The Clickjacking Bug that Facebook Won’t Fix [bleepingcomputer]

A security professional exposed to a spam campaign on Facebook discovered the method used by the perpetrator and submitted a report through the company’s bug bounty program. The issue still exists because Faceboook dismissed it on on the grounds that it does not change the state of the account.

Proof-of-concept code demonstrates how easy it would be for an app developer to distribute arbitrary links over Facebook.

Spam campaign piques interest

The expert started to analyze the spam campaign after noticing that many of their friends published a link to a website with funny pictures. Before reaching the chucklesome content, users had to declare that they were at least 16 years old.

“After you clicked on the button, you were indeed redirected to a page with funny comic (and a lot of ads). However in the meantime the same link you just clicked appeared on your Facebook wall,” the security boffin says in a blog post today.

An iFrame tag in the source page raised suspicions and determined researcher to investigate. He found that the iFrame contained multiple links as well as a URL for sharing content on Facebook.

The method used by the spammer targeted mobile Facebook users in France and gave access to the Share dialog button allowing the perpetrator to publish a link in the victim’s Timeline section without consent.

It looks like the web browser in Facebook app for Android ignores the X-Frame-Options response header, whose role is to tell the browser if it can load or not webpages in iFrames. On desktop browsers, though, the header responds as it should and denies loading the iFrame.

This type of attack is called clickjacking and it consists loading a web page into an invisible iFrame sitting atop the decoy site. All the user sees is the decoy, but the interaction is with objects on the invisible layer.

For more, click here.