Facebook not doing enough to prevent clickjacking attacks, Sophos poll reveals
June 2010 by Sophos
With clickjacking worms becoming an increasing problem on Facebook, a study by IT security and data protection firm Sophos has revealed that 95% of those polled do not believe that Facebook is doing enough to stop them.
The attacks, dubbed ‘likejacking’ by Sophos, exploit the ‘Like’ button facility by automatically updating a user’s Facebook page to say that they ‘like’ a third-party webpage. This update is automatically shared with the user’s Facebook friends via the website’s newsfeed, helping the attacks to spread rapidly across the social network.
Yesterday, the latest widespread attack struck Facebook users, tricking them into ‘liking’ a webpage entitled ‘101 Hottest Women in the World’ with a picture of Jessica Alba. Sophos conducted a poll of 600 internet users asking: "Do you think Facebook is doing enough to stop clickjacking worms?" Of those polled, 95% voted no, emphasising the urgent need for Facebook to fix the problem.
Although the attacks are yet to deliver malicious payloads, they demonstrate an exploitable weakness in the way that Facebook works, putting users at potential risk from further malware or phishing attacks.
"Facebook clearly hasn’t been security-conscious enough in the implementation of its social ‘like’ plugin. This leaves the system open to abuse by spammers and scammers, and exposes users to the risk of outside threats," said Graham Cluley, senior technology consultant at Sophos. "One solution would be for Facebook to implement ways for members to make a more conscious decision as to whether they want to ‘Like’ third party content or not. By having a pop-up box asking whether users are sure they want to ‘Like’ a particular page, or offering the option to disable the third-party ‘like’ feature entirely, the spread of these attacks would be much easier to control."
"What’s clear is that Facebook needs to set up a proper early-warning system to alert users about breaking threats. It seems wrong that the only place where Facebook users can read about the latest attacks is on the pages run by security vendors on Facebook, rather than Facebook’s own security pages," continued Cluley.
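Likejacking works because the Like plugin is rendered inside a frame on the third-party page, so a site can only defend against being framed on pages it does not intend to be embedded, using the X-Frame-Options or Content-Security-Policy frame-ancestors response headers; an embeddable widget cannot use them, which is why the confirmation step Cluley proposes has to live in the widget itself. The checker below is an added example (not Sophos or Facebook code) that evaluates whether a response's headers let a given origin frame it; the header sets and origins are constructed for illustration.

```python
from urllib.parse import urlsplit

def _origin_parts(origin):  # (scheme, host) of an origin such as https://app.example.com
    parts = urlsplit(origin)
    return parts.scheme.lower(), (parts.hostname or "").lower()

def _source_matches(src, embedder):
    """Match one frame-ancestors source expression against an embedder origin."""
    e_scheme, e_host = _origin_parts(embedder)
    if src.endswith(":"):                  # scheme-source such as https:
        return src[:-1].lower() == e_scheme
    host = src
    if "://" in src:                       # https://cdn.example.com
        scheme, host = src.split("://", 1)
        if scheme.lower() != e_scheme:
            return False
    host = host.split("/", 1)[0].split(":", 1)[0].lower()  # drop path and port
    if host.startswith("*."):              # wildcard matches subdomains only
        return e_host.endswith(host[1:])
    return host == e_host

def framing_allowed(headers, page_origin, embedder_origin):
    """Return (allowed, reason): may embedder_origin put page_origin in a frame?
    CSP frame-ancestors overrides X-Frame-Options when both are present, as in browsers."""
    h = {k.lower(): v for k, v in headers.items()}
    same = _origin_parts(page_origin) == _origin_parts(embedder_origin)  # ports ignored
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = [t.strip("'").lower() for t in tokens[1:]]
        if sources == ["none"]:
            return False, "frame-ancestors 'none'"
        for src in sources:
            if src == "self" and same:
                return True, "frame-ancestors 'self'"
            if src != "self" and _source_matches(src, embedder_origin):
                return True, "frame-ancestors matched " + src
        return False, "frame-ancestors does not list the embedder"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return same, "X-Frame-Options: SAMEORIGIN"
    return True, "no anti-framing header: any site can frame this page"

# Constructed sample headers: an embeddable button must ship without anti-framing
# headers, so any site can frame it; a page that is not meant to be framed opts out.
WIDGET_HEADERS = {"Content-Type": "text/html"}
PROTECTED_HEADERS = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
```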