The Facebook ‘Like’ button JavaScript threat is real

You couldn’t have failed to notice that yesterday Facebook announced the ‘Like’ function will now share your ‘Likes’, which will include the story, thumbnail, headline and link, on your profile wall. You will also be able to comment on the link. Plain and simple, this change is all about data collection and marketing analysis, which I don’t object to, but it would be nice to know where my ‘likes’, ‘shares’, ‘status updates’, ‘app data’ and so on are going to. So rather than discuss data privacy (which is of course a hot topic for me), I thought I would do some research about the security issues surrounding the ‘like’, or is that ‘Share’ 🙂 function.

This got me thinking about the ‘one click’ JavaScript functions (see below for What is JavaScript?) that are being used across the Web right now, including of course the ‘Like’ function on Facebook. What if a hacker developed JavaScript that changed the ‘one click’ ‘Like’ function so that it dropped malware onto your PC? From searching the Darknet (see below for What is Darknet?) I came across some hackers who claimed they have developed a script that would function exactly like the ‘like’ function on Facebook, but instead of only allowing you to post that ‘Like’, it also dropped some malicious files onto your PC which would easily take control of your profile. Clever – hackers are always on the lookout for new exploits.

The hackers appear to have created a malicious script that could be delivered via an iFrame threat vector, phishing email or worse still from a genuine website. The script would exploit JavaScript vulnerabilities (i.e. DOM-based Cross Site Scripting or XSS) including hijacking your Facebook profile page (or user sessions) by changing your email address, posting malicious links to your News Feeds and Status Updates, so you wouldn’t know when or where your account has been accessed. Worse still, you would be unable to access your profile and therefore be unable to access your Facebook – someone else would have that control.

IBM in a recent report (Jan 2011) on Cross Site Scripting examined 500 websites of the largest privately listed US organisations and 175 otherwise popular sites. It found slightly over 14% of the sites contained DOM-based Cross Site Scripting (XSS), but this figure would more than likely have been much higher given they only examined about 200 pages per site. This is yet further conclusive evidence that JavaScript is a real problem for webmasters and in particular end-users of social networking sites like Facebook.
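To make the DOM-based XSS point above concrete, here is an added example (not code from the original post, and not Facebook’s own Like button code) of a ‘one click’ share widget that builds its markup from a page parameter an attacker controls, shown in its vulnerable form and its hardened form side by side. The function names (`parseWidgetParams`, `renderShareVulnerable`, `renderShareSafe`, `isSafeLinkUrl`, `containsUnexpectedMarkup`) and the crafted input are all constructed for this illustration. The widget is modelled as pure string functions so it runs under Node; in a browser the returned string would be the value assigned to `element.innerHTML`, which is the DOM XSS sink.

```javascript
// Added example, not part of the original post. All names are hypothetical.
// In a real page the parameter source would be location.hash or
// location.search, both of which the sender of a link controls.

// Parse a fragment such as "#title=Hello&url=https://example.com/story".
function parseWidgetParams(hashFragment) {
  const params = new URLSearchParams(hashFragment.replace(/^#/, ""));
  return {
    title: params.get("title") || "",
    url: params.get("url") || "",
  };
}

// VULNERABLE: untrusted values are interpolated straight into HTML.
// Assigning this to innerHTML lets a crafted title inject elements and
// a crafted url install a javascript: link.
function renderShareVulnerable(params) {
  return `<div class="share"><a href="${params.url}">Like: ${params.title}</a></div>`;
}

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only accept absolute http(s) URLs; javascript:, data: and unparsable
// strings are rejected.
function isSafeLinkUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false;
  }
}

// HARDENED: escape the text, validate the link scheme, and fall back to a
// harmless default when the URL fails validation.
function renderShareSafe(params) {
  const href = isSafeLinkUrl(params.url) ? escapeHtml(params.url) : "#";
  return `<div class="share"><a href="${href}">Like: ${escapeHtml(params.title)}</a></div>`;
}

// Constructed sample: the kind of fragment a phishing link might carry.
const CRAFTED_HASH = '#title=<img src=x onerror="alert(1)">&url=javascript:alert(1)';

// Simple check for a unit test or a build-time gate: does the rendered
// markup contain an element, an inline event handler inside a tag, or a
// javascript: href that the widget itself never emits?
function containsUnexpectedMarkup(html) {
  return /<(img|script|iframe)\b/i.test(html)
    || /<[^>]*\son[a-z]+\s*=/i.test(html)
    || /href=["']?\s*javascript:/i.test(html);
}

// Stand-alone demonstration.
const crafted = parseWidgetParams(CRAFTED_HASH);
console.log("vulnerable:", renderShareVulnerable(crafted),
  "-> unexpected markup:", containsUnexpectedMarkup(renderShareVulnerable(crafted)));
console.log("hardened:  ", renderShareSafe(crafted),
  "-> unexpected markup:", containsUnexpectedMarkup(renderShareSafe(crafted)));
```

The hardened version relies on two separate controls: output encoding for the text context, and scheme validation for the link, because encoding alone would not stop a `javascript:` URL from reaching an `href`. In a real widget, using `textContent` and `setAttribute` on created elements rather than building an HTML string removes the `innerHTML` sink altogether.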

What is JavaScript? It is a computer programming language that runs on client PCs and is used to make Web pages for users more interactive. The major advantage is JavaScript doesn’t require constant downloads (only for updates).

What is the Darknet? This is a closed (and in some cases it can be “open” to the public) private network of computers used for file sharing. You need to know where to look and use social engineering skills to open the doors.

Safe surfing folks!
