T/S Ad Slant
The T/S Ad Slant, similar to an advertorial in a magazine or newspaper, is a form of paid advertising. Each T/S Ad Slant is written, edited, and produced by the advertiser with tools like those used by True/Slant contributors. Please contact advertise@trueslant.com for more information.
 
Sponsor Message

Jun. 10 2010 — 6:19 pm | 700 views | 0 recommendations | 0 comments

Facebook says you Like Justin Bieber – but you don’t, really!! How to avoid clickjacking


I’m not a Facebook liker of Justin Bieber. I mean, I know he is some teen singer, formerly the most trending topic on Twitter, and OK, I found out he’s Canadian… but I don’t care. I’d never Like him on Facebook. But if I get ‘clickjacked’, all my Facebook friends will think I do. How embarrassing!

But, let’s be honest, that’s kid’s stuff… this is the Internet, I could end up sending some terrible, REALLY embarrassing things to all my friends.

Did you click a Like link this week on someone’s web page? Does Facebook say you did, but you don’t remember? You may have been PRANKED! Many Facebook users are becoming victims of the latest social engineering prank, “clickjacking”. And it might get worse.

If it was something like this link on LikeThisThing, e.g. http://www.likethisthing.com/getting-drunk/ (Hey, be careful on that page, OK? Click on NOTHING!) then: were you a victim?

The site has no privacy policy and was only set up about a week ago by someone shy enough to hide their identity in their domain registration records. Yet, by using Facebook’s social plugins to allow you to Like “sleep” or “sex” or “money”, the site developer gets the ability to access your Facebook id and post on your wall. What are they up to? And would you willingly click that Like button? Did you? Seems highly unlikely people would rationally click on several of the phrases on the site… so what’s going on?

What exactly is “clickjacking”? Essentially, it’s a way for a website developer to get you to click on something you never intended to click on, by overlaying a transparent layer on what you thought you were clicking on (usually something a lot more innocent, such as “Click here to continue”).

Why bother? Because the Facebook “Like” button, and many other social plugins such as the voting buttons to the right of this post, are designed as iframes, little web windows from, say, Trueslant.com into Facebook.com or Reddit.com. When you click on the Facebook Share button, you’re interacting with Facebook.com and not True/Slant. If you’re logged in to Facebook, the Share button will generate a Facebook Share. And if someone engineered a page with what looks like a link to a video, or another page, but placed over that link a transparent iframe to Facebook’s Like button, then your action will generate a click to Facebook. Facebook assumes you intended to click “Like” and immediately registers the Like, which you might not be aware of. And Facebook has no way to know you didn’t take that action willingly.
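
The overlay described above can be checked for mechanically. The following is an added example, not code from the original post or from Facebook: a heuristic that flags a nearly invisible cross-origin iframe stacked over a visible clickable element. The element records, the 0.1 opacity threshold and the example.com-style URLs are assumptions made for illustration.

```javascript
// Added example: audit a page layout for the overlay described above.
// Elements are plain objects (constructed sample data) so this runs in Node; in a
// browser the fields would come from getBoundingClientRect() and getComputedStyle().
const OPACITY_THRESHOLD = 0.1; // assumption: below this a frame is effectively invisible

function intersectionArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Flags cross-origin iframes that are nearly invisible, stacked above a
// visible clickable element, and covering at least part of it.
function findHiddenFrameOverlays(pageUrl, elements) {
  const pageOrigin = new URL(pageUrl).origin;
  const hiddenFrames = elements.filter(e =>
    e.tag === 'iframe' &&
    new URL(e.src).origin !== pageOrigin &&
    e.opacity < OPACITY_THRESHOLD);
  const visibleTargets = elements.filter(e =>
    e.clickable && e.opacity >= OPACITY_THRESHOLD);
  const findings = [];
  for (const frame of hiddenFrames) {
    for (const target of visibleTargets) {
      const overlap = intersectionArea(frame.rect, target.rect);
      if (overlap > 0 && frame.zIndex > target.zIndex) {
        findings.push({
          frame: frame.src,
          covers: target.label,
          coveredFraction: overlap / (target.rect.w * target.rect.h),
        });
      }
    }
  }
  return findings;
}

// Constructed sample: a decoy link with a transparent plugin frame on top,
// plus an ordinary visible plugin frame elsewhere on the page.
const SAMPLE_PAGE = [
  { tag: 'a', label: 'Click here to continue', clickable: true, opacity: 1,
    zIndex: 1, rect: { x: 100, y: 200, w: 200, h: 40 } },
  { tag: 'iframe', src: 'https://social.example/plugins/like', opacity: 0,
    zIndex: 10, rect: { x: 150, y: 205, w: 80, h: 30 } },
  { tag: 'iframe', src: 'https://social.example/plugins/like', opacity: 1,
    zIndex: 1, rect: { x: 600, y: 50, w: 80, h: 30 } },
];

console.log(findHiddenFrameOverlays('https://blog.example/post', SAMPLE_PAGE));
```

Only the transparent frame over the decoy link is reported; the visible plugin frame elsewhere on the page is not.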

The benefit to the culprits is getting their page exposed to your friends via your wall post; from there, your friends also help spread the attack as they follow the link to the offending website. Combine clickjacking with sketchy sites – such as the one above – and you have viral embarrassment! (And someone has a chuckle, or worse… they trigger a PayPal payment or an Amazon.com purchase.)

Part of this problem is Facebook’s attempt to dominate the online world. Placing their Like button on other websites is a big part of it. And that Like button needs to behave, on those sites, just as it behaves on Facebook – by instantly updating, no fancy pop-up dialog to confirm the action. But that removes the one obstacle to clickjacking and is what makes this attack so easy.

If you’re browsing with Firefox and use the popular NoScript plugin, then you will usually be protected from these attempts. You’ll usually get warnings about such clickjacking attempts (and a few false alarms, because the NoScript software is a bit sensitive). But users of other browsers, including Internet Explorer and Safari, have (to my knowledge) no similar protection from these “social engineering” attacks. And the attacks might get more harmful than just egg on your face.

The social networking and plugin providing websites – such as Facebook, Digg, and Reddit – will likely need to make changes to how their plugins work. For example, the Facebook Share button always brings up a confirmation dialog, from which you can cancel. But the new Facebook Like button has no such dialog – maybe Facebook needs one? I think it does, even if it changes the user’s experience.

In the meantime, it may be worth putting on a tinfoil hat, and using a browser with some clickjacking protection, to avoid these exploits.



Jun. 7 2010 — 8:14 am | 443 views | 0 recommendations | 1 comment

Do Facebook-driven comments kill trolls?

Ever felt the need to chime in on a subject, only to digress after seeing that the comment thread had already devolved to name-calling and mud-slinging? Many civil and useful comments are probably not posted every day on sites where comments have become the armpit of the site.

I spent a bit of time looking for suitable comment quotes to illustrate this story… but ended up leaving the really illustrative ones on the offending pages.

So, check out the comment threads on Yahoo! Buzz for live evidence that commenter anonymity (screen names and avatars) can create an atmosphere where valid debate and discussion of an issue is overwhelmed by shouting, name calling, and antisocial behavior. I’ve shown some of the tamer comments below:




May. 25 2010 — 7:34 am | 899 views | 0 recommendations | 3 comments

3 ways to keep Facebook Likes more private

What you just Liked on a website that is using Facebook’s new social plugins might be something you don’t want to tell your boss or neighbors about. But even though they aren’t your Facebook friends, Facebook says “you should consider the likes and recommendations you choose to make to be public information” – even if you have set your related privacy settings to just “Friends”. Whoops!

Facebook’s new Social Graph has enabled new “Like” buttons all over the web, prompting users to click Like on anything from a political blog post to a pair of jeans in the Levi’s store.

Even without doing anything, if you visit one of these Facebook-enabled pages while logged in to Facebook, it will display the names of your friends if they have clicked Like in the past.

In some cases, those Likes allow the site or page admins to post to your news stream. And likes will be visible to your friends, and perhaps the entire world.

Facebook says “If you decide you no longer like something, you can always remove the connection or ‘unlike’ the content on the original site. You’re always in control of the things you connect to or like.”

However, exactly what gets “erased” when you take an action to protect your privacy is still unclear… does the Levi.com site still have the ability to post to my profile? If I remove the like on Facebook, will it go away on Levi.com?

I tested this out recently, and here are my recommendations:

Page Like on Levi.com

Facebook profile after a Page like

There are supposedly multiple ways to “undo” these likes:

  1. Locate the Like on your Profile page (Wall tab) and remove it there (is this what Facebook implied by “remove the connection”? Maybe not…)
  2. Follow the link on the Like to the original page and dislike there (click Like again)
  3. Edit your profile Settings, choose Likes & Interests, and click “Show Other Pages”, then click “Remove Page”, close, and save changes.

However, I’ve discovered that the first option simply removes the Like from your Wall, and does not remove the Like from the Levi.com page or prohibit the page from posting to your wall in the future.

Using the third option is a good way to review which pages you’ve Liked, especially if they are a distant memory and far down your Profile page. Pages you’ve liked do not show up in your list of applications you’ve authorized, even though they are technically authorized applications (since the page admins can post to your news stream). So you’ll need to find them in your Profile | Edit Profile | Likes & Interests to manage them individually.

Facebook's Edit Profile Menu

The Likes & Interests tab with the “View Other Pages” popup.

And it’s still a good idea to revisit the original page (if it still exists) to ensure it has updated.

More Detail

Facebook shares some of the technical details of “what is shared with the third party site” in a blog post, but they do note these likes are going to be accessible to other websites and applications:

While these buttons and boxes appear on other websites, the content populating them comes directly from Facebook. The plugins were designed so that the website you are visiting receives none of this information. These plugins should be seen as an extension of Facebook.

But then…

When a like makes a connection in your profile, you can control who can see that in your Facebook profile by editing your “Friends, Tags and Connections” settings on your Privacy Settings page. Remember that even if you limit the visibility of a connection, it remains as public information and may appear in other places on Facebook.com or be accessed by applications and websites.

So, in other words, don’t rely on your Privacy settings to keep anything private. Everything’s still technically public. The website you visited receives nothing when you click Like, but can find out who you are later by simply querying the Facebook database. You’ll have to totally remove a Like to be sure it’s not accessible to someone you don’t want to see it. Or better, think twice before you click Like in the first place.



Mar. 8 2010 — 6:30 am | 8,611 views | 0 recommendations | 7 comments

There are more FarmVille players than Twitter users

You think Twitter is important, right? I mean, we hear about it all of the time, not only from our friends, but from the media as well. So how important is Twitter? Let’s take a look at the interest in Twitter compared to Facebook based on searches people do on Google, which is what the Google Trends graph shows below.

Google Trends_ facebook, twitter-1

One thing you notice immediately is that Facebook has a lot more searches than Twitter. But, look at the difference in news references! Twitter has seen long periods of time where it gets more media coverage than Facebook, which shows how out of touch the media is with what’s really interesting to the public. To give you some idea, MySpace is still more popular than Twitter, but good luck trying to find someone covering that.

Google Trends_ myspace, twitter

But, it’s not just searches on Twitter. If you look at their Compete.com numbers, you’ll see Facebook gets almost 6 times as many unique visitors and almost 20 times as many visits.

FarmVille > Twitter

If you haven’t started to rethink the power of Twitter, then here’s something that should get you thinking. FarmVille, an MMO game on Facebook, has more active users by itself than Twitter has members. Check it out:

FarmVille-info farmville-logo

Looking at FarmVille’s info box on their main app page, we can see they have over 83 million active users. Active, not total installs!

By contrast, RJ Metrics reports that Twitter had only 75 million cumulative users by January of 2010, as seen in the graph below.

twitter-cumulative-users

They also report that Twitter is adding fewer and fewer users every month, which is represented with the graph below:

twitter-new-users

That would make Twitter’s current user base today somewhere over 80 million users, giving FarmVille the slight edge.

MMOs > Status Updates

The biggest take-away from this is not just that Facebook is bigger than Twitter, but that the interactivity made possible by the robust platform that is Facebook enables things like an MMO such as FarmVille to be bigger than Twitter. Now, don’t get me wrong, I love Twitter! We just need to keep it in perspective, so we don’t act like media sheep giving Twitter more attention than it deserves.

If you really want to have your mind blown, watch the video from Jesse Schell, who first tipped me off that FarmVille was bigger than Twitter. He goes on to share a vision of where the convergence of gaming, social, and mobile will take us.



Mar. 4 2010 — 3:40 pm | 757 views | 0 recommendations | 0 comments

Why Webtrends now measures Facebook [video]


About

webtrends
Webtrends is a customer intelligence company that turns data into understanding. Founders of the web analytics industry in 1993, we crunch the numbers our customers care about — on their web sites, blogs, SEM campaigns, you name it — to uncover business trends and competitive advantage. Our philosophy of Open Exchange guides the development of our technology and the way we run our business. We believe in the free flow of data among systems, transparency with our customers and collective problem solving with our partners. We succeed when our customers and partners do first.


Our Contributors

Robin Cangie
Followers: 28
Contributor Since: December 2009
Location: Portland, OR
