[chc]

For everyone talking about JavaScript: As far as I can tell, this is fundamentally a CSS vulnerability. Something quite similar ought to be possible without JavaScript — it would just be a bit less elegant. For example, you could just make a pixel grid of divs to simulate mousemove events and position the fake cursor with CSS hover styles.

[jonny_eh]

Sounds plausible (and I'd love to see an example!), but would hardly be worth the effort if JS would catch 99% of the victims.

[jackshepherd]

Actually just CSS won't work in this case - because the Facebook Like button is within an iFrame. This works because Javascript cycles show/hide a transparant div above the Like button.