Security Worms Social Networks

Clickjacking Worm Exploits Facebook "Like" Feature

An anonymous reader writes "For the last 24 hours, a series of attacks have exploited Facebook's 'Like' feature through a clickjacking vulnerability. Using subjects such as 'This Girl Has An Interesting Way Of Eating A Banana, Check It Out!' hackers have spread an attack that links to web pages that use invisible iFrames to trick users into saying they like the content. Users are presented with an innocent-seeming web page that says 'Click here to continue,' but clicking at any point on the page publishes the same message to their own Facebook page. Security blogger Graham Cluley says that hundreds of thousands of Facebook users have been hit, and offers advice on how to clean up affected Facebook profiles."
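
The attack in the summary only works if the target page lets itself be loaded inside another site's iframe. As an added example (not part of the original story or its comments), this JavaScript checks a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers to decide whether a given origin may frame it; the origins and sample headers are constructed, and ports and paths in source expressions are not handled.

```javascript
// Added example: can `embedder` load a response with these headers in an iframe?
// Origins and sample headers are constructed; ports/paths in sources are not handled.
function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list, or null when the directive is absent.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

function sourceMatches(source, embedder, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder === self;
  if (s === '*') return true;
  const m = s.match(/^(https?):\/\/\*\.(.+)$/); // e.g. https://*.partner.example
  if (m) {
    const u = new URL(embedder);
    return u.protocol === m[1] + ':' && u.hostname.endsWith('.' + m[2]);
  }
  return s === embedder; // exact origin match
}

function canBeFramedBy(headers, embedder, self) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ancestors = parseFrameAncestors(h['content-security-policy'] || '');
  if (ancestors !== null) {
    // frame-ancestors takes precedence over X-Frame-Options when both are sent.
    return ancestors.some((src) => sourceMatches(src, embedder, self));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === self;
  // No header, or the obsolete ALLOW-FROM value that current browsers ignore.
  return true;
}

const SELF = 'https://social.example';   // constructed origin of the page being protected
const OTHER = 'https://bait.example';    // constructed third-party origin
const samples = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  cspSelf: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
};
for (const [name, hdrs] of Object.entries(samples)) {
  console.log(name, 'frameable by third party:', canBeFramedBy(hdrs, OTHER, SELF));
}
```
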
  • caterpillar (Score:4, Insightful)

    by kervin ( 64171 ) on Monday May 31, 2010 @11:29AM (#32407412)

    Why does the Slashdot section on worms have a picture of a crawling caterpillar?

  • Advice (Score:3, Insightful)

    by whisper_jeff ( 680366 ) on Monday May 31, 2010 @11:31AM (#32407444)

    > Graham Cluley ... offers advice on how to clean up affected Facebook profiles

    Here. I'll offer the simplest advice you can get: Stop clicking on stupid shit.

    Just by doing that, internet/computer security would be vastly improved. Once all of our moms and computer-illiterate uncles learn that one little gem, we'll be a long ways towards solving most of the computer-related security issues. Of course there are steps after that to really nail down security but, until people stop clicking on stupid shit, we're fighting a losing battle.

  • Re:Advice (Score:3, Insightful)

    by Anonymous Coward on Monday May 31, 2010 @11:36AM (#32407492)

    The thing about click jacking is you don't have to click on stupid shit. You could be clicking on something entirely legitimate, or so you think.

  • Re:Advice (Score:5, Insightful)

    by bfields ( 66644 ) on Monday May 31, 2010 @11:43AM (#32407562) Homepage

    > Here. I'll offer the simplest advice you can get: Stop clicking on stupid shit.
    >
    > Just by doing that, internet/computer security would be vastly improved.

    Eh. The scammers use "stupid shit" as the bait because that's what works. If "intelligent shit" started attracting the most clicks, they'd start using that instead.

    Once a single mouse click on an infected link is enough to propagate the link, it's already game over--the choice of bait is a detail.

  • Re:Advice (Score:5, Insightful)

    by WrongSizeGlass ( 838941 ) on Monday May 31, 2010 @11:53AM (#32407684)

    > Eh. The scammers use "stupid shit" as the bait because that's what works. If "intelligent shit" started attracting the most clicks, they'd start using that instead.

    You mean "This New Intel CPU Has A Great New Hologram! Check It Out!" won't work?

  • Re:Advice (Score:5, Insightful)

    by Phroggy ( 441 ) <slashdot3@ p h roggy.com> on Monday May 31, 2010 @12:19PM (#32407926) Homepage

    Sometimes, stupid things are funny. I don't live in a bubble, and if my friends think something stupid is funny or interesting, I want to see it, because I care about what my friends think and because I find value in sharing an experience and because it might actually be worth my time.

    I don't have to use Facebook, but it's how a lot of my friends choose to communicate, and my social life is healthier because of it. Many of them aren't geographically close enough to see them in person often, and those that are don't always have a compatible schedule, so Facebook allows me to stay in contact with people I wouldn't otherwise be able to (indeed, I've reconnected with people on Facebook that I haven't seen in over a decade, who are on the other side of the globe).

    I think it's reasonable to expect that when I click a link to a web page, nothing bad should happen to me. In fact, nothing did happen - I'm not sure if that's because Facebook has already blocked this, or my browser has built-in security measures in place to prevent it, or (more likely) the exploit failed due to some bug or incompatibility. I looked at the HTML, saw what it was trying to do, saw that it was malicious, and went no further. That's how I WANT things to work.

  • by RobVB ( 1566105 ) on Monday May 31, 2010 @12:35PM (#32408100)

    There's something everyone can do to fix it for themselves, though: log off when you're done using Facebook. Of course, that makes it harder to tell your little friends about how you "heart" (sorry, Like) various things.

  • by hduff ( 570443 ) <hoytduffNO@SPAMgmail.com> on Monday May 31, 2010 @12:42PM (#32408168) Homepage Journal

    Much simpler to abandon security-plagued Facebook, the Windows 98 of social networking sites (myspace would be the Windows 95 equivalent).
