Nov 30, 2010 15:28 GMT

Researchers at security vendor Websense warn that attackers are abusing legitimate Facebook features to craft convincing phishing emails aimed at the site's own users.

The fake emails purport to come from the Facebook Security team and warn recipients that their accounts will be deactivated for abusive behaviour.

"Your account will be deactivated immediately. Because someone has reported your actions. Maybe you have written content that is abusive or upload a picture that can be insulting or harmful to other users," the messages read.

Recipients are told to "confirm" their account by visiting a link in the message, supposedly to stop the deactivation.

In some cases the link points to a rogue Facebook application page hosted on the social networking site itself, with a URL of the form http://apps.facebook.com/[app_name]/.

The Facebook application platform lets an application's page load content from the developer's own server inside an iframe. Attackers have abused this to serve a page mimicking the Facebook sign-in form: the address bar shows a genuine facebook.com URL while the form itself comes from a third-party host.

In other cases the attackers used Facebook's open redirect script, through which links from the social network to outside URLs are passed.

"Both of these attacks make it harder for the user to spot the malicious content directly from the email. Both messages do point to a valid Facebook URL," the Websense researchers explain.

"In addition, the inclusion of valid Facebook URLs makes protecting users somewhat harder for anti-spam solutions and Web filtering products that rely heavily on URL filtering to classify content," they warn.
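The point Websense makes is that a filter which only asks "is this a facebook.com link?" passes both lures. A triage routine has to look one level deeper: is the path an apps.facebook.com canvas page (first-party URL, third-party iframe content), or does the query string smuggle an off-site destination? The following Python is an added example written for this article, not Websense's or Facebook's code. It scans every query parameter for an embedded absolute URL rather than assuming a particular redirect script or parameter name (the article names neither, and the `/redirect?u=` endpoint, the app name and the target host in the sample message are all made up for illustration).

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Hosts a domain-only URL filter would treat as trustworthy.
# Assumption for this example; real products keep far larger lists.
FIRST_PARTY_HOSTS = {"facebook.com", "www.facebook.com", "apps.facebook.com"}
CANVAS_HOST = "apps.facebook.com"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_first_party(host):
    return (host or "").lower().rstrip(".") in FIRST_PARTY_HOSTS


def embedded_urls(url):
    """Absolute http(s) URLs carried in any query parameter of `url`.

    An open redirect takes its destination from some parameter; scanning
    every value means we need not know the script's parameter name
    (the article does not give one and none is assumed here)."""
    query = urlparse(url).query
    out = []
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            inner = urlparse(unquote(value))
            if inner.scheme in ("http", "https") and inner.hostname:
                out.append(inner.geturl())
    return out


def classify(url):
    """Return (verdict, detail) for one link.

    external    - host is not Facebook at all; a domain filter catches this
    canvas_app  - apps.facebook.com/<app>/: Facebook URL, but the page body
                  is an iframe served by the app developer's own server
    redirect    - Facebook URL whose query carries an off-site destination
    first_party - Facebook URL with nothing suspicious in it
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not is_first_party(host):
        return ("external", host)
    if host == CANVAS_HOST:
        segments = [s for s in parsed.path.split("/") if s]
        return ("canvas_app", segments[0] if segments else "")
    for target in embedded_urls(url):
        target_host = urlparse(target).hostname
        if not is_first_party(target_host):
            return ("redirect", target_host)
    return ("first_party", host)


def triage(message):
    """Classify every link in an email body; returns [(url, verdict, detail)]."""
    results = []
    for match in URL_RE.finditer(message):
        url = match.group(0).rstrip(".,;:)")
        verdict, detail = classify(url)
        results.append((url, verdict, detail))
    return results


# Constructed sample in the style the article describes. The app name,
# the /redirect?u= endpoint and the target host are invented for this example.
SAMPLE_EMAIL = """Your account will be deactivated immediately. Please confirm your account:
http://apps.facebook.com/account_confirm_example/
or via http://www.facebook.com/redirect?u=http%3A%2F%2Flogin-verify.example%2Ffb
Help centre: http://www.facebook.com/help/
"""

if __name__ == "__main__":
    for url, verdict, detail in triage(SAMPLE_EMAIL):
        print(f"{verdict:12} {detail:28} {url}")
```

Run stand-alone, the script flags the canvas-app link and the redirect link while letting the plain help-centre link through. The redirect check deliberately ignores embedded URLs that point back at Facebook itself, so an internal bounce is not reported as a lure; what it cannot do is tell a benign canvas app from a phishing one, which is exactly the gap the article is describing.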

Similar tricks, loading rogue content in an iframe or bouncing the victim through a redirect under a trusted domain, can be pulled off against any website with a cross-site scripting (XSS) flaw, a common class of Web vulnerability.

However, such attacks are short-lived, because the hole can be patched and the links go dead. Facebook, on the other hand, cannot simply switch these features off, because thousands of applications and millions of users depend on them.