Facebook is cleaning up after a clickjacking attack that
infiltrated the social networking site this week -- and security
experts say this won't be the last such attack.
Clickjacking, in which an attacker loads a legitimate Web page in an
invisible frame beneath decoy content so that a victim's click lands
on a control the attacker has chosen, is an emerging threat experts
have been warning about. The attack on Facebook took the form of a
comment on a user's account with a photo that lured the victim into
clicking on it. The embedded link took the victim to a Web page
styled as a CAPTCHA or Turing test, which asked the user to click a
blue "Share" button; that button was in fact Facebook's own "Share"
control, loaded from the Facebook page in a frame.
Once the button is clicked, the victim is redirected to a YouTube
video, and the same post appears on the victim's own account, where
it lures the victim's friends in turn. Security experts say the
attack appeared to be more of a prank or trial balloon, and it works
only in the Firefox and Chrome browsers, according to security expert
Krzysztof Kotowicz, who blogged about the attack this week.
Facebook has now blocked the URL to the malicious site, fb.59.to.
"This problem isn't specific to Facebook, but we're always working
to improve our systems and are building additional protections
against this type of behavior. We've blocked the URL associated
with this site, and we're cleaning up the relatively few cases
where it was posted -- something email providers, for example,
can't do," a Facebook spokesperson says.
Robert "RSnake" Hansen, CEO of SecTheory -- who, along with
Jeremiah Grossman, CTO of WhiteHat Security, warned the industry
about the threat of clickjacking more than a year ago -- says
Facebook and most other sites don't employ much anti-clickjacking
protection.
"This could be the beginning of a new wave of anti-Facebook
clickjacking worms," Hansen says. "This same concept has already
hit Twitter several times. It generally takes a few attacks for
companies like this to wake up and realize the problem doesn't
magically go away just by blocking one link."
But Facebook's spokesperson says the social networking site is also
"working against these attacks on a number of fronts," including
frame-busting ("deframing") scripts and the X-Frame-Options response
header. Hansen recommends employing both of these methods to combat
clickjacking.
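The X-Frame-Options header mentioned above is the server-side half of that defense: the victim site tells the browser not to render it inside a frame, which is exactly what the fake-CAPTCHA page described earlier relies on being able to do. The following is an added example, not code from the article, from Facebook, or from Kotowicz's post. It models the decision a browser makes when it receives a framed response carrying that header, following the WHATWG HTML algorithm for checking a response's adherence to X-Frame-Options, so candidate header values can be evaluated offline. The origins in it are constructed for the example (the facebook.com origin stands in for the framed target, and fb.59.to is the attack host the article names); the function names are the example's own.

```javascript
// Added example (not code from the article, Facebook, or Kotowicz's post).
// Models the browser-side check on the X-Frame-Options header of a framed
// response, following the WHATWG HTML "check a navigation response's
// adherence to X-Frame-Options" algorithm. Origins below are constructed.

// Split a raw X-Frame-Options header into a set of lowercase tokens.
// Browsers treat a comma-separated list as several values, which matters
// because conflicting values are handled differently from a single one.
function parseXFrameOptions(rawHeader) {
  if (rawHeader === undefined || rawHeader === null) return new Set();
  return new Set(
    String(rawHeader)
      .split(',')
      .map((v) => v.trim().toLowerCase())
      .filter((v) => v.length > 0),
  );
}

// Decide whether the browser will render a response inside a frame.
//   rawHeader:       the response's X-Frame-Options value, or undefined if absent
//   frameOrigin:     origin of the framed document (the site being clickjacked)
//   ancestorOrigins: origins of all enclosing documents, innermost first;
//                    an empty array means the document is top-level
// Returns true when framing is permitted.
function framingAllowed(rawHeader, frameOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true; // not framed: header irrelevant
  const opts = parseXFrameOptions(rawHeader);
  if (opts.size > 1) {
    // Several distinct values: any recognised keyword among them means refuse.
    return !(opts.has('deny') || opts.has('sameorigin') || opts.has('allowall'));
  }
  const [value] = opts; // undefined when the header is absent or empty
  if (value === 'deny') return false;
  if (value === 'sameorigin') {
    // Every ancestor must match, not only the top-level page, or an attacker
    // could nest a same-origin frame inside a cross-origin one.
    return ancestorOrigins.every((origin) => origin === frameOrigin);
  }
  // Absent or unrecognised values (a misspelling, or the obsolete ALLOW-FROM
  // in browsers that never supported it) are ignored: the page stays framable.
  return true;
}

// Walk the article's scenario: the attacker's page on fb.59.to frames the
// target and places its "Share" button under a fake CAPTCHA button.
// Returns, per candidate header, whether that attack page could load the target.
function attackPageCanFrameTarget(candidateHeaders) {
  const target = 'https://www.facebook.com'; // framed site (constructed origin)
  const attacker = 'http://fb.59.to';        // attack host named in the article
  const results = {};
  for (const [label, header] of Object.entries(candidateHeaders)) {
    results[label] = framingAllowed(header, target, [attacker]);
  }
  return results;
}

// Candidate headers a site might send, from no protection to the correct one.
const CANDIDATE_HEADERS = {
  none: undefined,               // no header: framable (the article's case)
  deny: 'DENY',                  // never framable
  sameorigin: 'SAMEORIGIN',      // framable only by the same origin
  misspelled: 'SAME-ORIGIN',     // typo: ignored by browsers, so still framable
  conflicting: 'DENY, ALLOWALL', // conflicting list: refused
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(attackPageCanFrameTarget(CANDIDATE_HEADERS));
}
```

The point worth taking from the `misspelled` case is that a malformed header fails open: the browser silently ignores it and the page is as framable as if nothing had been sent, so the header value needs to be checked in a response, not just in configuration. The frame-busting script the article also names is the client-side counterpart, and current browsers additionally honour the Content-Security-Policy `frame-ancestors` directive, which supersedes X-Frame-Options where both are present.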
The clickjacking concept is really nothing new, but Hansen and
Grossman last year discovered a variant that spans browser families
and doesn't even require the user to click on anything. Merely
loading a compromised page sets off the attack, and clicking on that
page will likely make things worse for the victim, they say.
Clickjacking is both a Web and a browser problem, but the fixes
likely need to come from the browser vendors; because they touch the
way browsers render framed content, there is no simple fix.
"Clickjacking is such an easy attack and one that is completely
unaddressed. We'll see much more of this, especially across the
social networks," WhiteHat's Grossman says.
Kotowicz blogged that the attack page uses malicious iframes, and
that the only reason the attack failed in Internet Explorer and Opera
was malformed HTML in one of the attacker's pages, rather than any
defense in those browsers.
Meanwhile, Facebook is reminding users to be wary of any posts,
messages, or links on Facebook or anywhere else that appear
suspicious, the Facebook spokesperson says.