Thursday, March 10, 2011

A bookmarklet to uncover Facebook Likejacking

Spammers love to use hidden Facebook "Like" buttons to spread their spam quickly, a technique called Likejacking. Recently, I was forwarded a few German Likejacking pages:
  • hxxp:// (live)
  • hxxp:// (down)
  • hxxp:// (down)
Spam page with hidden Facebook "Like" button

The spam pages contain a lot of ads (of course!), a video and an hidden iframe. The hidden iframe contains the Facebook "Like" button. It follows the mouse as the user hovers over the video to click on the Play button. The user's click triggers both the Facebook "Like" widget and starts the video. The spam page then appears in the user's Facebook news feed, spreading the spam to more people.

Source code of the hidden iframe

To hide the iframe, it is reduced to 2x2 pixels and has a black background (same as the video background).

Bookmarklet to uncover hidden iframes

A simple way to uncover the hidden iframe is to make the parent iframe bigger. I removed the "width: 2px" and "height: 2px" attributes for the "hidden" iframe, and the "Like" button became apparent.

The Facebook "Like" widget uncovered. Notice the black background.

All browsers allow users to run Javascript in the context of the page through a bookmarklet. I've transformed the JavaScript I used in the example above into a bookmarklet. Drag and drop the link below to your bookmarks. This will create a new bookmark "Uncover Facebook Likejacking 1.0(Zscaler)". If you browse to a suspicious page and suspect an hidden "Like" widget, click on this bookmark to uncover any potential Likejacking.

Uncover Facebook Likejacking (Zscaler)

You can find the original JavaScript here.

Here is short video of how it works.

Same origin policy

Because the Javascript from the bookmarklet is running in the context of the page, it is subjected to the Same origin policy. This means the JavaScript cannot access frames or iframes loaded from a domain different from the main page. The script shows a warning if a page contains frames. You can load each frame in a different tab and run the bookmarklet on each of them.

Warnings on pages using frames

If you're ever victim of Likejacking, you can always remove the spam from your news feed and mark it as spam. But Facebook does seem pretty slow at reacting to Likejacking, as this web page is still being shown in users news feeds after several days of spamming people.

-- Julien

    1 comment:

    Elias said...

    Hi. Would you mind to update the Bookmark as it seems not to work any more. Cheers.