"Likejacking" Takes Off on Facebook. The Facebook Like button is vulnerable to Clickjacking, and is being widely exploited. Since Likes show up in your Facebook stream, it’s an easy attack to make viral. The button is implemented on third party sites as an iframe, which would seem to me to be exploitable by design (just make the iframe transparent in the parent document and trick the user in to clicking in the right place). I can’t think of any way they could support the embedded Like button without being vulnerable to clickjacking, since clickjacking prevention relies on not allowing your UI elements to be embedded in a hostile site while the Like button’s functionality depends on exactly that.
Sign in with 
OpenID
Should I click the Like button at the end of that article?
Paul Morriss - 3rd June 2010 10:41 - #
Don't click this one unless you know what you're doing.
I don't, but it looks and smells very funky.
http://credittreport.info/the-best-passport-applic ation-rejection-in-history.html
Mark Swannie - 3rd June 2010 10:48 - #
Ahh, it appears to have been taken down or b0rked (when accessed in "Private Browsing").
Mark Swannie - 3rd June 2010 10:54 - #
Has anyone found a list of 'like's, so you can quickly 'unlike' something you accidentally 'liked'? I haven't. Which means the problem spreads.
I'd be more worried about clickjacking if people weren't so prepared to 'like' or paste javascript code into the address bar anyway, just to see "THE MOST AMAZING JOKE EVAR! [HILARIOUS!]".
Sometimes I despair at humanity.
Jim Stobbs - 3rd June 2010 12:15 - #
Simon,
It could be made to avoid clickjacking by having the request include a signature - shared secret + referrer - which would be validated before service. Or do you need to defend against Hostile containing Host containing Facebook?
Jeremy Dunck - 3rd June 2010 20:22 - #
tazorac - 25th September 2011 17:34 - #
shop pharmacy - 25th September 2011 17:36 - #