Clicking Facebook "Like" Buttons Gives Owner Permission To Spam You (w/ demo) - patio11
http://www.bingocardcreator.com/articles/facebook-like-button-spam

======
patio11
I mentioned this the other day in a comment, but I figured it gets a lot more
visceral punch if you actually see it happen, so I wrote up the consequences
in an article and wired together a working tech demo. I haven't seen anybody
exploit this misfeature "in the wild" yet, but then again I'm not exactly
plugged into the social networking scene.

It _astounds_ me that somebody thought making the Like button be silent opt-in
to "permission" marketing was a good idea.

Added bonus points (not covered in article): this creates a security hole in
every Liker's account, because it slaves the security of their News Feed to
the security of _every site they have ever liked_. Pretend you like something
published by Scrappy Startup A. Six months pass. Scrappy Startup goes out of
business and their URL gets grabbed, or Scrappy startup gets their server
owned, or Scrappy Startup merely permits defacement of the contents of their
HEAD. This lets the attacker immediately assert publishing privileges for all
connections created by Likes (6+ months ago), and then spam the connected
Facebook News feeds with live URLs carrying an endorsement from Scrappy
Startup.

Now pretend Scrappy Startup is, or purported to be, Obama. (Thumbnail sketch:
you and 10,000 other people favorite a picture of Obama hugging two puppies
titled "Obama Gives Constituents a Lift", six months later the Facebook login
crowd sees "Obama Gives Constituents a Lift: Click here and put in your bank
account details to receive your instant stimulus package".)

~~~
Sukotto
I'm a bit surprised that you published this to your bingo blog and not
Kalzumeus.com. Aren't you worried about your stereotypical user clicking it by
accident?

~~~
patio11
The only way in is via direct link to that URL. I put it there because I
happened to have Rails code written to do most of the work here (back from
when I implemented Like buttons for the site, prior to understanding what they
actually do), and because I'm positive Nginx can take the load (it is 100%
static content after the first access) but less than sanguine about my Apache
setup.

------
mrduncan
Maybe I'm missing something here, but this seems like much ado about nothing.
I mean, I get it, if I "like" something then that site now has the ability to
leave me messages. I just don't see this as much different than following
someone on Twitter - once I follow them, they have the ability to DM me all
they want (until I unfollow anyway).

_Liking anything lets the owner spam you._

This just sounds like a scare-tactic to me. That's like saying "following
anyone lets the owner spam you", or "emailing anyone lets the owner spam you".

I guess the real point here is to only "like" things that you trust. Just as I
won't start following shady looking accounts on Twitter or handing out my
email address to every website I visit, I won't "like" shady looking websites.

~~~
CodeMage
I certainly wouldn't _expect_ that kind of side effect at all, but maybe it's
because I'm used to having a greater degree of control over who gets a claim
on a slice of my attention. For me "like" is not a binary concept -- either
you like it or you don't. I might like something enough to put it in my
bookmarks, but that doesn't necessarily mean I'll want to recommend it to all
of my friends or subscribe to its RSS feed. If signaling that I like something
will automatically imply "subscribing" to it, then I'd like to be informed
about it beforehand.

~~~
pbhjpbhj
>For me "like" is not a binary concept

We're not talking about like the English language word we're talking about
"like" the Facebook specific action indicating that you wish to be associated
with a particular page of content on that site.

~~~
CodeMage
See, this is why computer applications keep failing "average" users: "Stupid
users, why didn't they RTFM? Had they done that, they would have realized that
Facebook's definition of the word 'like' is drastically different from the
English language word they use every day."

------
char
I'm confused. Hasn't this _always_ been the case when you 'Like' (previously
'Become a Fan' of) something? Pages I became a Fan of well over a year ago
(maybe longer!) have been publishing updates to my stream ever since. (The
ones I don't want to get updates from have either been removed or blocked.)

The Page-to-User relationship is absolutely no different than the User-to-User
one. By becoming Friends with someone, I'm letting them publish as frequently
as they'd like to my stream. They can spam me if they want, and if I don't
like it, I can block/remove them.

Saying that 'Like' buttons give Page owners permission to spam you is grossly
misleading, and leaves out several important pieces of information that allow
one to understand what is actually going on.

~~~
nl
Yeah, it's always been the case. It's annoying when you don't realize it, but
it's the kind of mistake you make only once.

------
e1ven
I'm sorry to hear that this behavior was a surprise to you- Perhaps FB could
do a better job at making it clear what this does, but to me this was always
the expected (and desired!) behavior.

The Facebook "Like" button is akin to "Follow" on Twitter. It subscribes you
to their feed. That's the whole POINT of the like button. The "Tell your
friends" is ancillary; It's akin to twitter telling your feed "Colin is now
following .... CocaCola"

It's a VERY useful feature, and the name makes sense to me; If you Like
AntelopeFurniture.com, and they have a new sale running or something, you'd
want to hear about it. You already said you like them ;)

With that understanding in mind ("Facebook:like == Twitter:Follow"), it starts
to become clear that seeing their posts isn't spam- It's the entire point!

~~~
bad_user
> _The Facebook "Like" button is akin to "Follow" on Twitter_

It doesn't "sound" like it to me ... I thought that when I pressed "Like" I
simply got counted, nothing more.

And since when in English ... Like =~ Follow? Sure, maybe for maniacs.

~~~
pbhjpbhj
>And since when in English ... Like =~ Follow? Sure, maybe for maniacs.

If you're going to be pedantic about made up web-2.0 (3?) terms then why not
argue that "follow" on twitter doesn't let you actually follow the person only
receive occasional messages from them.

