Feb 11, 2011 17:58 GMT

Security experts fear that the introduction of iframes for Facebook Pages will open the door to even more abuse and will make the job of attackers on the social network much easier.

On Thursday, Facebook announced that Page admins can start creating Page Tabs which load apps inside iframes instead of the more restrictive FBML (Facebook Markup Language).

"[...] You can now build apps that run across Facebook (including Pages and Canvas applications) using the same simple, standards-based web programming model (HTML, JavaScript, and CSS)," Facebook's Nikolay Valtchanov said.

However, while Facebook developers were happy to hear about the changes, some security experts didn't share the enthusiasm.

"While this is no doubt great news for legitimate developers it will undoubtedly make life for those with malicious intent much easier too," notes Rik Ferguson, senior security advisor at antivirus vendor Trend Micro.

"No more likejacking required, no more having to persuade users to install your app, if a criminal can make the bait sweet enough just to get you to visit the page, that is all they will require to start the chain that leads to your computer being compromised and used for criminal purposes," he explains.

Facebook made policy changes to prevent the feature's abuse. But, of course, cybercriminals couldn't care less about terms of service.

Rogue apps are at the heart of hundreds, if not thousands, of survey scams spreading on the social networking site every single month and their creators are perfectly fine with breaking the rules.

In addition, the situation only appears to be getting worse, with no signs of Facebook's security staff being able to keep up with the number of rogue apps.

Because of the way browsers handle iframes, they represent a good attack vector in general, not just on Facebook. A large number of drive-by download attacks launched from compromised legit websites are performed via rogue iframes.