Add to del.icio.us     Digg this

June 2, 2010

A security flaw on Facebook forced hundreds of thousands of the site's users to directly endorse a series of Web pages over the Memorial holiday weekend, making the social networking site the latest venue for broad hacker attacks known as clickjacking.

The security exploit works by presenting users with friend profiles that recommend links with titles including "WOW: This young girl gets owned after a police officer reads her status message."

Users who click on the link see a page that's blank except for the words "Click here to continue." Clicking anywhere on the page automatically forces the person to add the link to his list of favorites.

Clickjacking is a term that was coined in late 2008 by web application security researchers Jeremiah Grossman and Robert Hansen. It describes attacks that allow malicious site publishers to control the links visitors click on.

About all browsers are vulnerable, although some come with certain safeguards that can make exploitation harder, although they are far from being perfect.

For its part, Twitter was also attacked a few weeks ago by a series of clickjacking exploits that forced users to publish tweets against their own intention. The exploits stopped after Twitter technicians finally tightened down their site.

Facebook's technicians will undoubtedly follow suit, if they haven't already. But this isn't the first time Facebook has been hit by clickjacking; it also happened in February and last year in December.

The Facebook virus attack that hit over the Memorial Day weekend superimposes an invisible iFrame over the entire Web page that links back to the victim's Facebook page.

As a result of all of this, as long as the person is still logged in, his profile automatically recommends the link to new friends as soon as the page is clicked on.

We will keep you posted if we see other similar social sites with security vulnerabilities.

Add to del.icio.us     Digg this

Source: ISDR.

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.

Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.

You can link to the Internet Security web site as much as you like. Read our section on how your company can participate in our reciprocal link exchange program and increase your rankings in the major search engines such as
Google and all the others.