Why don't they call it "receive occasional messages from"? There's your
answer.

~~~
invisible
It is straight out ignorant to say follow doesn't imply you'll be interacting
in the future with that person/company. Like (in itself) is an action verb
that implies approval of the subject matter, not interaction. I like articles
on HN (by up voting) but that does not mean I want to receive regular updates
from the site due to a singular approval of one piece of content.

~~~
pbhjpbhj
>It is straight out ignorant to say follow doesn't imply you'll be interacting
in the future with that person/company.

Follow as a natural word is a one-way relationship - you follow someone else,
they don't have to take any action. It's thus not interaction. Nor is it a
word that requires a continued future action; "following" would do that. I'm
not sure there's a good word for the type of relationship you're [wrongly IMO]
saying "follow" implies, perhaps "liaise" or "apprentice" is close?

~~~
Terretta
On the contrary, follow specifically does refer to a continuing future action.

"Follow that cab!" doesn't mean just for one block. You expect the driver will
follow that cab until you tell him to stop following it.

To agree with you, however, the cab being followed need not be aware of your
continued future action. They can speed up, slow down, stop, U-turn, do
whatever they would do if you weren't following them. To your point, "follow"
is not "interactive". It's active for you, passive for the one being followed.

It's therefore the perfect word for Twitter's button.

------
natrius
This really doesn't seem like a big deal. You can click the 'X' next to the
spam to end it forever. If a certain publisher is getting removed frequently,
Facebook could block them from posting to anyone's news feed. I doubt this
functionality will negatively affect many people unless Facebook fails to
police it properly.

------
pilif
Seeing that there's this "Mark as Spam" functionality, I would guess that
Facebook would quickly revoke the spammer's ability to add like buttons to
their page once enough people clicked that spam button (or even make any
further business with Facebook).

IMHO, not that big a deal. Then again, I don't use Facebook, so I can't really
know.

------
webwright
I clicked it and haven't gotten my note yet... By "spam", I think you're
saying they can put something into my news feed, right? If this opted me into
email communication or even facebook messages, I might be alarmed. Related: I
generally trust things that I "like" to behave in a polite way... And know
that if they don't they are going to quickly eat a social media backlash.

I can see some nice ways this could be used-- for example-- I "like" Bingo
Card Creator and you say, "Thanks Tony! I see you just bought your copy of BCC
a few days ago. Holler if I can help!"

I agree that this is an odd/dumb thing for FB to do, but I'm not sure it's
that scary.

~~~
tptacek
Kind of agree; also, I'm just not as possessive of my Facebook feed as I am of
my mail spool. I really don't feel like I own my feed. Also, Facebook acts
against its own interests if they allow random sites to pollute the feed.

~~~
pyre
I have to agree that it's against Facebook's own interests. If they let random
sites spam away, then pretty soon it will turn into MySpace, and competitors
will eat its lunch.

------
Wilfred
I would argue this is already being taken advantage of (though 'exploited'
seems a bit strong). There are pages such as this one:
[http://www.facebook.com/pages/96-percent-of-people-cant-figure-out-how-this-is-real/145455405484685](http://www.facebook.com/pages/96-percent-of-people-cant-figure-out-how-this-is-real/145455405484685)
that require the user to 'like' it before they can see whatever it is.

It would be interesting to see what sectors are targeting this new spam
avenue. Facebook's anti-spam approach is largely effective though -- as a
centralised service they have a lot of behaviour metrics to characterise
misbehaviour.

------
ErrantX
I think the problem is simply in the name of the button.

I ran this by some of my less technical friends who use Facebook and they said
some variation of " _yes, that's what it's for isn't it? It's just got a
confusing name_ "

Something like "Follow" would be more descriptive.

EDIT: the problem stems from Facebook trying to switch from being a
"person-to-person" social network to a Twitter-esque community network.

------
jcl
Wow... I wonder how far we are from having a marketplace for widely Liked
sites to sell their ability to post to their audience. (Unsavory startup
idea!)

~~~
patio11
Given that widely _linked_ sites are frequently bought after being abandoned
and used by spammers (for link equity and direct traffic), I don't think that
is far fetched at all.

A startup can reasonably achieve a metric truckload of likes (to the startup,
to content, whichever), fail to achieve revenue, and fold in an N month
period. The assets of a failed startup are worth close to nothing, and can
probably be acquired for close to it. (Who at a shuttered company is in charge
of re-registering the domain name, after all?)

All you have to do is one blaze-of-glory phishing scam, or something like
"Save Twitrliciously! Donate $5 to help keep us open!", etc. (Not a unique
risk, given that you could do that with just the web page, but it gets you
instant distribution to a highly targeted audience and that is 90% of the
battle.)

Facebook getting the memo and shutting down the site N hours later does not
necessarily help all that much.

------
Tichy
If users would actually understand it, it might actually make for interesting
behavior. It would raise the price of Likes.

------
rumpelstiltskin
Is the publishing of updates automatic? As in if a user 'likes' a blog page
and the blog publishes a new article, does that new page get pushed into the
user's news feed automatically? Or does the blog have to do something extra to
keep pushing updates?

------
geuis
I clicked the like button and I don't see any kind of notifications.

~~~
sstrudeau
If you have Facebook Mobile (iPhone or Android) check there -- I'm not seeing
it on the web but it took over my mobile news feed.

------
drivebyacct2
This was obvious during the conversion of random lists and groups into
data-ized Like graphs. They made it known this was possible. That's why I saw
the blip from Futurama when they post a clip from their new episode, etc...

It's intended, and for all intents and purposes, desired. If you don't want to
see the New Items from a band/artist/website, don't like it.

Not sure what was expected.