
“Like” at Your Own Risk - vinceleo
https://in.bgu.ac.il/en/pages/news/Chameleon-Attack.aspx
======
soylentcola
I seem to remember doing some prank-ish thing like this in the early days of
Facebook.

Create an activity or whatever that you "liked" (ex: camping) and friends
would see that "soylentcola liked _camping_". They would also like _camping_
and then eventually you would change the name of that tag/activity/whatever to
something like _getting kicked in the nuts_ so that now it tells people that
"John Smith likes _getting kicked in the nuts_".

I honestly don't remember the specifics as it's been years since we got our
laughs out of this for a few minutes (hell, for all I know this was on MySpace
and not Facebook. Really don't remember).

~~~
EGreg
Right! This can be done by changing the name of a page people like. Not just a
post.

Seems like you can get a really good amount of likes for a popular thing (like
calls for impeaching Trump in 2017) before changing it to something you want
to promote (like Tom Steyer for President) ... and you can even qualify for
the Debate stage!

~~~
soylentcola
I haven't been on Facebook in a couple of years now, but I recall similar
issues. People/groups would create pages for popular things (again, like
"camping" or "sleeping in on the weekends") so that thousands and thousands of
people would "like" that thing.

Then once those pages had enough followers, they could be sold off to whatever
marketing group wanted access to lots of user data and an outlet to post
sponsored content to a lot of viewers.

It wasn't just this bait-and-switch, though. Loads of "meme" pages and similar
stuff built up a large enough following and then were either sold or just
directly used for marketing.

I think it was bigger when companies/individuals could use Facebook to drive
clicks to their sites but I have no idea if that's still a thing these days.
Last I saw, most users/posts tended to stay within the Facebook "umbrella"
rather than being linked to outside sites.

------
kerkeslager
There are a lot of major challenges to creating decentralized, trustless
systems, but this is very easy to solve in a trustless system. All you do is
indicate "Like"s by signing an object like:

    {post:"<cryptographic hash of post>",action:"like"}

That way if the post changes, your signed "like" no longer applies.

This trustless-ness can be introduced in centralized systems too, but the
tendency in a centralized system is to trust the central authority, which is
the whole problem with such systems.

~~~
close04
This doesn't work if you're just linking to some dynamic content. People will
like the link and the link itself is static but the content provided by
clicking it can change without notice.

~~~
kerkeslager
Responding to this post, since it looks like you edited it (to clarify) and I
responded to my misunderstanding based on what your post previously said:

That comes down to making sure you like what you actually intend to like: you
probably don't intend to like the literal bytes of the URL, you probably
intend to like the content at the URL. UIs can aid in this[1] but ultimately I
don't think people think that specifically, and there's not a perfect
technical solution to that problem.

[1] WARNING: You're about to "Like" a URL. The content at the URL may change.
Do you wish to continue? Y/N
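
The hash-bound "like" proposed above, and the URL gap raised in the replies, as an added example that is not part of the original thread. HMAC with a per-user key stands in for a public-key signature so it runs on the standard library alone; the key, URL, content bytes and function names are constructed assumptions.

```python
import hashlib
import hmac
import json

def content_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def _payload(like: dict) -> bytes:
    # Canonical encoding so signer and verifier authenticate identical bytes.
    return json.dumps(like, sort_keys=True, separators=(",", ":")).encode()

def sign_like(user_key: bytes, liked_bytes: bytes) -> dict:
    """Build {post: <hash>, action: "like"} and authenticate it."""
    like = {"post": content_hash(liked_bytes), "action": "like"}
    tag = hmac.new(user_key, _payload(like), hashlib.sha256).hexdigest()
    return {"like": like, "sig": tag}

def like_status(user_key: bytes, signed: dict, current_bytes: bytes) -> str:
    """Return 'valid', 'stale' (target changed) or 'invalid' (bad tag)."""
    expected = hmac.new(user_key, _payload(signed["like"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return "invalid"
    if signed["like"]["post"] != content_hash(current_bytes):
        return "stale"
    return "valid"

# Constructed sample data (assumptions, not taken from the thread or the paper).
KEY = b"constructed-demo-key"
URL = b"https://example.test/cat.jpg"
ORIGINAL = b"<constructed bytes: picture served at like time>"
SWAPPED = b"<constructed bytes: picture served after the swap>"

def demo() -> dict:
    by_content = sign_like(KEY, ORIGINAL)   # like bound to the content itself
    by_url = sign_like(KEY, URL)            # like bound only to the link bytes
    # Someone re-points the signed like at the new content without re-signing.
    retargeted = {"like": dict(by_content["like"], post=content_hash(SWAPPED)),
                  "sig": by_content["sig"]}
    return {
        "content_like_before_swap": like_status(KEY, by_content, ORIGINAL),
        "content_like_after_swap": like_status(KEY, by_content, SWAPPED),
        # The URL bytes never change, so this like still verifies after the swap.
        "url_like_after_swap": like_status(KEY, by_url, URL),
        "retargeted_like": like_status(KEY, retargeted, SWAPPED),
    }

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

A like bound to the content hash goes stale when the content is swapped, while a like bound only to the URL keeps verifying, which is the case a UI warning has to cover.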

------
blakesterz
I had to go read the actual paper to figure out how it worked. It's "updating
link previews without visible notifications while retaining social capital".
So you do a redirect and then that changes what was originally liked.

------
sundvor
I have thought about this before, even without the clever hack indicated here:

Likes ought to drop off after an edit, or be clearly pointing to the previous
version after any edit. I.e., they need to reflect staleness, and posts must
better reflect that there's version history. In this day and age we ought to
be able to differentiate between grammar/spell checks and complete rewrites,
and update UX accordingly.

Another one is the ability for someone to change privacy level of a post from
private to public. So that risky like that you thought was a safe one among
friends could then be opened for everyone to see.

~~~
Brave-Steak
> Another one is the ability for someone to change privacy level of a post
> from private to public. So that risky like that you thought was a safe one
> among friends could then be opened for everyone to see.

This seems like a difficult problem in general and reminds me of this episode
of Hidden Brain ([https://www.npr.org/2019/09/06/758281834/you-cant-hit-unsend...](https://www.npr.org/2019/09/06/758281834/you-cant-hit-unsend-how-a-social-media-scandal-unfolded-at-harvard)). Where sharing
shocking/"inappropriate" memes in a private WhatsApp led to everybody involved
losing their spots in university.

~~~
beerandt
Why difficult? Just put the same permissions on the "like" as the parent
object being liked, and leave those permissions alone if the parent object
updates.

~~~
buran77
Likes could be counted on "what" they were given to. Liking a private post
would only count when the post stays private while liking a public post would
be counted/displayed either way.

~~~
sundvor
Yep. But the more responsible option (for FB engineers) would be to never
allow opening up the privacy level - users should only be allowed to restrict
it!

If they really want to share the same content with the whole world, then that
should be a completely new post.

------
neonate
[https://arxiv.org/abs/2001.05668](https://arxiv.org/abs/2001.05668)

------
DavidVoid
You see this kind of thing used by spammers on reddit from time to time.
They'll get an upvoted comment which is very visible to other users and then
edit it to include a link to some shady website.

------
goatinaboat
Ironically, sharing this link alone could constitute a risk in some situations.

------
sebastianconcpt
Scary o.O

But is it the author editing the post who changes it or what?

~~~
DarkWiiPlayer
Simple example:

- You upload an image of a cute cat to your webserver

- You post the link to the image on some social network (using a throwaway
account)

- You send the link to the post to a friend, who likes the post

- You switch out the image on the server for a photo of Hitler (url stays the
same)

- You wait a day for all the caches involved to update

- You act disgusted and ask your friend wtf they were thinking when they
liked that image

~~~
Robin_Message
- Your friend says it was a cat video that they liked and they've no idea how
that happened

- Everyone shrugs, says "computers eh?" and moves on with their lives

This attack would only work for gaslighting or repeated targeting I think, and
even then, I don't think it would be that convincing.

~~~
pixl97
Heh, what nice planet are you from?

You forgot the step of

- take an image of the transgression and post it to Twitter

- 50000 other people see you liked Hitler.

- your next job sees this image on the internet, so actually no, you don't get that job.

