Do you like cats? Do you hate cats? Whatever the case, I want you to click on the above picture. Once you do, I will explain why I am asking you to do this. (If my explanation doesn’t appear below on the first click, wait a bit and click again.)
* trick no longer works so content below is automatically revealed
Facebook offers a social plug-in for websites called “Like Button”. What this does, if you don’t already know, is that it creates a button on a website and that allows facebook users to “like” with just a click. This is great because the “like” registers as a post on their facebook profile, opening the opportunity for lots of referral traffic.
Using iframes for such applications is a good choice because in many modern browsers, security protocols are in place that prevent Cross-site Scripting (XSS), for example, without getting in the way of features pertaining to the iframed webpage (i.e. scripts from a webpage won’t know much about an iframe’s content if it comes from another website). In the case of the like button, this makes it much harder for websites to get users to like something without their consent.
An obvious solution is to have the like button iframe covertly follow the mouse. By doing this, when the users click, they click on the like button. The problem is that the site owner doesn’t get feedback on happens inside the iframe. This means he has to blindly remove the iframe or his users’ ability to interact with his site becomes limited. This exemplifies why using iframe is a good choice. What do you think is a better: having lots of likes but frustrated users or decent number of likes and satisfied users? The latter is probably better in the long run.
However, since the HTML5 and XFBML do not rely on just an iframe, they are more susceptible to malicious intents. Today I am going to present a way for someone to achieve lots of likes and still maintain satisfied users when using the HTML5 or XFBML method. I can get almost any Facebook user/visitor to like something with just a click anywhere on a page without the user being suspicious.
If you recall, I said that scripts from one website can know much about an iframe’s content if it comes from another website. However, if it comes from the same website, the scripts have much more power. I also said that the HTML5 and XFBML methods change the generated source for a webpage. This all means that you can detect changes! By detecting changes, you can dramatically improve your odds of removing a trailing iframe to still achieve your desired goals.
A working clean demo is available here. The way it is set up is that it first detects if the visitor is logged into facebook. It does this through a hack revealed here. If you are not logged in, it removes the trailing iframe. If it doesn’t do this, a Facebook sign in popup will show up upon click, which will undoubtedly make users suspicious. If you are logged in, the trailing iframe is left enabled and it points to the html page with the HTML5 like button. That iframe is set as 2px by 2px, with 0.01 opacity, so it’s definitely hard for a user to notice. At the same time, the script monitors for changes in iframed source every tenth of a second. I have found that the source changes more than two times when a user hits like.
When it arrives at that state, we can make the assumption that the user clicked like. The script then creates a cookie and removes the iframe. When the user refreshes with the cookie still present, the iframe is not shown. The removal allows the user to resume normal activities.
A flaw in this design is that we don’t know if a user removes the like directly from Facebook. If the user does that and the cookie is present, he will not be presented with the iframe again. Another flaw is that if the user removes the cookie while still having the liked state, he can no longer do click events on the webpage. Obviously the latter is what we mostly want to avoid. As far as I know, there is no way to figure out the true like status of a user. Maybe instead of creating just a standard browser cookie, it should create an evercookie?
Now imagine the potential. Let’s say that every user that “likes” a page brings in two referrals new to the page. That means by the nth level, where n starts with 1, there would have been 2^n – 1 new visitors. When n = 30, the number of visitors will be 1,073,741,823!
This trick works very well on Google Chrome. It sometimes works on Firefox and Internet Explorer.
The solution to this problem is to prevent the source generated by the HTML5 and XFBML methods outside the iframe from changing so much. This will render the trick futile. Site owners would then again find the trailing iframe not appealing given the drawback of no feedback. The Twitter follow button is an example of what I am talking about.