2018 hasn’t been easy on Facebook. The social platform has been through some dramatic data and security breaches that affected millions of its users. Facebook also experienced several drops on the stock market.
It is interesting to note that Facebook’s biggest drop of the year occurred on July 26, one day after hitting its peak of $217.50.
Clickjacking Bug in the Mobile Version of Facebook’s Sharing Pop-Up Discovered
In addition to the privacy scandals, Facebook has also been targeted by threat actors, with malware campaigns successfully exploiting the network and its users. To top all that off, a security researcher known as Lasq has just published proof-of-concept code for creating a fully functional Facebook worm. The PoC code is based on a specific security vulnerability residing in the mobile version of the Facebook sharing pop-up. Fortunately, the desktop version of the platform is not affected.
According to the researcher, a clickjacking vulnerability exists in the mobile sharing dialog that can be exploited via iframe elements. It is important to note that the flaw has already been abused in real-world attacks by a group of hackers that distributes spam. The group has been posting spam links on the walls of Facebook users.
Lasq wrote about “this very annoying SPAM campaign on Facebook, where a lot of my friends published a link to what seemed like a site hosted on AWS bucket” in a blog post. The link was to a French site with comics, he added. What happened next?
After you clicked on the link, the site hosted on an AWS bucket appeared. It asked you to verify (in French) that you were 16 or older in order to access the restricted content. After you clicked on the button, you were indeed redirected to a page with a funny comic (and a lot of ads). However, in the meantime the same link you had just clicked appeared on your Facebook wall.
Lasq believes that all of this is possible because Facebook omits the X-Frame-Options security header on the mobile sharing dialog. Websites send this header to prevent their pages from being loaded inside iframes on other sites, which is a crucial protection against clickjacking attacks.
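The anti-framing check the previous paragraph describes can be automated on the defender's side. The following is an added example, not code from the article or from Lasq's research: it takes a response's headers and decides whether the page could be embedded in an iframe by a given embedding origin, honouring both X-Frame-Options and the Content-Security-Policy frame-ancestors directive (which browsers apply in preference to X-Frame-Options when both are present). All header sets and origins in it are constructed for illustration; the article does not reproduce the headers Facebook actually served.

```python
"""Decide whether an HTTP response allows itself to be framed.

Added example (not from the original article or from Lasq's PoC). Reads the
X-Frame-Options header and the CSP frame-ancestors directive and reports
whether a page served with those headers can be embedded by `embedder_url`.
All header sets and origins used below are constructed for illustration.
"""
from urllib.parse import urlsplit


def _origin(url):
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _matches_source(source, embedder, page):
    """Match one frame-ancestors source expression against the embedder origin."""
    src = source.strip().lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == page
    if src == "*":
        return True
    # host-source, optionally with a scheme and a leading wildcard label,
    # e.g. https://*.partner.test
    emb_scheme, emb_host = embedder.split("://", 1)
    if "://" in src:
        scheme, host = src.split("://", 1)
        if scheme != emb_scheme:
            return False
    else:
        host = src
    if host.startswith("*."):
        return emb_host.endswith(host[1:])  # "*.partner.test" -> ".partner.test"
    return emb_host == host


def framing_allowed(headers, page_url, embedder_url):
    """Return (allowed, reason) for embedding page_url from embedder_url.

    `headers` maps response header names to values (looked up case-insensitively).
    A CSP frame-ancestors directive takes precedence over X-Frame-Options.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page = _origin(page_url)
    embedder = _origin(embedder_url)

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            if any(_matches_source(s, embedder, page) for s in parts[1:]):
                return True, "CSP frame-ancestors permits this embedder"
            return False, "CSP frame-ancestors blocks this embedder"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        if embedder == page:
            return True, "X-Frame-Options: SAMEORIGIN, same-origin embedder"
        return False, "X-Frame-Options: SAMEORIGIN blocks cross-origin embedder"
    if xfo.startswith("ALLOW-FROM"):
        # Legacy directive that current browsers ignore: treat as no protection.
        return True, "X-Frame-Options: ALLOW-FROM is ignored by current browsers"
    if xfo:
        return True, f"unrecognised X-Frame-Options value {xfo!r}, treated as absent"
    return True, "no anti-framing header: page can be framed by any origin"


if __name__ == "__main__":
    # Constructed scenarios: a share dialog served without any header (the
    # situation the article describes) versus the same dialog with protection.
    dialog = "https://m.example-social.test/sharer"
    attacker = "https://attacker-bucket.example"
    scenarios = {
        "no header": {},
        "DENY": {"X-Frame-Options": "DENY"},
        "SAMEORIGIN": {"X-Frame-Options": "SAMEORIGIN"},
        "CSP self only": {"Content-Security-Policy": "frame-ancestors 'self'"},
    }
    for name, hdrs in scenarios.items():
        allowed, why = framing_allowed(hdrs, dialog, attacker)
        print(f"{name:14} framable={allowed!s:5} ({why})")
```

Run against a real response (for instance the headers returned by `requests.head(url).headers`), a result of `True` for a cross-origin embedder on any page that performs a state-changing action on click is the finding to raise; adding `X-Frame-Options: DENY` or `Content-Security-Policy: frame-ancestors 'none'` to that response is the fix.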
The researcher indeed spotted a suspicious iframe tag, which “smelled of clickjacking”. The frame led to another AWS-hosted page, which led to another, which finally led to a Facebook URL. Lasq contacted Facebook to inform them about the problem, but they declined to address it:
As expected, Facebook declined the issue, despite me trying to underline that this has security implications. They stated that for the clickjacking to be considered a security issue, it must allow an attacker to somehow change the state of the account (so, for example, disable security options or remove the account).
Lasq, on the other hand, believes that Facebook should take the issue seriously and issue a patch, because the “feature can be extremely easily abused by an attacker to trick Facebook users to unwillingly share something on their wall”. The technique can be abused in many other ways, not only for distributing spam, the researcher stressed: it could be used to deliver self-propagating malware and phishing campaigns via spam messages.