Clickjacking Worm Exploits Facebook "Like" Feature

An anonymous reader writes "For the last 24 hours, a series of attacks have exploited Facebook's 'Like' feature through a clickjacking vulnerability. Using subjects such as 'This Girl Has An Interesting Way Of Eating A Banana, Check It Out!' hackers have spread an attack that links to web pages that use invisible iFrames to trick users into saying they like the content. Users are presented with an innocent-seeming web page that says 'Click here to continue,' but clicking at any point on the page publishes the same message to their own Facebook page. Security blogger Graham Cluley says that hundreds of thousands of Facebook users have been hit, and offers advice on how to clean up affected Facebook profiles."

30 of 124 comments

  1. Link? by Ecuador · · Score: 5, Funny

    I hate posts without proper links...
    So, who will post the direct link to the girl with an interesting way of eating a banana?

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    1. Re:Link? by DeadPixels · · Score: 3, Informative

      Warning: This is a clickjacking attempt, obviously, so copy/paste the URL only if you want to see it for yourself. NoScript blocks it for me.

      http://www.mprosperstats.info/bananalike/index.htm?ref=search&sid=dpf-GrMT3GTEEuQTlotyMg.3788977952..1

    2. Re:Link? by alvinrod · · Score: 2, Interesting

      You fool, there is no girl eating a banana. It was all a ruse, a nasty trick designed to play on your insatiable curiosity for the bizarre!

      I know because I tried clicking on it :(

      Reminds me of this bash.org quote.

    3. Re:Link? by Low+Ranked+Craig · · Score: 3, Funny

      The banana is a lie!

      --
      I still cannot find the droids I am looking for...
    4. Re:Link? by Dogtanian · · Score: 2, Informative

      Reminds me of this bash.org quote.

      That's a great quote, so I kind of feel like a bastard for spoiling it, but... P2P programs generally recognise identical files by their hash value; so if the guy simply renamed some files that were already out there under their original name, they'd have used his copy for certain parts, even if people didn't search under it for that name.

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    5. Re:Link? by Anonymous Coward · · Score: 2, Informative

      Probably NSFW depending how uptight your boss is:
      http://www.youtube.com/watch?v=It7cHFyms0Q

  2. I was afraid to click the link... by Robin47 · · Score: 3, Funny

    after that article.

    1. Re:I was afraid to click the link... by Flea+of+Pain · · Score: 3, Informative

      Flea of Pain like this.

      --
      Do not argue with an idiot. He will drag you down to his level and beat you with experience.
  3. caterpillar by kervin · · Score: 3, Insightful

    Why does the Slashdot section on worms have a picture of a crawling caterpillar?

    1. Re:caterpillar by WrongSizeGlass · · Score: 4, Funny

      Why does the Slashdot section on worms have a picture of a crawling caterpillar?

      They do it just to bug people ;-)

    2. Re:caterpillar by maxume · · Score: 2, Informative

      If it helps, those are often called inchworms.

      --
      Nerd rage is the funniest rage.
  4. NoScript by SlashDPC · · Score: 4, Informative

    Thank you NoScript for stopping this for me. I knew it looked "phishy."

    1. Re:NoScript by bwcbwc · · Score: 4, Informative

      Better yet, use NoScript's ABE facility to block any non-Facebook web page from loading a Facebook page or API. From http://noscript.net/abe/ :

      # This one allows Facebook scripts and objects to be included only
      # from Facebook pages
      Site .facebook.com .fbcdn.net
      Accept from .facebook .fbcdn.net
      Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

      --
      We are the 198 proof..
    2. Re:NoScript by Anonymous Coward · · Score: 4, Interesting

      Here's the line from my unbound.conf that solves all Facebook related problems for me:
      local-zone: "facebook.com." static
      followed by no local-data lines.
      I see "address not found" error messages on lots of web pages: Facebook iframes are freaking everywhere. No more.

    3. Re:NoScript by snl2587 · · Score: 2, Interesting

      Reason #1 why I refuse to switch to Chrome.

    4. Re:NoScript by smcn · · Score: 2, Informative

      A similar technique for Privoxy users can be found here: http://bmearns.net/wwk/view/Privoxy

      By default it only stops cookies. At the bottom of the page it is explained how to block all Facebook access from third party sites.

  5. Advice by whisper_jeff · · Score: 3, Insightful

    Graham Cluley ... offers advice on how to clean up affected Facebook profiles

    Here. I'll offer the simplest advice you can get: Stop clicking on stupid shit.

    Just by doing that, internet/computer security would be vastly improved. Once all of our moms and computer-illiterate uncles learn that one little gem, we'll be a long ways towards solving most of the computer-related security issues. Of course there are steps after that to really nail down security but, until people stop clicking on stupid shit, we're fighting a losing battle.

    1. Re:Advice by gEvil+(beta) · · Score: 2, Funny

      Here. I'll offer the simplest advice you can get: Stop clicking on stupid shit.

      I can't wait till a link from the Idle section turns out to be serving up malware...

      --
      This guy's the limit!
    2. Re:Advice by Anonymous Coward · · Score: 3, Insightful

      The thing about click jacking is you don't have to click on stupid shit. You could be clicking on something entirely legitimate, or so you think.

    3. Re:Advice by bfields · · Score: 5, Insightful

      Here. I'll offer the simplest advice you can get: Stop clicking on stupid shit.

      Just by doing that, internet/computer security would be vastly improved.

      Eh. The scammers use "stupid shit" as the bait because that's what works. If "intelligent shit" started attracting the most clicks, they'd start using that instead.

      Once a single mouse click on an infected link is enough to propagate the link, it's already game over--the choice of bait is a detail.

    4. Re:Advice by WrongSizeGlass · · Score: 4, Insightful

      Eh. The scammers use "stupid shit" as the bait because that's what works. If "intelligent shit" started attracting the most clicks, they'd start using that instead.

      You mean "This New Intel CPU Has A Great New Hologram! Check It Out!" won't work?

    5. Re:Advice by vlm · · Score: 5, Funny

      Eh. The scammers use "stupid shit" as the bait because that's what works. If "intelligent shit" started attracting the most clicks, they'd start using that instead.

      OK I'm all confused now. Just answer the question, is "Why Apple Is So Sticky" safe to click on or not?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    6. Re:Advice by Phroggy · · Score: 4, Insightful

      Sometimes, stupid things are funny. I don't live in a bubble, and if my friends think something stupid is funny or interesting, I want to see it, because I care about what my friends think and because I find value in sharing an experience and because it might actually be worth my time.

      I don't have to use Facebook, but it's how a lot of my friends choose to communicate, and my social life is healthier because of it. Many of them aren't geographically close enough to see them in person often, and those that are don't always have a compatible schedule, so Facebook allows me to stay in contact with people I wouldn't otherwise be able to (indeed, I've reconnected with people on Facebook that I haven't seen in over a decade, who are on the other side of the globe).

      I think it's reasonable to expect that when I click a link to a web page, nothing bad should happen to me. In fact, nothing did happen - I'm not sure if that's because Facebook has already blocked this, or my browser has built-in security measures in place to prevent it, or (more likely) the exploit failed due to some bug or incompatibility. I looked at the HTML, saw what it was trying to do, saw that it was malicious, and went no further. That's how I WANT things to work.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    7. Re:Advice by Khyber · · Score: 3, Interesting

      "P.S: Do we have to remind people that this shit work only on M$ platform?"

      iFrame malware isn't *JUST* a Windows issue. Think harder next time.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  6. Re:StoneLion by tomhudson · · Score: 3, Interesting

    If you click on his name, it shows he's one of those social media guys. "Slight" would be an understatement, and understandably - it's his job.

    Plus, Facebook is in the news for its privacy screw-ups. They have less than 3 months left in their deal with the Canadian government to bring their site into compliance with Canadian law (which is what got the whole "Facebook has a privacy problem" thing going 9 months ago, and got other governments to then launch similar probes).

  7. Fix is right here by vlm · · Score: 3, Informative

    and offers advice on how to clean up affected Facebook profiles.

    No problemo, just click right here:

    http://www.facebook.com/group.php?gid=16929680703

    The title is "How to permanently delete your facebook account." Or, is it?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  8. Re:8===D O: == Muhammad by DeadPixels · · Score: 4, Informative

    The real problem isn't so much an exploit as it is that Facebook's platform for cross-site publishing is basically broken. They allow any site to act as the user with no confirmation other than a click, which as we've seen is easy to get via an invisible iFrame that follows the mouse. Aside from revamping the way they handle "Likes" and other such things on other sites, there's not much they can do to "fix" it.
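    DeadPixels' point, that a widget meant to be embedded on any site cannot refuse to be framed, is exactly what the browser anti-framing headers are about. The checker below is an added example, not code from the thread or from Facebook: it takes the response headers a page sends and decides whether a browser would let a page at a given embedding origin put it in an iframe. Header values and origins in it are constructed, default ports are not normalised, and 'none' is honoured wherever it appears in the source list.

```javascript
// Added example (not from the Slashdot thread): a framing-policy checker.
// Given the response headers a page sends, decide whether a browser would let
// a page at `embedderOrigin` load it in an iframe. A widget that must be
// framable by arbitrary third-party sites, as a cross-site "Like" button is,
// cannot deny framing this way, so a confirmation step is its remaining defence.
// Simplifications: default ports are not normalised, and 'none' is honoured
// wherever it appears in the source list.
function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?$/i.exec(origin);
  if (!m) throw new Error("not an origin: " + origin);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || "" };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does one CSP frame-ancestors source expression match the embedding origin?
function sourceMatches(src, page, emb) {
  src = src.toLowerCase();
  if (src === "'self'") return sameOrigin(page, emb);
  if (src === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return emb.scheme === src.slice(0, -1);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme ? scheme !== emb.scheme : !/^https?$/.test(emb.scheme)) return false;
  if (wildcard ? !emb.host.endsWith("." + host) : emb.host !== host) return false;
  return !port || port === "*" || port === emb.port;
}

// Returns "deny", "allow" or "unprotected" (no anti-framing header at all).
function framingDecision(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const page = parseOrigin(pageOrigin), emb = parseOrigin(embedderOrigin);
  // A CSP frame-ancestors directive, when present, overrides X-Frame-Options.
  const directive = (h["content-security-policy"] || "")
    .split(";").map(d => d.trim()).find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    if (!sources.length || sources.some(s => s.toLowerCase() === "'none'")) return "deny";
    return sources.some(s => sourceMatches(s, page, emb)) ? "allow" : "deny";
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "deny";
  if (xfo === "SAMEORIGIN") return sameOrigin(page, emb) ? "allow" : "deny";
  return "unprotected";
}
```

A result of "unprotected" on a page that is not meant to be embedded is the condition a clickjacking page relies on; for a deliberately embeddable widget the result is "allow" by design and the check has to move to the click itself.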

  9. Yep, saw it last night. by dasunst3r · · Score: 3, Informative

    Out of curiosity, I opened the link in a separate browser without my Facebook login. It would then try to do a "security check" in which you have to answer a survey to prove that you're human. Being the smart Slashdotters we are, we know Captchas are how it's done. The main take-away: (1) Hover, look, and think before you click and (2) If the link goes outside Facebook, it is SPAM and should be reported.

  10. Re:8===D O: == Muhammad by RobVB · · Score: 3, Insightful

    There's something everyone can do to fix it for themselves, though: log off when you're done using Facebook. Of course, that makes it harder to tell your little friends about how you "heart" (sorry, Like) various things.

    --
    I'd rather you rationally disagree than irrationally agree.
  11. Re:8===D O: == Muhammad by hduff · · Score: 2, Insightful

    Much simpler to abandon security-plagued Facebook, the Windows 98 of social networking sites (myspace would be the Windows 95 equivalent).

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert