Like button vulnerable to clickjacking attack

Jul 14, 2010 09:52 GMT

A security researcher has discovered a vulnerability which can be used to force Facebook users into liking arbitrary pages. The type of attack is known as clickjacking and does not require any form of user confirmation.

The Facebook “Like” button allows users to share content they find interesting on the Web. The feature is meant to allow users with similar interests to easily find and connect to each other on the social networking website. The button can be integrated by webmasters into any page on their website via a special IFrame.

The bug was discovered by a 21-year-old student named Eric Kerr, who documented it on his blog. Successful exploitation results in arbitrary content being added to the user's Facebook News Feed, and at the time of writing this article the flaw was still present.

Kerr explains that a bug in the implementation allows potential attackers to trick users into Liking malicious pages without even knowing it. This can be accomplished by hiding the button on the page via CSS and attaching it under the mouse cursor using a bit of JavaScript.

In this way, regardless of where the user clicks on the page, they will always click on the “Like” button. The most important aspect of the attack is that it all happens transparently, without users seeing any warning that they are about to Like something.

This type of attack, known as clickjacking or user interface (UI) redressing, can enable so-called social networking worms – malicious messages that spread virally. The existence of such a vulnerability is worrying because Facebook scams abusing the Like functionality have been particularly active lately.
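The technique described above only works when a page can be loaded inside an attacker's iframe, so the standard defence for a site's own pages is an anti-framing response header. The following is an added example (not code from the article, from Kerr's post or from Facebook): a small checker that classifies a response's `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers, giving CSP precedence over `X-Frame-Options` as browsers do. Note that a Like button is designed to be embedded, so this check applies to pages that should never be framed, not to the widget itself.

```python
# Added example: classify whether response headers stop cross-origin framing,
# the precondition for UI redressing. Headers are assumed to be a plain dict.

def _header(headers, name):
    """Case-insensitive header lookup; returns the stripped value or None."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip()
    return None

def _csp_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None.

    An empty source list means 'none' per the CSP specification.
    """
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]] or ["'none'"]
    return None

def framing_policy(headers):
    """Classify anti-framing protection.

    Returns (frameable_cross_origin, source, allowed_cross_origin_sources).
    """
    csp = _header(headers, "content-security-policy")
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"]:
                return False, "csp", []
            # '*' or a bare scheme such as "https:" admits any site
            broad = any(s == "*" or s.endswith(":") for s in sources)
            others = [s for s in sources if s != "'self'"]
            return broad or bool(others), "csp", others
    xfo = _header(headers, "x-frame-options")
    if xfo is not None:
        if xfo.upper() in ("DENY", "SAMEORIGIN"):
            return False, "x-frame-options", []
        # ALLOW-FROM is obsolete; browsers treat other values as no protection
        return True, "x-frame-options(unrecognized)", []
    return True, "none", []

if __name__ == "__main__":
    # Constructed sample: an unprotected page and a protected one
    print(framing_policy({}))
    print(framing_policy({"X-Frame-Options": "DENY"}))
```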

“More advanced versions might use cookies to detect when a user is returning so they can actually use the site after presumably clicking the like button. Other modifications might include detection on when a user clicks the invisible iframe so it is removed without the user knowing and browsing returns to normal,” Eric Kerr warns.

You can follow the editor on Twitter @lconstantin