The scantily dressed woman has nothing else to show you

Nov 24, 2009 09:26 GMT  ·  By

The Facebook staff has been hard at work to squash a new worm propagating on the social networking platform with the help of unwary users. Using the image of a female model in lingerie as lure, the nuisance spread from wall to wall through a Web exploitation technique known as clickjacking.

This most recent attack doesn't appear to have had a malicious component and was most likely a proof of concept. The rogue Facebook posts featured the picture of an attractive female model looking over her shoulder and an accompanying message reading "Wanna C Somthin' HOT!?? Click Da' Button, Baby!" Following the instruction while logged into Facebook did nothing more than re-post the same message, without authorization, on the victim's own wall, thus propagating it further.

The trick was so well crafted and intriguing that it even managed to trick some security professionals. "The worm's landing page is brilliant -- alluring yet mysterious, and very clean, just like we techies like it. […] As a personal lesson, I have to admit mea culpa. I saw the worm being posted from a friend's page and didn't believe it to be dangerous because the lure is pretty cool," Gadi Evron, a reputed security consultant and former Israeli CERT manager, writes for Dark Reading.

After analyzing the worm, Nick FitzGerald, emerging threats researcher at antivirus vendor AVG, concluded that the attack technique used was cross-site request forgery (CSRF). "A sequence of iframes on the exploit page call a sequence of other pages and scripts, eventually resulting in a form submission to Facebook 'as if' the victim had submitted a URL for a wall post and clicked on the 'Share' button to confirm the post," he explains.

However, the Facebook staff disagrees with the CSRF assessment and says that a technique known as clickjacking, or in technical lingo, user interface redressing, is the culprit. Clickjacking is a term referring to an entire class of attacks that affect all browsers and involve overlaying hidden buttons on top of visible ones. Therefore, when a user attempts to click the legit button in order to perform an apparently harmless action, their mouse click is hijacked and used to trigger an unintended one.

"This problem isn’t specific to Facebook, but we’re always working to improve our systems and are building additional protections against this type of behavior. We’ve blocked the URL associated with this site, and we’re cleaning up the relatively few cases where it was posted," a Facebook spokesperson commented for The Register.

Clickjacking is a growing concern amongst the infosec community and browser vendors have yet to completely address it. The technique exploits an architectural flaw at the core of the Web, so it is difficult to mitigate without breaking other legit functionality.

This doesn't mean that users are completely exposed. For example, Firefox users can protect themselves against most of these attacks by installing a popular security extension called NoScript.

With Internet Explorer 8, Microsoft also introduced an HTTP response header called X-Frame-Options that web developers can set on their websites in order to counter clickjacking abuse. Unfortunately, this means that IE8 users have to rely on website owners to protect them, which is not very practical.
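The following is an added example, not code from the article, from Facebook or from Microsoft. It shows the site-owner side of the defence the two paragraphs above describe: a small Node.js server that sends X-Frame-Options (together with its modern successor, the Content-Security-Policy frame-ancestors directive) so that the page with the "Share" button cannot be loaded inside a hidden frame, and a checker that grades a response's headers the way a defender auditing their own site would. The policy names, the function names and the sample header sets are all assumptions made for this example; only the built-in "http" module is used.

```javascript
// Added example, not code from the article or from Facebook: the server-side
// anti-framing headers the article refers to, plus a checker that grades a
// response's headers. Assumes Node.js; only the built-in "http" module is used.

// Build the anti-framing headers for a page. X-Frame-Options (introduced with
// IE8) is understood by every modern browser; Content-Security-Policy's
// frame-ancestors directive is the newer standard and, where a browser
// supports it, takes precedence over X-Frame-Options.
function clickjackingHeaders(policy = "deny", allowedOrigins = []) {
  switch (policy) {
    case "deny": // nobody may frame this page
      return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
      };
    case "sameorigin": // only pages from the same origin may frame it
      return {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
      };
    case "allowlist": // same origin plus a fixed list of partner origins
      // X-Frame-Options cannot express an allowlist (its ALLOW-FROM form was
      // only ever honoured by IE and old Firefox), so this relies on CSP alone.
      return {
        "Content-Security-Policy":
          "frame-ancestors 'self' " + allowedOrigins.join(" "),
      };
    default:
      throw new Error("unknown framing policy: " + policy);
  }
}

// Return the frame-ancestors source list from a CSP value (lower-cased),
// or null when the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Grade how well a set of response headers resists framing. Header names may
// be in any case, as in Node's res.getHeaders() or IncomingMessage.headers.
// Returns "denied", "same-origin", "allowlist" or "unprotected".
function assessFramingProtection(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }
  const ancestors = frameAncestors(h["content-security-policy"]);
  if (ancestors) {
    // frame-ancestors wins over X-Frame-Options in browsers that support CSP.
    if (ancestors.length === 0 || ancestors.includes("'none'")) return "denied";
    if (ancestors.includes("*")) return "unprotected";
    if (ancestors.length === 1 && ancestors[0] === "'self'") return "same-origin";
    return "allowlist";
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "denied";
  if (xfo === "SAMEORIGIN") return "same-origin";
  // No header, or the obsolete ALLOW-FROM form: treat as unprotected.
  return "unprotected";
}

// A minimal server that applies the chosen policy to a page with a
// state-changing button (the kind of page a clickjacking overlay targets).
function createServer(policy = "deny") {
  const http = require("http"); // loaded here so the checker above runs without it
  return http.createServer((req, res) => {
    for (const [name, value] of Object.entries(clickjackingHeaders(policy))) {
      res.setHeader(name, value);
    }
    res.setHeader("Content-Type", "text/html; charset=utf-8");
    res.end("<h1>Confirm wall post</h1><button>Share</button>");
  });
}

// Constructed sample: a response that only sets the legacy ALLOW-FROM form.
const sampleHeaders = {
  "Content-Type": "text/html",
  "X-Frame-Options": "ALLOW-FROM https://partner.example",
};
console.log(assessFramingProtection(sampleHeaders)); // "unprotected"
console.log(assessFramingProtection(clickjackingHeaders("deny"))); // "denied"
```

To serve the page, call `createServer("deny").listen(8080)`; the checker can then be pointed at the headers of any response (for example `res.headers` from an `http.get` request against your own site) to confirm that the page cannot be framed. The grading deliberately follows browser behaviour: a frame-ancestors directive, when present, is what a modern browser honours, and X-Frame-Options only matters when the directive is missing, which is why a response carrying both is graded by its CSP value.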

Photo gallery (2 images): "Facebook hit by clickjacking worm"; "Rogue message posted by Facebook clickjacking worm".