Slashdot Mirror


Clickjacking Worm Exploits Facebook "Like" Feature

An anonymous reader writes "For the last 24 hours, a series of attacks have exploited Facebook's 'Like' feature through a clickjacking vulnerability. Using subjects such as 'This Girl Has An Interesting Way Of Eating A Banana, Check It Out!' hackers have spread an attack that links to web pages that use invisible iFrames to trick users into saying they like the content. Users are presented with an innocent-seeming web page that says 'Click here to continue,' but clicking at any point on the page publishes the same message to their own Facebook page. Security blogger Graham Cluley says that hundreds of thousands of Facebook users have been hit, and offers advice on how to clean up affected Facebook profiles."


  1. NoScript, by SlashDPC (Score: 4, Informative)

    Thank you NoScript for stopping this for me. I knew it looked "phishy."

    1. Re:NoScript, by bwcbwc (Score: 4, Informative)

      Better yet, use NoScript's ABE facility to block any non-Facebook web page from loading a Facebook page or API. From http://noscript.net/abe/:

      # This one allows Facebook scripts and objects to be included only
      # from Facebook pages
      Site .facebook.com .fbcdn.net
      Accept from .facebook.com .fbcdn.net
      Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

      --
      We are the 198 proof..
  2. Re:8===D O: == Muhammad, by DeadPixels (Score: 4, Informative)

    The real problem isn't so much an exploit as it is that Facebook's platform for cross-site publishing is basically broken. They allow any site to act as the user with no confirmation other than a click, which, as we've seen, is easy to get via an invisible iFrame that follows the mouse. Aside from revamping the way they handle "Likes" and other such things on other sites, there's not much they can do to "fix" it.