At times we become judgmental towards a site just by seeing the number of likes in its “Like” button. Well, do you know that the number displayed in that like button can be *genuinely* hacked? No, we’re not talking about displaying a fake number or adding fake likes; we’re talking about fiddling with that number so that Facebook thinks people have actually clicked that “Like” button. It’s just a simple XSS trick which indirectly gets Likes.
Apart from that, this trick is also a bit complicated, since you have to use different browsers for different purposes. Download and install Firefox and Chrome.
Before we even begin, let us warn you that doing this is a bad practice and it might get your website penalized by Google Panda, leaving you with a poor site reputation. The irony shouldn't go unnoticed. This trick doesn't increase the number of likes on a Facebook page, your status, or a pic you've uploaded; it only works on those small blue “Like” buttons that you see on random websites.
Let’s begin then. Open up your website, or any web page which has such a button, using Mozilla Firefox. There are two ways to find the URL of that “Like” button. You can simply copy the URL shown in the address bar (this might fail if there are many “Like” buttons on a single web page), but to be on the safe side and get the correct URL, right click on that “Like” button and then click on “This Frame” > “Show only this Frame” (use Firefox for this step). A page will load and its address bar will look something like this:
https://www.facebook.com/plugins/like.php?href=http://www.yourURLisTHIS.com/xx/xx/something.html&layout=button_count&show_faces=false&share=true&width=75&action=like&font=trebuchet+ms&colorscheme=light

In this URL you can spot the portion that you require: simply copy the part that comes after “https://www.facebook.com/plugins/like.php?href=” up till the next ampersand (&).
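For a site owner checking which page a Like-button frame is actually counting for, the same href can be read with a URL parser instead of by eye. This is an added example, not part of the original post; the function name and every sample URL except the article's placeholder are constructed for illustration.

```javascript
// Added example: read the counted page URL out of a like.php frame URL.
const PLUGIN_HOST = "www.facebook.com";
const PLUGIN_PATH = "/plugins/like.php";

// Returns { ok: true, target, layout } for a like.php frame URL,
// or { ok: false, reason } when the URL is not one or is malformed.
function likeButtonTarget(frameUrl) {
  let frame;
  try {
    frame = new URL(frameUrl);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // Exact host match, so a lookalike such as www.facebook.com.example.net fails.
  if (frame.protocol !== "https:" || frame.hostname !== PLUGIN_HOST ||
      frame.pathname !== PLUGIN_PATH) {
    return { ok: false, reason: "not a like.php plugin frame" };
  }
  // searchParams percent-decodes values, so an encoded href such as
  // http%3A%2F%2F... comes back as the readable page URL.
  const hrefs = frame.searchParams.getAll("href");
  if (hrefs.length !== 1) {
    return { ok: false, reason: `expected 1 href, found ${hrefs.length}` };
  }
  let page;
  try {
    page = new URL(hrefs[0]);
  } catch {
    return { ok: false, reason: "href is not an absolute URL" };
  }
  if (page.protocol !== "http:" && page.protocol !== "https:") {
    return { ok: false, reason: "href is not http(s)" };
  }
  return { ok: true, target: hrefs[0], layout: frame.searchParams.get("layout") };
}

// Constructed samples: the article's placeholder URL, an encoded href,
// and a lookalike host that must be rejected.
const samples = [
  "https://www.facebook.com/plugins/like.php?href=http://www.yourURLisTHIS.com/xx/xx/something.html&layout=button_count&show_faces=false",
  "https://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.com%2Fpost%3Fid%3D7%26ref%3Dhome&layout=button_count",
  "https://www.facebook.com.example.net/plugins/like.php?href=http://example.com/",
];
for (const s of samples) console.log(likeButtonTarget(s));
```

When the href is percent-encoded, cutting the text at the first ampersand leaves the encoded form, while the parser returns the decoded page URL including its own query string.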
Half of the process is done. Now open Google Chrome and log into your Facebook account. On your timeline click on status update and then type “Like this + the_URL_that_you_extracted” without the quotes. Wait a few seconds till Facebook fetches the web page details from the URL that you pasted in the status update box, and then post the status update while making sure to set the privacy as public for this post. Go to the newly posted status message; under your name there will be a time displayed, something like “2 mins ago” or maybe “a few seconds ago” or similar. Click on that time and another page will load where only your status update is shown.
On this page press “ctrl + shift + j” and a console will appear in the browser. The script is quite long, so you can get it from this link: http://pastebin.com/uW864VS4. Now paste the XSS script in this console and press enter. Some warning or error message will appear in the console; ignore that. A Facebook pop-up saying that the content is unavailable will also appear; ignore that as well. Now wait for 10-20 seconds and you will see that your friends are tagged on that post. Now go to the original location of that like button, i.e. the website where you saw it. The number of likes should be more now! You can repeat the step of pasting the script in the console many more times, and every time the number of likes should increase.
This vulnerability is easily exploited and not everyone knows this trick. There is a chance that your friends might un-friend you for infringing upon their privacy. I reported it to Facebook’s White Hat bug bounty program, but those guys rejected it saying that it’s a social engineering hack and they (Facebook) can’t do anything about it. I will not be responsible for what you do with this trick.
source : http://www.egyhacks.net/