I recently started using Facebook and Buzz along with Twitter as public publishing tools. Facebook still sells itself as being for your friends and people you know, which is still completely false. Everything you post on Facebook is public-regardless of your privacy settings, and permanent-regardless of whether you delete it from your wall, but that's besides the point.

The issue I'm writing about today is one where Facebook allows any website to post to your wall as you without your consent (ie: identity theft), as long as you're signed into Facebook. Most people are permanently signed in even when all Facebook tabs and windows are closed by means of a session cookie your browser saves for weeks. Today in my newsfeed there was a link to a video of the tsunami in Japan.

When you click on the link you get taken to a fake youtube page, and are told to verify your age to watch the video. Clicking on the "Verify my age" link takes you to an annoying ad for a malware toolbar, while secretly using your Facebook account to post the link to your own wall and like it. Clicking anywhere else takes you to other sites that infect your computer with viruses and malware.

This malware spreading site happens to be using a live analytics service called amung.us and if you look at the ping response you can see that there are constantly around 10,000 people on the site over the five minutes I kept hitting refresh.

The fake youtube site isn't hacking Facebook or your account, it's simply taking advantage of a gaping security hole in Facebook's API. Any website can embed a hidden Like button, and if you happen to be logged into Facebook on that computer that website can post anything to your wall.

How does it work?

A website loads a hidden Like button on their page, which is just an iframe calling http://www.facebook.com/plugins/like.php with some GET variables. The website uses Javascript to trigger the click action of the Like button posting anything they feel like to your profile without your consent or knowledge. Your friends see the link, trust you, click on it and begin spreading it themselves.

How can Facebook easily prevent it?

Liking a 3rd party webpage should popup a little box that asks for your pin number. Your pin number should be set in your Facebook account settings and be a 4 digit number separate from your password that you're prompted to change every month. This way posting content is a conscious effort on your part, and 3rd parties can't use hidden Like buttons to post to your wall.