Facebook Like Widget – Spammers Tool???

January 1, 2014
Pentests

Nowadays, I get very curious and look at the view-source of any website where Facebook’s Like button is embedded. But why should I do this? Isn’t the Facebook Like button trusted? That is right.. Huh!!! The answer is NO. If there is a mismatch between the domain you are visiting and the domain Facebook’s Like button points to, then there is surely a problem and it is a spam page.

How did I conclude this?

Facebook’s Like widget can be integrated into any website and is free to use. More surprisingly, it does not validate the host website.

How can it be used by Spammers?

Spammers use the Like widget to make their fake page look very real, thereby inducing visitors to click the Like button. The Like button can trigger any event of the attacker’s choice, which will run inside the user’s browser, or it may redirect the user to the attacker’s website or infect the user’s system.

Root Cause Analysis

Facebook does not validate the host domain, which is what causes the issue. Validating the host domain with Facebook (using an API call, an XHR request, or a hidden variable) may solve the problem.
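One way a site owner or analyst can apply the domain check described above, as an added example that is not part of the original post: the function below scans raw HTML for embedded Like widgets and reports any whose target URL lies outside the embedding page's domain. The sample HTML and the `attacker.invalid` host are constructed for the demonstration.

```javascript
// Added example (not from the original post): flag Facebook Like widgets whose
// target URL does not belong to the page that embeds them. It works on a raw
// HTML string so it runs under Node without a DOM.

// Extract the Like target from the two common embed forms:
//   <div class="fb-like" data-href="https://example.com/page">
//   <iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.com">
function extractLikeTargets(html) {
  const targets = [];
  // XFBML/HTML5 form: any <div> carrying the fb-like class, attribute order ignored.
  const divTag = /<div\b[^>]*\bfb-like\b[^>]*>/gi;
  for (const m of html.matchAll(divTag)) {
    const attr = m[0].match(/data-href="([^"]+)"/i);
    if (attr) targets.push(attr[1]);
  }
  // Iframe form: the liked page is carried in the href query parameter.
  const iframe = /<iframe\b[^>]*src="(https?:\/\/(?:www\.)?facebook\.com\/plugins\/like\.php\?[^"]*)"/gi;
  for (const m of html.matchAll(iframe)) {
    const href = new URL(m[1]).searchParams.get("href");
    if (href) targets.push(href);
  }
  return targets;
}

// Registrable domain approximated by the last two labels, so blog.example.com and
// example.com agree; a public-suffix list would be stricter for co.uk-style hosts.
function baseDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Return the Like targets that point somewhere other than the hosting page's domain.
// Unparsable targets are reported too, since a legitimate widget has a valid URL.
function findMismatchedLikeWidgets(html, pageUrl) {
  const pageDomain = baseDomain(new URL(pageUrl).hostname);
  const mismatches = [];
  for (const target of extractLikeTargets(html)) {
    let host;
    try { host = new URL(target).hostname; } catch (e) { mismatches.push(target); continue; }
    if (baseDomain(host) !== pageDomain) mismatches.push(target);
  }
  return mismatches;
}

// Constructed sample: one legitimate widget and one that "likes" a foreign page.
const SAMPLE_HTML = `
<div class="fb-like" data-href="https://www.example.com/article" data-layout="button_count"></div>
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fattacker.invalid%2Fscam&width=90"></iframe>
`;

console.log(findMismatchedLikeWidgets(SAMPLE_HTML, "https://www.example.com/article"));
```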

Happy Reading!!!
