- The worm’s code is being used by a group of spammers to exploit a vulnerability in the Facebook platform and post spam on users’ Facebook walls.
- The vulnerability in question results in clickjacking and resides only in the mobile version of the Facebook sharing dialog/popup.
A proof-of-concept that could be used to create a Facebook worm was recently published online. Anyone looking to target users on Facebook could use the worm to spread malware and perform other nefarious activities.
Facebook worm’s capabilities
A Polish security researcher, who goes by the pseudonym Lasq on Twitter, observed that the worm code is being used by a group of spammers to exploit a vulnerability in the Facebook platform and post spam on users’ Facebook walls. The vulnerability in question results in clickjacking and resides only in the mobile version of the Facebook sharing dialog/popup.
“So, yesterday there was this very annoying SPAM campaign on Facebook, where a lot of my friends published a link to what seemed like a site hosted on AWS bucket. It was some link to a french site with funny comics, who wouldn't click it right?” Lasq said in a blog.
Explaining the aftermath of clicking on the spam link, Lasq wrote, “After you clicked on the link, the site hosted on AWS bucket appeared. It asked you to verify if you are 16 or older (in French) in order to access the restricted content. After you clicked on the button, you were indeed redirected to a page with a funny comic (and a lot of ads). However, in the meantime, the same link you just clicked appeared on your Facebook wall. How is this possible?”
Lasq said that Facebook ignored the ‘X-Frame-Options’ security header for the mobile sharing dialog and this caused the clickjacking attacks.
Facebook ignores the issue
Although the issue was reported to Facebook, the company has declined to fix the problem.
“As expected Facebook declined the issue, despite me trying to underline that this has security implications. They stated that for the clickjacking to be considered a security issue, it must allow an attacker to somehow change the state of the account (so for example disable security options, or remove the account),” said Lasq.
The researcher argued that the company needs to take the issue seriously as this technique could allow hackers to easily propagate messages containing malware or phishing sites.
“In my opinion they should fix this. As you can see this 'feature' can be extremely easily abused by an attacker to trick Facebook users to unwillingly share something on their wall. I cannot stress enough how dangerous this is. This time it was only exploited to spread spam, but I can easily think of much more sophisticated usage of this technique,” Lasq added.
Responding to ZDNet on the issue, Facebook’s spokesperson said that the company is continuously working on improving the detection of clickjacking attack.
“To help prevent abuse, we use clickjacking detection systems for any iframeable plugin product. We continuously improve these systems based on signals we observe. Independently of this report, earlier this week we made improvements to our clickjacking detections that mitigate the risks described in the researcher's report,” said the spokesperson, ZDNet reported.