. Click anywhere on the page and the click lands on the hidden button, so the message is posted to your profile and News Feed, allowing the worm to further its spread.

This particular exploit is made possible by Facebook’s new Like button and its associated developer code. The button is served by Facebook but can be embedded on any page, and according to the Like button documentation it can be customized with metadata that includes the title of the Web page, the name of the website and the URL of a picture for the page. By filling in these fields, spammers and hackers can easily create links that are, in fact, malicious “likes,” dressed up with whatever title and thumbnail they choose.

Told You So

The popularity of this particular attack vector is not surprising. Soon after the launch of the Facebook like button, we reported on its potential as a threat, noting how incredibly easy it is to create like buttons that link to anything on the Web – even pages you have never visited.

It was only a matter of time before spammers and hackers started exploiting this weakness for their own purposes. (Frankly, we’re surprised it took this long.)

The problem has to do with the overly simple way Facebook has implemented the “like button” feature. Non-developers can plug a URL into a wizard that generates code that can be copied and pasted anywhere on the Web. Like buttons created this way, or by hand, will function properly even if they point to a webpage on a different domain from the page where the button is being hosted; nothing ties the button to the page the user is actually looking at.
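The two abuses described above, the transparent Like button laid over a page and the button whose target is a different site from the one hosting it, can both be checked for statically. The script below is an added example, not Facebook’s, Sophos’s or any researcher’s code: it scans raw HTML for iframes that load Facebook’s Like plugin (the real plugin URL has the form https://www.facebook.com/plugins/like.php?href=...) and flags frames styled to be invisible yet still clickable, and frames whose “href” (the page being liked) lives on a different domain from the hosting page. The style heuristics and the sample page are assumptions constructed for the example.

```javascript
// Added example: static audit of embedded Facebook Like buttons. Illustrative
// code, not Facebook's or Sophos's; heuristics and sample HTML are assumptions.

// Pull every <iframe ...> tag out of raw HTML as a lower-cased attribute map.
function parseIframes(html) {
  const frames = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    frames.push(attrs);
  }
  return frames;
}

// If src is Facebook's Like plugin, return the URL it will "like" (the href
// query parameter, "" when absent); return null for any other frame.
function likeTarget(src) {
  let u;
  try {
    u = new URL(src || "", "https://page.example/"); // resolves "//www.facebook.com/..."
  } catch {
    return null;
  }
  if (!/(^|\.)facebook\.com$/i.test(u.hostname)) return null;
  if (!u.pathname.startsWith("/plugins/like")) return null;
  return u.searchParams.get("href") ?? "";
}

// Inline-style heuristic for a frame the user cannot see but can still click:
// (near-)zero opacity, including IE's alpha filter. visibility:hidden and
// display:none are deliberately not flagged, since such frames take no clicks.
function looksInvisible(style) {
  const s = (style || "").toLowerCase().replace(/\s+/g, "");
  const m = /(?:^|;|-)opacity:([0-9.]+)/.exec(s);
  if (m && parseFloat(m[1]) < 0.1) return true;
  return /alpha\(opacity=0+\)/.test(s);
}

// Compare hosts loosely: a leading "www." is not a different site.
function normHost(hostname) {
  return hostname.toLowerCase().replace(/^www\./, "");
}

// Audit one page. pageUrl is the URL the HTML was served from. Returns one
// entry per Like plugin frame: the URL it likes and the reasons (possibly
// none) it looks suspicious.
function auditLikeButtons(html, pageUrl) {
  const pageHost = normHost(new URL(pageUrl).hostname);
  const findings = [];
  for (const f of parseIframes(html)) {
    const target = likeTarget(f.src);
    if (target === null) continue; // not a Like plugin frame
    const reasons = [];
    if (target === "") {
      reasons.push("missing href");
    } else {
      try {
        if (normHost(new URL(target).hostname) !== pageHost) reasons.push("cross-domain like target");
      } catch {
        reasons.push("unparseable href");
      }
    }
    if (looksInvisible(f.style)) reasons.push("invisible frame");
    findings.push({ target, reasons });
  }
  return findings;
}

// Constructed sample (not captured from any real attack page): a visible
// button for the page itself, a transparent button for the same page laid over
// the "click here to continue" text, and a visible button liking another domain.
const SAMPLE_PAGE_URL = "http://linkbait.example.net/continue";
const SAMPLE_HTML = `
<html><body>
<iframe src="https://www.facebook.com/plugins/like.php?href=http%3A%2F%2Flinkbait.example.net%2Fcontinue&layout=button_count"
        style="border:none; width:120px; height:21px"></iframe>
<div style="position:relative">
  <p>click here to continue</p>
  <iframe src="//www.facebook.com/plugins/like.php?href=http%3A%2F%2Flinkbait.example.net%2Fcontinue&layout=standard"
          style="position:absolute; top:0; left:0; width:450px; height:80px; opacity:0; filter:alpha(opacity=0)"></iframe>
</div>
<iframe src='https://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fspam.example.org%2Flol-owned'
        style="border:none; width:450px; height:80px"></iframe>
</body></html>`;

// Usage: node likeaudit.js
for (const f of auditLikeButtons(SAMPLE_HTML, SAMPLE_PAGE_URL)) {
  console.log(f.reasons.length ? "SUSPICIOUS" : "ok", f.target, f.reasons.join(", "));
}
```

Only the second frame is the likejacking pattern proper: it likes the attacker’s own page, so a domain check alone would never catch it, and it is the opacity that gives it away. The third frame is visible but points elsewhere, which is the “like fraud” case rather than clickjacking. A real deployment would also need to resolve external stylesheets, since nothing forces an attacker to hide the frame with an inline style.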

Kyle Bragger, a Web entrepreneur who just launched Forrst, an online community for developers and designers, warned Facebook users of “like fraud” back in April by way of a personal blog post. To circumvent potential likejacking attempts such as these, he created a Facebook “like” bookmarklet that likes the page you are actually on, without relying on any button the page itself supplies, so you can be sure you’re liking the real thing and not some shady linkbait. (Or likebait, if you will.)

If you’ve been hit with this likejacking attack, the best you can do is remove the like from your profile and delete the post from your News Feed. You might want to apologize to your friends with a Facebook status update, too.
