The Facebook likejacking browser vulnerability

Facebook JavaScript attacks that use a known scripting vulnerability in browsers don’t appear to be going away any time soon (the HTML specification actually makes allowances for cross-site scripting). Facebook isn’t alone in attempting to address malicious script redirects, as malware writers know only too well that all browsers suffer from this scripting flaw. You don’t have to be a hacker to succeed with this technique! Check out my post ‘The Facebook “Like” button JavaScript threat is real’. Facebook is unfortunate in one way, in that it is the most discussed website on the planet, so it ends up with plenty of criticism when it comes to security exploits and privacy control.

For those of you who want to learn how to stop scripts (malicious or otherwise) from executing in a browser, I suggest you read “How to manage website scripts using browser addons”. Here is a simple example of a likejacking attack:

  • Fake videos or provocative images are published on Facebook and propagate from one friend to their friends, and so on
  • The user is socially engineered into clicking a button or link to view the video(s) or image(s), using an enticement such as an online survey or special promotion
  • Hidden underneath the video or image is a “Like” button, using what we call in the coding industry ‘UI redressing’.* This is the point at which users are redirected to the malicious website

*In-app/website notifications might be useful here, Facebook 🙂 but I’d suggest using a script blocker (see my previous link above). Website admins should also consider using a FrameKiller JavaScript snippet, but not all admins follow a secure SDLC.
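As an added example (not code from the original post), here is the kind of FrameKiller snippet meant above, together with the response headers a site admin should send alongside it, which goes a step beyond what the post names. The snippet hides the page and navigates the outer window to itself whenever it detects it is being shown inside someone else’s frame, which is exactly how the hidden “Like” button in a likejacking page is placed. The `win` parameter is a window-like object (in a browser you pass `window`); its shape, the function names `isFramed`, `frameKiller`, `frameHeaders` and `demo`, and the sample origins are this example’s own assumptions so that it also runs under Node.

```javascript
// Added example, not code from the original post: a FrameKiller that refuses
// to show the page when it is embedded in another document, and the response
// headers that should back it up. `win` is a window-like object (in a browser,
// pass `window`); the shape used here is an assumption so the logic also runs
// under Node without a browser.

// True when `win` is displayed inside some other document's frame.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // A cross-origin parent can make win.top unreadable; if we cannot even
    // inspect it, treat the page as framed.
    return true;
  }
}

// Frame-buster. The page is served with <html style="display:none"> and is
// only revealed here when it is the top-level document, so a hostile embedder
// that blocks the navigation still has nothing clickable to hide a button under.
// Returns a string describing what was done so the behaviour can be asserted.
function frameKiller(win) {
  const root = win.document && win.document.documentElement;
  if (!isFramed(win)) {
    if (root) root.style.display = "";     // top-level: show the content
    return "top-level";
  }
  if (root) root.style.display = "none";   // framed: keep it hidden
  win.top.location = win.self.location;    // navigate the outer window to us
  return "busted";
}

// The server-side control that does not depend on script running at all.
// With no allowed origins the page may never be framed; with a list, only the
// site itself and those origins may embed it (CSP frame-ancestors is the only
// header that can express a list; X-Frame-Options is the legacy fallback).
function frameHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    };
  }
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": `frame-ancestors 'self' ${allowedOrigins.join(" ")}`,
  };
}

// Stand-alone demo with two constructed window objects (no browser needed):
// one page loaded at top level, one embedded by a constructed hostile page.
function demo() {
  const page = {
    location: "https://example.com/page",
    document: { documentElement: { style: { display: "none" } } },
  };
  page.top = page;
  page.self = page;

  const hostileTop = { location: "https://attacker.invalid/fake-video" }; // constructed
  const framed = {
    top: hostileTop,
    location: "https://example.com/page",
    document: { documentElement: { style: { display: "none" } } },
  };
  framed.self = framed;

  return {
    standalone: frameKiller(page),           // "top-level"
    embedded: frameKiller(framed),           // "busted"
    outerLocationAfter: hostileTop.location, // now points at the real page
    headers: frameHeaders(),
  };
}

if (typeof window === "undefined") {
  console.log(demo());
}
```

The script alone is defence in depth, not the control to rely on: an embedder can neutralise a frame-buster (for instance, an iframe with the `sandbox` attribute blocks top-level navigation), whereas the `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers from `frameHeaders` are enforced by the browser before any page script runs. Serving the document hidden and only revealing it in the top-level branch is what keeps the content unusable for UI redressing even when the redirect is blocked.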

Lastly, I suggest you review your news feed and delete any offending items. Notify your friends too. You can remove any items from the ‘Facebook Timeline – it’s your final decision’, which for me provides more flexibility and control (using ‘Activity Log’) over news and status updates than the previous version. This might come as a surprise to some of my readers, but rest assured you’ll know what I mean when you start using the Timeline Activity Log.

Safe surfing folks!


2 Responses to The Facebook likejacking browser vulnerability

  1. Pingback: The Facebook likejacking browser vulnerability | News | IT Security Magazine - Hakin9

  2. BeatWAP says:

    Hey folks, thanks for sharing.
