Deceiving Users with the Facebook Like Button (arnab.org)
92 points by arnabdotorg on April 22, 2010 | 18 comments



Checking the referrer (errr, "referer") header seems obvious to me; I wonder why they're not doing it.

Sure, the referrer can be spoofed if you can set arbitrary headers, but you can't set headers on iframe requests anyway (and even XHR explicitly disallows setting Referer).
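The check proposed in the comment above, as an added example (not code from the thread, nor Facebook's own implementation): a server-side rule that accepts a Like-button iframe request only when the Referer origin matches the origin of the `href` being liked, so a third-party page framing someone else's button is rejected. The function names and the sample requests are constructed for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

def origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) for an http(s) URL, or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, port or default_port)

def referer_allows_like(href: str, referer: Optional[str]) -> bool:
    """Accept a Like-button iframe request only when the page embedding the
    iframe (Referer) has the same origin as the URL being liked (href).

    A missing Referer (privacy extensions, some proxies) fails closed here;
    that choice is an assumption of this example, not Facebook's behaviour.
    """
    if not referer:
        return False
    target, source = origin(href), origin(referer)
    return target is not None and target == source

# Constructed sample requests: (href being liked, Referer of the framing page).
SAMPLE_REQUESTS = [
    ("http://example.com/article", "http://example.com/article"),   # legitimate embed
    ("http://example.com/article", "http://EXAMPLE.com:80/other"),  # same origin, other page
    ("http://example.com/article", "https://captcha.example.net/"), # third-party page framing it
    ("http://example.com/article", None),                           # Referer stripped
]

def audit(requests=SAMPLE_REQUESTS):
    """Return the accept/reject decision for each sample request, in order."""
    return [referer_allows_like(href, ref) for href, ref in requests]

if __name__ == "__main__":
    for (href, ref), ok in zip(SAMPLE_REQUESTS, audit()):
        print(f"{'ACCEPT' if ok else 'REJECT'}  href={href}  referer={ref}")
```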


A related side-note: my organization blocks access to Facebook; the iframe with his like button was also blocked by the filter.


Does it end up blocking the entire page or just the iframe?


Just the iframe.


As the author points out, the easy fix is to let users know what they just liked, or ask them to confirm.

Also I suspect this service is fairly self-regulating. Facebook users are generally careful about what they broadcast. The author gives the captcha trick used by porn sites as an example... how many people are going to broadcast their taste in porn?


> Facebook users are generally careful about what they broadcast.

Seriously? Maybe among your tech-savvy friends, but the majority of Facebook users have no idea what they're doing when they type something into the box and click "Share."

A few minutes over at http://failbook.com/ is enough to point that out, and those are just the egregiously bad / hilarious cases.


I see this story come up a lot, but according to reCAPTCHA, it's an urban legend. There is not really any evidence that spammers actually do this at all, let alone do it on a meaningful scale.


Unless my memory is playing tricks on me, I recall Luis von Ahn mentioning this as an example of ways people had attempted to defeat his system at a talk of his several years ago. He may have been talking about theoretical attacks and not actual ones, but I'm on my phone now and can't effectively dig for a video if one exists.


"Facebook users are generally careful about what they broadcast."

There are already lots of spam websites and FB apps that trick users into becoming a fan of... I mean, "liking" pages using JS. This iframe only makes it easier.

I can even imagine spam JS links altering a legit iframe, hoping a user clicks it afterwards.


> You have to click the button again to remove the "Like" relationship.

Wow, talk about confusing as hell...


If you notice it when you're still on the page, it's easy. However, as I understand it one would have to go to their Facebook page to see this, and it seems unlikely that most users would be doing that (constantly watching their Facebook page, not just the homepage feed). If someone is "liking" a lot of pages, then there's also the difficulty of figuring out which pages the spam is coming from - even if it would be possible to determine through a process of elimination, users would have to remember every page they liked by the time they noticed the spam.

Not a big issue now, but if lots of pages start using this capability, it could become a problem, albeit of a very minor variety.


Another similar issue I've come across is when there are multiple Like buttons on the same page, e.g., does one like this blog/site or just the article?

Not a terrible confusion or potentially too sinister, but a bit more attention than usual is required compared to the simple share.


"The new button trades off this security for convenience."

Trend?


Not really a question. The trend has been going on for years now.


I disagree. See: Airport Security.


Yup, there you're trading off security for theater.


You're not actually 'trading off' security. You're trading convenience for a false sense of security.


And you deserve neither(?)



