I decided to delve a bit into the hacking underworld yesterday, wanting to learn more about how Facebook users could be signed up for pages they didn’t like. It turns out that a Google search for “facebook clickjacking” returns a lot of results.
I downloaded one clickjacking kit from a site called zarabyte.com and took a look. It includes this line in a file called like.js:
var thehairs = “< iframe id='theiframe' scrolling='no' frameBorder='0' allowTransparency='true' src='http://www.facebook.com/widgets/like.php?href=" + encodeURIComponent(fan_page_url) + "&layout=standard&show_faces=true&width=53&action=like&colorscheme=light&height=80' style='position:absolute;width:53px;height:23px;overflow:hidden;border:0;opacity:" + opacity +";filter:alpha(opacity=" + opacity * 100+ ");' >< /iframe >“;
Basically, it sneaks in an iframe on the page and kicks off the like.php script to “like” the desired page. There doesn’t appear to be anything magic about what this does. If the user is logged into Facebook (in another browser window, for instance), this script should register a like. Futhermore, that like should be logged in the Activity Log as any other like would be.
Based on this behavior, I’m pretty confident that these mysterious Romney Facebook likes aren’t being generated through clickjacking.