Now let's assume the malicious website owner might want to go one step further and determine the name of the person visiting the site. Assume that the visitor is logged into a social site such as Twitter, Facebook, Google+, etc. It is possible to create an invisible frame that is located under the cursor using the iframe command and then, when the visitor clicks anywhere on the web page, the invisible frame will execute an FB "Like" or a Google+ "+1" command. This is called "clickjacking." After tricking the user into taking this action, they can check on Twitter or Facebook to see "User X Followed you" or "User X liked Page Y." Now the unscrupulous web site knows the name of "User X."
Setting high privacy limits on social web sites helps, but is not a guarantee. Things on the web are always in flux and most people treat social websites as big parties and share all kinds of personal information, little suspecting just how many illegitimate uses can be made of that information.