News | 12/26/2018

User Account Timeline Manipulation overlooked by Facebook!


A Polish security researcher and analyst with the Twitter username ‘Lasq’ revealed that the social media giant Facebook is affected by a clickjacking bug that automatically adds spam links to a Facebook user’s wall. The researcher discovered a technique used by miscreants and reported it to the company through its bug bounty program.


According to sources, the ongoing spam campaign on Facebook is likely to persist, as Facebook has declined to treat the clickjacking bug as a security issue because it does not alter the state of the account.

Behavior of Clickjacking Bug

The Polish security expert began analyzing the spam campaign on Facebook after he noticed that many of his friends had posted a link to a website with amusing pictures. Facebook users had to confirm that they were at least 16 years old before they could access the humorous content.


Once the user clicks the button, he is redirected to a page with amusing and comic content and a lot of ads. Meanwhile, the link he just clicked appears on his Facebook wall.



The researcher decided to investigate further after finding an iframe tag in the page source. He also found that the iframe contained various links and a URL for sharing content on Facebook.


Lasq tested this suspicious iframe tag in popular browsers such as Chrome, Edge, Internet Explorer and Firefox and found that every browser raised an X-Frame-Options error. On mobile phones, however, this error was completely ignored. It seems the vulnerability resides in the Facebook app for Android; the X-Frame-Options header is what tells the browser whether web pages may be loaded in iframes.


Spammers used disastrous methods to target mobile Facebook users in France and access the Share dialog button, thus permitting the miscreants to publish a link on the victim’s Facebook Timeline without consent.


This type of attack is referred to as clickjacking, which consists of loading a web page in an invisible iframe sitting atop the enticing site. All that users can see is the decoy, but their interaction is with the objects in the invisible layer.
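The framing check that the desktop browsers applied, as an added example that is not code from the article, the researcher or Facebook: it models how a standards-conforming browser decides from the response headers whether an embedding origin may frame a page. The origins, header values and function names are constructed for illustration, and the matcher covers only one level of framing and http(s) host sources. A client that skips this decision, as the article reports for mobile, renders the frame regardless of what the server sends.

```javascript
// Added example (not from the article). Models how a standards-conforming
// browser decides whether `embedder` may frame a page served from `self`.
// Simplified: one level of framing, one CSP header, http(s) host sources only.

function parseFrameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive not present
}

function sourceMatches(source, embedder, self) {
  if (source === "'none'") return false;
  if (source === "'self'") return embedder === self;
  if (source === "*") return true;
  const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) return false; // source form outside this simplified matcher
  const e = new URL(embedder);
  if (e.protocol !== m[1].toLowerCase() + ":" || e.port !== "") return false;
  const host = m[3].toLowerCase();
  // "*.host" matches subdomains only, never the bare host itself.
  return m[2] ? e.hostname.endsWith("." + host) : e.hostname === host;
}

function mayFrame(headers, self, embedder) {
  const ancestors = parseFrameAncestors(headers["content-security-policy"]);
  if (ancestors !== null) {
    // frame-ancestors, when present, replaces X-Frame-Options entirely.
    const allowed = ancestors.some((s) => sourceMatches(s, embedder, self));
    return { allowed, decidedBy: "csp frame-ancestors" };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN")
    return { allowed: embedder === self, decidedBy: "x-frame-options" };
  // ALLOW-FROM is obsolete and, like any unknown value, is ignored.
  return { allowed: true, decidedBy: xfo ? "ignored x-frame-options value" : "no policy" };
}

// Constructed sample: a decoy page tries to frame a share dialog.
const SELF = "https://social.example";
const DECOY = "https://decoy.example";
console.log(mayFrame({ "x-frame-options": "DENY" }, SELF, DECOY));
console.log(mayFrame({ "content-security-policy": "frame-ancestors 'self'" }, SELF, DECOY));
```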

Facebook’s reaction to the post

After thoroughly searching Facebook’s documentation, the researcher found that enabling the “mobile_iframe” parameter opens the Share dialog frame on top of the user’s website.


Facebook reacted immediately to the post but dismissed the clickjacking bug and did not address the exact problem, saying that it cannot be considered a security issue as long as it does not affect an account’s integrity.


The researcher further added that this feature can be vastly abused by spammers to trick Facebook users into unwillingly sharing objects on their Facebook walls.
