Like-jacking: Malicious use of the “like” button on Facebook, in which users are duped into clicking on an image that appears to have been “liked” by a friend. Also spelled likejacking. A variant of clickjacking, which was coined in 2008 to describe a way of tricking Web users into revealing confidential information. Both like-jacking and clickjacking are derived from hijacking, which entered American English in 1922, possibly from high(way) + “jacking” (holding someone up).
I first saw like-jacking in a recent “Week in Words,” Erin McKean’s column for the Wall Street Journal, but the word has been around for a couple of years. Corey Ballou, a web developer in North Carolina who blogs at JQueryin, claims to have coined like-jacking in April 2010, after Facebook’s f8 developer conference:
In the comments section of How to “Like” Anything on the Web (Safely), I coined the term like-jacking, seeing a strong correlation between malicious usage of the button and clickjacking. … Little did I know that my term would be on the forefront of a media frenzy, where a plethora of articles would be posted in a matter of minutes regarding the subject.
The problem stems from the overly simple way Facebook implemented the “like button” feature. Non-developers can plug a URL into a wizard that generates code that can be copied and pasted anywhere on the Web. Like buttons created this way, or written by hand, will function properly even when they point to a webpage on a different domain from the page hosting the button.
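Because like-jacking, like any clickjacking, depends on the targeted page being loadable inside a frame on a third-party site, a site operator's first check is whether their own pages' response headers permit that. The following is an added example, not code from the original post or from Facebook; the header names and directive semantics are the real ones browsers use, and the sample headers in the `__main__` block are constructed for illustration.

```python
"""Classify whether an HTTP response allows a third-party origin to frame the page.

Browsers honour two anti-framing controls: the Content-Security-Policy
``frame-ancestors`` directive (which takes precedence over X-Frame-Options
when both are present) and the older X-Frame-Options header.  A page that
sets neither can be framed by any origin, which is the precondition for
clickjacking and its like-jacking variant.
"""
from typing import Dict, Optional


def _frame_ancestors(csp: str) -> Optional[str]:
    """Return the lower-cased frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:]).lower()
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'allow-list' or 'open' for a response.

    'open' means any origin may frame the page.  Header names are matched
    case-insensitively, as they arrive from a real server.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = _frame_ancestors(csp)
        if ancestors is not None:  # CSP frame-ancestors wins over X-Frame-Options
            sources = ancestors.split()
            if not sources or sources == ["'none'"]:
                return "blocked"
            if sources == ["'self'"]:
                return "same-origin"
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return "open"
            return "allow-list"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "blocked"
    if xfo == "sameorigin":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it protects nothing.
    return "open"


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    for sample in ({}, {"X-Frame-Options": "DENY"},
                   {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"}):
        print(sample, "->", framing_policy(sample))
```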
Facebook responded to the problem by adding a “Confirm” step to “liking.” Nevertheless, in September 2011 security company Symantec found that 15 percent of Facebook videos were like-jacking attacks.