Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 14th, 2010

Facebook Users Can Be Forced Into Liking Arbitrary Pages Through Clickjacking

A security researcher has discovered a vulnerability which can be used to force Facebook users into liking arbitrary pages. The type of attack is known as clickjacking and does not require any form of user confirmation.

The Facebook “Like” button allows users to share content they find interesting on the Web. The feature is meant to allow users with similar interests to easily find and connect to each other on the social networking website. The button can be integrated by webmasters into any page on their website via a special IFrame.

The bug was discovered by a 21-year-old student named Eric Kerr who documented it on his blog. Successful exploitation results in arbitrary content being added to the user’s Facebook News Feed, and at the time of writing this article the flaw was still active.

Kerr explains that a bug in the implementation allows potential attackers to trick users into Liking malicious pages without even knowing it. This can be accomplished by hiding the button on the page via CSS and attaching it under the mouse cursor using a bit of JavaScript.

In this way, regardless of where the user clicks on the page, they will always click on the “Like” button. The most important aspect of the attack is that it all happens transparently, without users seeing any warning that they are about to Like something.

This type of attack, known as clickjacking or user interface (UI) redressing, can be used to build so-called social networking worms – malicious messages that spread virally. The existence of such a vulnerability is worrying because Facebook scams abusing the Like functionality have been particularly active lately.
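The standard defence against UI redressing is to stop a page from being framed by origins the operator does not trust, which browsers enforce through the Content-Security-Policy frame-ancestors directive or, failing that, the X-Frame-Options header. The JavaScript below is an added example and is not code from the article, from Eric Kerr or from Facebook; it decides, for a captured response header set, whether a given origin would be allowed to frame the page, and it covers the edge cases a header scan tends to get wrong: frame-ancestors overriding X-Frame-Options, conflicting X-Frame-Options values, and the obsolete ALLOW-FROM form that current browsers ignore. Origins are passed as plain strings, header names are assumed lowercased, and frame-ancestors source matching is simplified (no ports or paths); all sample headers and host names are constructed.

```javascript
// Added example, not code from the article or from Facebook: decide whether
// a response may be framed by a given origin, applying the two anti-framing
// controls browsers enforce against clickjacking. CSP frame-ancestors wins
// when present; otherwise X-Frame-Options applies. Origins are strings such
// as "https://shop.example"; every sample value below is constructed.

// Split a Content-Security-Policy value into a directive -> source-list map.
// Only the first occurrence of a directive counts, as in the CSP spec.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Simplified frame-ancestors source matching (assumption of this example:
// ports and paths are not modelled). Handles 'none', 'self', '*', scheme-only
// sources such as https:, exact hosts and *.host wildcards.
function sourceMatches(src, framer, page) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framer === page;
  if (s === '*') return true;
  const f = new URL(framer);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return f.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && f.protocol !== `${scheme}:`) return false;
  // A *.host wildcard matches subdomains only, never the apex host itself.
  return wildcard ? f.hostname.endsWith(`.${host}`) : f.hostname === host;
}

// headers: object keyed by lowercase header name. Returns which control
// decided the outcome so a scan report can explain itself.
function framingDecision(headers, pageOrigin, framerOrigin) {
  const page = pageOrigin.toLowerCase();
  const framer = framerOrigin.toLowerCase();

  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp).get('frame-ancestors');
    if (ancestors) {
      // With frame-ancestors present, X-Frame-Options is ignored entirely.
      const allowed = ancestors.some((src) => sourceMatches(src, framer, page));
      return { framable: allowed, control: 'frame-ancestors' };
    }
  }

  const xfo = headers['x-frame-options'];
  if (xfo === undefined) return { framable: true, control: 'none' };
  // Repeated headers arrive comma-joined; disagreeing values block framing
  // (the HTML spec treats more than one unique value as a denial).
  const values = [...new Set(xfo.split(',').map((v) => v.trim().toLowerCase()).filter(Boolean))];
  if (values.length > 1) return { framable: false, control: 'x-frame-options conflict' };
  if (values[0] === 'deny') return { framable: false, control: 'x-frame-options' };
  if (values[0] === 'sameorigin') return { framable: framer === page, control: 'x-frame-options' };
  // Anything else, including the obsolete ALLOW-FROM, is not a recognised
  // directive: current browsers ignore the header, leaving the page framable.
  return { framable: true, control: 'x-frame-options ignored' };
}

// Constructed responses a site operator might see in a header scan.
const PAGE = 'https://shop.example';
const SAMPLES = [
  { name: 'no header', headers: {} },
  { name: 'deny', headers: { 'x-frame-options': 'DENY' } },
  { name: 'sameorigin', headers: { 'x-frame-options': 'SAMEORIGIN' } },
  { name: 'obsolete allow-from', headers: { 'x-frame-options': 'ALLOW-FROM https://partner.example' } },
  { name: 'conflicting', headers: { 'x-frame-options': 'DENY, SAMEORIGIN' } },
  { name: 'csp overrides xfo', headers: {
      'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
      'x-frame-options': 'DENY' } },
];

for (const { name, headers } of SAMPLES) {
  for (const framer of ['https://shop.example', 'https://widgets.partner.example', 'https://other.example']) {
    const d = framingDecision(headers, PAGE, framer);
    console.log(`${name.padEnd(20)} framed by ${framer.padEnd(32)} -> ${d.framable ? 'FRAMABLE' : 'blocked'} (${d.control})`);
  }
}
```

Note the limit of this control: the Like button is designed to be embedded by third-party sites, so the widget itself cannot carry a frame-ancestors or X-Frame-Options restriction without breaking its purpose. Anti-framing headers protect the pages a site does not want framed; an embeddable widget has to rely on other measures, such as requiring an explicit confirmation before a click takes effect.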

“More advanced versions might use cookies to detect when a user is returning so they can actually use the site after presumably clicking the like button. Other modifications might include detection on when a user clicks the invisible iframe so it is removed without the user knowing and browsing returns to normal,” Eric Kerr warns.

Credit: News
