Sunday, January 1, 2012

Facebook Like Widget – Spammers Tool???

Nowadays I get curious and look at the view-source of any website where Facebook's Like button is embedded. But why should I do this? Isn't the Facebook Like button trusted? You would think so.. Huh!!! The answer is NO. If there is a mismatch between the domain you are visiting and the domain the Facebook Like button points to, then there is surely a problem and it is a spam page.

How I concluded this?

Facebook's Like widget can be integrated into any website and is free to use. More surprisingly, it does not validate the host website.

How can it be used by Spammers?

Spammers use the Like widget to make their fake page look very real, thereby inducing visitors to click on the Like button. The Like button can trigger any event of the attacker's choice, which will run inside the user's browser, or it may redirect the user to the attacker's website or infect the user's system.

Root Cause Analysis

Facebook does not validate the host domain, and that is what causes the issue. Validating the host domain with Facebook (using an API, XHR, or a hidden variable) may solve the problem.
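The view-source check from the opening paragraph, and the host-versus-widget comparison this section calls for, can be automated. The script below is an added example and is not code from the original post or from Facebook: it parses a page's HTML with the standard library, pulls out the URL each Like widget is pointed at (the `href` query parameter of the `like.php` iframe, the `data-href` of an HTML5 `fb-like` div, or the `href` of an `fb:like` tag) and flags any whose hostname differs from the hostname the page was served from. The page URL and HTML are constructed sample input.

```python
"""Audit a page's HTML for Facebook Like widgets whose target domain does not
match the domain the page is served from (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Path of the iframe embed form of the Like button
LIKE_ENDPOINT = "facebook.com/plugins/like.php"


def normalize_host(url):
    """Lowercase hostname with a leading 'www.' stripped, or '' if the URL has none."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class LikeWidgetParser(HTMLParser):
    """Collect the URL each Like widget is pointed at, for the three embed forms."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (embed_form, liked_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already unescapes &amp; etc. in attribute values
        if tag == "iframe":
            src = a.get("src") or ""
            if LIKE_ENDPOINT in src:
                # parse_qs percent-decodes the href value for us
                for href in parse_qs(urlparse(src).query).get("href", []):
                    self.targets.append(("iframe", href))
        elif tag == "div" and "fb-like" in (a.get("class") or "").split():
            if a.get("data-href"):
                self.targets.append(("html5", a["data-href"]))
        elif tag == "fb:like" and a.get("href"):
            self.targets.append(("xfbml", a["href"]))


def audit_like_widgets(page_url, html_source):
    """Return a list of (embed_form, liked_url, verdict) for every Like widget found.

    verdict is 'ok' when the liked URL's host equals the visited page's host,
    otherwise 'MISMATCH' (the condition the post treats as a spam indicator).
    """
    page_host = normalize_host(page_url)
    parser = LikeWidgetParser()
    parser.feed(html_source)
    findings = []
    for form, liked_url in parser.targets:
        verdict = "ok" if normalize_host(liked_url) == page_host else "MISMATCH"
        findings.append((form, liked_url, verdict))
    return findings


# Constructed sample: a lure page that borrows a Like button pointed at someone
# else's site, plus a second widget that correctly points at the page itself.
SAMPLE_PAGE_URL = "http://win-a-free-phone.example/claim"
SAMPLE_HTML = """
<html><body>
<h1>You have been selected!</h1>
<iframe src="//www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.trusted-brand.example%2F&amp;layout=button_count"></iframe>
<div class="fb-like" data-href="http://win-a-free-phone.example/claim" data-send="false"></div>
</body></html>
"""

if __name__ == "__main__":
    for form, url, verdict in audit_like_widgets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{verdict:9} {form:6} -> {url}")
```

The comparison only strips a leading `www.`, so a widget pointed at `blog.example.com` from a page on `example.com` is reported as a mismatch; a stricter auditor would compare registrable domains using the public suffix list. Likewise, a legitimate site that points its Like button at its own Facebook page will be flagged, which is consistent with the post's rule but is a case a practitioner would want to review by hand rather than treat as an automatic spam verdict.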

Happy Reading!!!