A Polish security researcher and analyst who uses the Twitter handle 'Lasq' revealed that the social media giant Facebook is affected by a clickjacking bug that automatically adds spam links to a Facebook user's wall. The researcher discovered the technique being used by miscreants and submitted a report to the company through its bug bounty program.
According to the sources, the ongoing spam campaign on Facebook seems set to have a prolonged life, as Facebook has declined to treat the clickjacking bug as a vulnerability because it does not alter the state of the account.
The Polish security expert began to analyze the spam campaign on Facebook after he observed that many of his friends had shared a link to a website with amusing pictures. Facebook users had to confirm that they were at least 16 years old before they could access the humorous content.
Once the user clicks the button, he is redirected to a page with amusing and comic content and a lot of ads. Meanwhile, the same link the user just clicked appears on his Facebook wall.
The researcher was determined to investigate further after he detected an iframe tag in the page's source. He also found that the iframe contained various links and URLs for sharing content on Facebook.
Lasq tested this suspicious iframe with popular browsers such as Chrome, Edge, Internet Explorer and Firefox and found that every browser threw an X-Frame-Options error. On mobile phones, however, this error was completely ignored. The vulnerability appears to reside in the Facebook app for Android, whose job it is to tell the browser whether web pages may be loaded in iframes.
Spammers used this damaging method to target mobile Facebook users in France, gaining access to the Share dialog button and thereby publishing a link on the victim's Facebook timeline without his consent.
This type of attack is referred to as clickjacking: it consists of loading a web page in an invisible iframe sitting on top of an enticing decoy site. All the user sees is the decoy, but the clicks actually go to the objects in the hidden layer.
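The two passages above turn on whether a client honours the anti-framing headers a server sends. The following is an added example, not code from the article or from Facebook: it classifies a response's X-Frame-Options and CSP frame-ancestors headers, and the `honour_xfo` flag models a client that ignores X-Frame-Options, as the article reports for the Android app. The sample header sets are constructed.

```python
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as header names are on the wire."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_policy(headers: Dict[str, str], honour_xfo: bool = True) -> str:
    """Classify a response as 'blocked', 'same-origin', 'restricted' or 'frameable'.

    CSP frame-ancestors takes precedence over X-Frame-Options when both are
    present. With honour_xfo=False the client ignores X-Frame-Options, so a
    page protected only by that header is reported as frameable.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            if sources == ["none"] or not sources:  # empty list matches no origin
                return "blocked"
            if sources == ["self"]:
                return "same-origin"
            return "restricted"
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None and honour_xfo:
        value = xfo.strip().lower()
        if value == "deny":
            return "blocked"
        if value == "sameorigin":
            return "same-origin"
        # ALLOW-FROM is obsolete and ignored by current browsers: no protection.
    return "frameable"


# Constructed sample responses: one hardened page and one with no anti-framing headers.
HARDENED = {"Content-Type": "text/html", "X-Frame-Options": "DENY",
            "content-security-policy": "default-src 'self'; frame-ancestors 'none'"}
UNPROTECTED = {"Content-Type": "text/html"}
```

Running `framing_policy({"X-Frame-Options": "SAMEORIGIN"}, honour_xfo=False)` returns `"frameable"`, which is the gap the article describes: a page that every desktop browser refuses to frame is embeddable in a client that ignores the header.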
After a thorough search of Facebook's documentation, the researcher found that enabling the "mobile_iframe" parameter opens the Share dialog in a frame on top of the user's website.
Facebook reacted to the report immediately but dismissed the clickjacking bug without addressing the underlying problem, saying it cannot be considered a security issue as long as it does not affect an account's integrity.
The researcher further noted that this feature can be widely abused by spammers to trick Facebook users into unwittingly sharing objects on their Facebook wall.