Facebook has put controls in place to limit the Like button. The aim is to help fight likejacking, although Sophos believes the step is insufficient.
Clickjacking now has a Facebook equivalent built around the Like button. First seen in 2010, likejacking consists of luring Facebook users with the promise of a video they can watch, either amusing or slightly risqué.
On the supposed video site, the user clicks without seeing the hidden Like button, because it is covered by a page that looks a lot like YouTube. If the user is logged in to their Facebook account, the content is posted to their wall and the malicious link is displayed to their friends.
The technique's goal is obviously to steal the user's personal information or to carry out other malicious acts. To counter likejacking, Facebook has put a double-verification system in place. The system is supposed to detect suspicious Like patterns and ask the user to confirm their action on the affected pages (a pop-up appears).
According to Sophos, this protection measure was deployed two weeks ago. The British security vendor congratulates Facebook on the initiative but had previously asked that the technique be validated, even though the detection details have not been disclosed. This request stems from Sophos's belief that the detection algorithm only works in "rare cases".
Perhaps all that is needed is more time, but Sophos prefers a more radical approach, believing that the verification pop-up should be displayed in every case, each time a user wants to Like a page. That is surely a concession Facebook users would rather do without.