Yesterday, Facebook launched a new widget called the “Facebook Like Button,” which, simply put, brings the Facebook like button to the entire Internet. Website owners can implement the new button on their site using a small bit of code. In fact, you don’t even have to be a developer to make your own like button – there’s a little wizard that generates the code for you. Then it’s as easy as copy-and-paste to get the button onto your site.

However, there’s a small problem with this new, easy-to-use tool: it’s possible to trick users into liking anything – even pages they’ve never visited!

“Likes” – A New Tool for Spammers?

As Arnab Nandi, a PhD candidate in Computer Science at the University of Michigan, recently discovered, it’s simple to create a like button for a page you’re not even on.

Using the wizard provided by Facebook, you can create a button for any URL you want and embed it on your site.

Why would anyone want to do this, you ask? While no self-respecting webmaster would want to deceive a visitor to their site, says Nandi, an “enterprising spammer” certainly would. By tricking site visitors into “liking” something by mistake, spammers could immediately place their links into that person’s News Feed, a feed seen by all of that person’s friends. And since an average Facebook user has 130 friends, even tricking a handful of people into doing this gives the spammer access to hundreds, potentially thousands, more people.

Nandi already coined a word for this new hack: “News Feed Spam.”

And yes, it will exist.

How the Button Works

Creating your own evil like button is incredibly simple, as we’ve demonstrated below. Nandi uses the “safe for work” example of “liking” the Britney Spears site on his blog, but we know that our readers don’t want that affiliation in their News Feed for even an instant, so we created a much safer example for you to try by using our own Twitter account as the “like” target. (Really, we promise!)

Although you can remove the “like” from your News Feed after clicking, when you “like” something on Facebook, the affiliation is now attached to the Open Graph API. That means that your “like” data is associated with your profile, even if you remove it from showing in your News Feed.

In any event, all we did was enter the necessary info into Facebook’s wizard, and we got the code for the button below:

(NYT readers, visit the original site for the demo).

If you click that button, you’ll see that you just “liked” ReadWriteWeb’s Twitter account, not this post or this website.
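
The mismatch described above can be checked for mechanically. The following is an added example, not code from the original post or from Facebook: it scans a page's HTML for Like-button iframes and reports any whose target is a different site than the page embedding them. It assumes the iframe form of the embed (facebook.com/plugins/like.php with the liked URL in the href parameter); the function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption: the button is embedded as an iframe pointing at
# facebook.com/plugins/like.php with the liked URL in the "href" parameter.
LIKE_HOSTS = {"facebook.com", "www.facebook.com"}
LIKE_PATH = "/plugins/like.php"


def _site(host):
    """Lower-case a hostname and drop a leading 'www.' for comparison."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


class LikeButtonFinder(HTMLParser):
    """Collects the target URL of every Like-button iframe in a document."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        src = urlparse(dict(attrs).get("src") or "")
        if src.hostname in LIKE_HOSTS and src.path == LIKE_PATH:
            href = parse_qs(src.query).get("href")  # value is percent-decoded
            if href:
                self.targets.append(href[0])


def mismatched_likes(page_url, html):
    """Return Like targets whose site differs from the page embedding them."""
    finder = LikeButtonFinder()
    finder.feed(html)
    page_site = _site(urlparse(page_url).hostname)
    # Other subdomains count as a different site; relax this if that is too strict.
    return [t for t in finder.targets if _site(urlparse(t).hostname) != page_site]


# Constructed sample page: one button for the page itself, one for another site.
SAMPLE_PAGE_URL = "http://blog.example/posts/like-button"
SAMPLE_HTML = """
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fblog.example%2Fposts%2Flike-button&amp;layout=standard"></iframe>
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fother.example%2Fpromo&amp;layout=standard"></iframe>
"""

if __name__ == "__main__":
    for target in mismatched_likes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("Like button targets a different site:", target)
```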

So the question now is this: did Facebook make the “like” button too simple? Should the button display more info about the target of the like so you know what you’re getting into? Will this problem become so widespread that people begin to fear “liking” things across the net? What do you think?

Image credit for original post: Zazzle