Friday, June 18, 2010

Facebook, clickjacking and lifejacking

Users of Facebook are falling victim to a new type of attack called “clickjacking” or “lifejacking”. Facebook users see links that their friends appear to have liked; those currently in circulation include “World Cup 2010” and “This man takes a picture of himself every day for 8 years”. When a Facebook user clicks on one of these links, they are taken to another page which asks them to carry out a simple action, such as clicking a button to confirm that they are over 18. When they do this, the link is added to their Facebook profile, saying that they “like” the site.

There currently appears to be no malicious intent behind these attacks, but it is not difficult to see how they could be used to install malware on a user’s computer or perpetrate a phishing attack.

The attack works by using iframes that act as invisible buttons and, in this case, cover the entire page. Wherever the user clicks, they end up clicking the invisible button. In the attacks seen so far, the invisible button is a Facebook “like” button.

Once again, this is going to bring into question the use of social media sites like Facebook within businesses, as quite sophisticated security solutions will be required to prevent attacks of this sort.
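A defender-side check for the iframe mechanism described above, as an added example that is not part of the original post: it reads a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers and reports whether an arbitrary site could load the page in an invisible frame. The function names and the sample header values are constructed for illustration.

```javascript
// Added example: classify a response's anti-framing headers.
// 'deny' = no page may frame it, 'restricted' = only same-origin or listed
// pages may, 'open' = any site can load it inside an invisible iframe.

// Return the frame-ancestors source list of one CSP policy, or null if absent.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function classifySources(sources) {
  const list = sources.map((s) => s.toLowerCase());
  // An empty list or a lone 'none' matches no embedding page at all.
  if (list.length === 0 || (list.length === 1 && list[0] === "'none'")) return 'deny';
  // '*', a bare scheme such as https:, or https://* admit arbitrary sites.
  const wide = (s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s) || s.endsWith('://*');
  return list.some(wide) ? 'open' : 'restricted';
}

// headers: lower-cased header names, repeated headers joined with commas
// (the shape of Node's res.headers).
function framingVerdict(headers) {
  const policies = (headers['content-security-policy'] || '').split(',');
  const verdicts = policies.map(frameAncestors).filter((s) => s !== null).map(classifySources);
  if (verdicts.length > 0) {
    // frame-ancestors overrides X-Frame-Options; with several policies each
    // one must allow the embedder, so the strictest verdict applies.
    return ['deny', 'restricted', 'open'].find((v) => verdicts.includes(v));
  }
  // Only DENY and SAMEORIGIN count; ALLOW-FROM is obsolete and other values
  // (including comma-joined duplicates) are reported as 'open' for review.
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  return xfo === 'SAMEORIGIN' ? 'restricted' : 'open';
}

// Constructed sample responses, not captured from any real site.
const samples = [
  {},
  { 'x-frame-options': 'SAMEORIGIN' },
  { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  { 'content-security-policy': 'frame-ancestors *', 'x-frame-options': 'DENY' },
];
for (const h of samples) console.log(framingVerdict(h), JSON.stringify(h));
```

The last sample is the case worth noticing: a permissive frame-ancestors directive makes the browser ignore an otherwise strict X-Frame-Options header.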

2 comments:

  1. I was unaware of this attack... though the IT is emerging, there are many security concerns!


  2. Just yesterday, I clicked on a link to a video that one of my friends put on her Wall, and the link got me to a page where a YouTube video was embedded, so I clicked on the "play" button. I listened to the video, and didn't like it, so I just closed the window and continued my normal usage of Facebook. It's only later that I realized that the video was now on my Wall (as if I had added a link on my Wall, but I didn't!). I hate the idea that someone other than me could put something up on my Wall!!!
