

Deceiving Users with the Facebook Like Button - arnabdotorg
http://arnab.org/blog/deceiving-users-facebook-button

======
tlrobinson
Checking the referrer (errr, "referer") header seems obvious to me; I wonder
why they're not doing it.

Sure, the referrer can be spoofed _if_ you can set arbitrary headers, but you
can't set headers on iframe requests anyway (and even XHR explicitly disallows
setting Referer)
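The Referer check described in the comment above, written out as an added example; it is not code from the linked article, from this thread, or from Facebook. It assumes a hypothetical like-widget endpoint at `/plugins/like?href=<page being liked>` served from `widgets.example`, and compares the origin of the Referer the browser attached to the iframe request with the origin of the `href` the widget is being asked to like. Origin rather than full-URL comparison is a deliberate choice: a site's index page can legitimately frame buttons for several of its own articles, but a third-party site cannot frame a button for someone else's page and get the one-click version. Any request that cannot be verified falls back to a confirmation UI that names the target page.

```javascript
// Added example, not the article's or Facebook's code. Hypothetical widget host
// and endpoint; the embedding page cannot set headers on the iframe request,
// so the Referer (when present) reflects where the button was actually framed.
const WIDGET_BASE = "https://widgets.example";

// Canonical origin of an absolute http(s) URL, or null if it is not one.
function httpOrigin(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.origin; // scheme://host[:port], hostname already lower-cased by URL
}

// Classify one widget request. rawUrl is the request path ("/plugins/like?href=...");
// referer is the raw Referer header, or undefined if the browser sent none.
// verdict is one of:
//   "match"       framing page has the same origin as the page being liked
//   "mismatch"    another origin (or an unparseable Referer) framed this button
//   "no-referer"  browser sent no Referer, e.g. under a strict Referrer-Policy
//   "bad-request" href missing or not an absolute http(s) URL
function classifyLikeRequest(rawUrl, referer) {
  let href;
  try {
    href = new URL(rawUrl, WIDGET_BASE).searchParams.get("href");
  } catch (e) {
    return { verdict: "bad-request", target: null };
  }
  const targetOrigin = href === null ? null : httpOrigin(href);
  if (targetOrigin === null) return { verdict: "bad-request", target: null };
  if (!referer) return { verdict: "no-referer", target: href };
  const refOrigin = httpOrigin(referer);
  if (refOrigin === null) return { verdict: "mismatch", target: href };
  return { verdict: refOrigin === targetOrigin ? "match" : "mismatch", target: href };
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Node-style (req, res) handler: one-click button only when the Referer check
// passes; otherwise a confirmation UI that tells the user what they are liking.
// Returns the verdict so callers (and tests) can inspect the decision.
function handleLikeRequest(req, res) {
  const { verdict, target } = classifyLikeRequest(req.url, req.headers["referer"]);
  if (verdict === "bad-request") {
    res.writeHead(400, { "Content-Type": "text/plain" });
    res.end("href must be an absolute http(s) URL");
    return verdict;
  }
  const safe = escapeHtml(target);
  const body =
    verdict === "match"
      ? `<form method="post"><button name="like" value="${safe}">Like</button></form>`
      : `<p>Like <a href="${safe}">${safe}</a>?</p>` +
        `<form method="post"><button name="like" value="${safe}">Confirm</button></form>`;
  res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
  res.end(body);
  return verdict;
}

// Constructed sample requests (not captured traffic) covering each verdict.
const SAMPLE_REQUESTS = [
  { url: "/plugins/like?href=https://blog.example/post/1", headers: { referer: "https://blog.example/post/1" } },
  { url: "/plugins/like?href=https://blog.example/post/2", headers: { referer: "https://blog.example/" } },
  { url: "/plugins/like?href=https%3A%2F%2Fvictim.example%2F", headers: { referer: "https://evil.example/trick" } },
  { url: "/plugins/like?href=https://blog.example/post/1", headers: {} },
  { url: "/plugins/like?href=javascript:alert(1)", headers: { referer: "https://blog.example/" } },
];

function runSamples() {
  const sink = { writeHead() {}, end() {} };
  return SAMPLE_REQUESTS.map((req) => handleLikeRequest(req, sink));
}

console.log(runSamples());
```

Two caveats a practitioner would want before relying on this. First, the Referer is only as reliable as the browser's referrer policy: a strict `Referrer-Policy` can suppress it entirely, which is why the "no-referer" case falls back to confirmation rather than being treated as a pass; current default policies trim a cross-origin Referer to its origin, which is still enough for an origin comparison. Second, a passing check only establishes which page framed the button, not that the user could see it, so the confirmation step, not the header check, is what actually prevents someone from being tricked.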

------
easyfrag
A related side-note: my organization blocks access to Facebook, so the iframe
with his like button was also blocked by the filter.

~~~
CoryMathews
Does it end up blocking the entire page or just the iframe?

~~~
smharris65
Just the iFrame.

------
avdempsey
As the author points out, the easy fix is to let users know what they just
liked, or ask them to confirm.

Also I suspect this service is fairly self-regulating. Facebook users are
generally careful about what they broadcast. The author gives the captcha
trick used by porn sites as an example...how many people are going to
broadcast their taste in porn?

~~~
jeff18
I see this story come up a lot, but according to reCAPTCHA, it's an urban
legend. There is not really any evidence that spammers actually do this at
all, let alone do it on a meaningful scale.

~~~
hazzen
Unless my memory is playing tricks on me, I recall Luis Von Ahn mentioning
this as an example of ways people had attempted to defeat his system at a talk
of his several years ago. He may have been talking about theoretical attacks
and not actual ones, but I'm on my phone now and can't effectively dig for a
video if one exists.

------
vinhboy
"You have to click the button again to remove the 'Like' relationship."

Wow, talk about confusing as hell...

~~~
sorbus
If you notice it while you're still on the page, it's easy. However, as I
understand it, one would have to go to their Facebook page to see this, and it
seems unlikely that most users would be doing that (constantly watching their
Facebook page, not just the homepage feed). If someone is "liking" a lot of
pages, then there's also the difficulty of figuring out which pages the spam
is coming from: even if it would be possible to determine through a process
of elimination, users would have to remember every page they liked by the time
they noticed the spam.

Not a big issue now, but if lots of pages start using this capability, it
could become a problem, albeit of a very minor variety.

------
jmm
Another similar issue I've come across is when there are multiple like buttons
on the same page, e.g., does one like this blog/site or just the article?

Not a terrible confusion or potentially too sinister, but a bit more attention
than usual is required compared with the simple share.

------
TotlolRon
"The new button trades off this security for convenience."

Trend?

~~~
Qz
Not really a question. The trend has been going on for years now.

~~~
mikeknoop
I disagree. See: Airport Security.

~~~
ddslkadhs
Yup, there you're trading off security for theater.

~~~
pyre
You're not actually 'trading off' security. You're trading convenience for a
false sense of security.

~~~
iamdave
And you deserve neither(?)

