Facebook is the biggest social network, and in spite of the controversy over the (lack of) privacy of its users' information, it doesn't stop growing. One of the easiest actions it enables is to say that you "like" something. When you are logged in to the social network, a single click on the corresponding icon expresses that you like a friend's picture, a comment, an application... and you can also say that you like something without being on the Facebook site at all. Many websites have added this feature, so that you can say you like them with one click as long as you're logged in to Facebook. The best way to understand this is with an example: I've been playing for more than a year an online role-playing game about vampires called Blood Wars, which has nothing to do with Facebook. However, the option to say that you like it on Facebook has recently been added to the game's main site:

[Image: Blood Wars]

When you click this button, your Facebook page is automatically updated, indicating that you like Blood Wars:

[Image: Bloodwars Facebook, Luis Corrons]

That's good: it's easy for Facebook users, and it's great for companies, as people can talk about them or their products with a single click... So where is the problem? Well, we're talking about websites, and with a few lines of JavaScript (or, for that matter, plain CSS) the site that embeds the button can "corrupt" the original purpose of this functionality: the visitor sees one thing, but the button actually points at whatever page the site owner chose, and the text Facebook publishes is taken from that page, not from what the visitor saw. Imagine that I add an icon to the PandaLabs blog so that you can say that you like PandaLabs. You'll expect your Facebook account to be updated with the information that you like PandaLabs. But what if I've changed the code so that the button points at a page titled "to know that he is dummy"? On Facebook, you'll see the following text: "Luis likes to know that he is dummy". Well, this is not so serious; it's just a joke. We could make it more interesting: I could add a link promising that if you click on it you'll enter a draw for an iPad, when in fact THE TEXT I WANT will be displayed on Facebook 🙂
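As an added example (not code from the PandaLabs post, and not Facebook's own code), the script below shows the two halves of the trick in JavaScript, runnable under Node.js: the text Facebook publishes comes from the page the Like button's href points at (here its Open Graph og:title, falling back to <title>, which is an assumption about Facebook's behaviour), and the button can be made invisible and stacked over a bait link with inline CSS alone. The classic iframe embed format facebook.com/plugins/like.php?href=... is assumed; the three HTML pages (an honest embed, a bait page, and the page the bait button secretly likes) are constructed for the example, and example.com / example.net are placeholder URLs.

```javascript
// Added example: audit Like-button embeds in a page and predict what Facebook
// would publish for a click. Not code from the original post or from Facebook.
// Assumes the classic iframe embed: http://www.facebook.com/plugins/like.php?href=<url>

// Constructed sample 1: an honest embed, visible next to a plain caption.
const HONEST_PAGE = `
<p>If you enjoy the game, tell your friends:</p>
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.com%2Fgame%2F&layout=standard&action=like"
        scrolling="no" frameborder="0" style="border:none; width:450px; height:80px"></iframe>`;

// Constructed sample 2: a bait page. The visitor sees an iPad link; an invisible
// Like button is stacked on top of it with plain CSS (no JavaScript required).
const BAIT_PAGE = `
<div style="position:relative">
  <a href="#" style="font-size:20px">Click here to enter the iPad draw!</a>
  <iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.net%2Fdummy&layout=button_count&action=like"
          scrolling="no" frameborder="0"
          style="position:absolute; top:0; left:0; z-index:10; opacity:0; filter:alpha(opacity=0); width:100px; height:21px"></iframe>
</div>`;

// Constructed sample 3: the page the bait button secretly points at. Its
// Open Graph title is what becomes "<Name> likes ..." in the feed.
const TARGET_PAGE = `<html><head>
<title>Nothing to see here</title>
<meta property="og:title" content="to know that he is dummy">
</head><body></body></html>`;

// Pull the attributes of every <iframe> tag (regex-based: enough for embed
// snippets like the ones above, not a general HTML parser).
function extractIframes(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const attrs = {};
    const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
    let m;
    while ((m = attrRe.exec(tag)) !== null) {
      attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
    }
    return attrs;
  });
}

// A fully transparent element still receives clicks, so opacity 0 (or the old
// IE filter equivalent) on a Like button is the hallmark of a likejacking overlay.
function isInvisibleButClickable(style) {
  const s = (style || '').toLowerCase().replace(/\s+/g, '');
  return /(^|;)opacity:0(\.0+)?(;|$)/.test(s) || /filter:alpha\(opacity=0\)/.test(s);
}

// Report every Facebook Like embed on a page: the URL a click would actually
// "like" (percent-decoded from the href parameter) and whether the button is hidden.
function auditLikeButtons(html) {
  const findings = [];
  for (const attrs of extractIframes(html)) {
    let url;
    try { url = new URL(attrs.src || ''); } catch (e) { continue; }
    const isLikeButton = /(^|\.)facebook\.com$/.test(url.hostname) &&
                         url.pathname.endsWith('/plugins/like.php');
    if (!isLikeButton) continue;
    const hidden = isInvisibleButClickable(attrs.style);
    findings.push({
      likes: url.searchParams.get('href'),
      hidden,
      verdict: hidden ? 'suspicious: invisible Like button' : 'visible Like button',
    });
  }
  return findings;
}

// The feed text is built from the liked page, not from the page the visitor
// clicked on: og:title first, <title> as a fallback (assumed behaviour).
function ogTitle(pageHtml) {
  const og = pageHtml.match(/<meta\b[^>]*property\s*=\s*["']og:title["'][^>]*content\s*=\s*["']([^"']*)["']/i);
  if (og) return og[1];
  const t = pageHtml.match(/<title>([^<]*)<\/title>/i);
  return t ? t[1].trim() : null;
}

function storyText(userName, likedPageHtml) {
  return `${userName} likes ${ogTitle(likedPageHtml)}`;
}

console.log(auditLikeButtons(HONEST_PAGE));
console.log(auditLikeButtons(BAIT_PAGE));
console.log(storyText('Luis', TARGET_PAGE));
```

Note that the bait page hides the button with CSS alone, so blocking scripts does not by itself stop the overlay; to know what a click will really publish you have to look at the button's href and at the title of the page it points to, which is what auditLikeButtons and storyText do.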

But let's put ourselves in the place of a cybercrook, who is looking for money. They may want to make money by getting you to visit, for example, a website full of advertisements. Or even worse, one that distributes malware, so that we get infected with rogueware, Trojans, etc. For the moment we've not seen any case of malware distribution, but it's just a matter of time. In the last few weeks we've seen many cases that use baits like "101 Hottest Women in the World", "Farmville" or "Sex & the City 2", promising access to content on the site's topic, a video to watch, etc.; the only thing that actually happens is that the bait spreads itself: the "like" appears on your Facebook wall, and every friend who follows the link falls into the same trap.
My advice: be distrustful, don't trust anything, and disable JavaScript in your browser 😉