Forgot your password?
typodupeerror
Security Worms Social Networks

Clickjacking Worm Exploits Facebook "Like" Feature 124

Posted by StoneLion
from the it's-no-robert-morris dept.
An anonymous reader writes "For the last 24 hours, a series of attacks have exploited Facebook's 'Like' feature through a clickjacking vulnerability. Using subjects such as 'This Girl Has An Interesting Way Of Eating A Banana, Check It Out!' hackers have spread an attack that links to web pages that use invisible iFrames to trick users into saying they like the content. Users are presented with a innocent-seeming web page that says 'Click here to continue,' but clicking at any point on the page publishes the same message to their own Facebook page. Security blogger Graham Cluley says that hundreds of thousands of Facebook users have been hit, and offers advice on how to clean up affected Facebook profiles.
This discussion has been archived. No new comments can be posted.

Clickjacking Worm Exploits Facebook "Like" Feature

Comments Filter:
  • Link? (Score:5, Funny)

    by Ecuador (740021) on Monday May 31, 2010 @11:21AM (#32407338) Homepage

    I hate posts without proper links...
    So, who will post the direct link to the girl with an interesting way of eating a banana?

    • Re:Link? (Score:4, Informative)

      by DeadPixels (1391907) on Monday May 31, 2010 @12:02PM (#32407748)
      Warning: This is a clickjacking attempt, obviously, so copy/paste the URL only if you want to see it for yourself. NoScript blocks it for me.

      http://www.mprosperstats.info/bananalike/index.htm?ref=search&sid=dpf-GrMT3GTEEuQTlotyMg.3788977952..1
      • by hduff (570443)

        So is there a safe link to the bananna-eating girl pic? Just asking as a public service since it seems a lot of people want to see it.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Probably NSFW depending how up tight your boss is:
          http://www.youtube.com/watch?v=It7cHFyms0Q [youtube.com]

          • If it wasn't for the "porn pros" watermark on the video and the title "world's best deep throat" it would be just fine for work. The video itself is safe, it is just a fully clothed blonde eating a very large banana in one bite.
      • by Dumnezeu (1673634)

        404

    • Re: (Score:3, Interesting)

      by alvinrod (889928)
      You fool, there is no girl eating a banana. It was all a ruse, a nasty trick designed to play on your insatiable curiosity for the bizarre!

      I know because I tried clicking on it :(

      Reminds me of this bash.org quote. [bash.org]
      • Re: (Score:3, Informative)

        by Dogtanian (588974)

        Reminds me of this bash.org quote.

        That's a great quote, so I kind of feel like a bastard for spoiling it, but... P2P programs generally recognise identical files by their hash value; so if the guy simply renamed some files that were already out there under their original name, they'd have used his copy for certain parts, even if people didn't search under it for that name.

        • So...
          Couldn't one just find out the hash values of the pieces of the files they are downloading and generate random data until the hash value matches?

          Slow, yes.
          Generating a movie randomly? Priceless..

    • Re:Link? (Score:4, Funny)

      by Low Ranked Craig (1327799) on Monday May 31, 2010 @12:50PM (#32408246)
      The banana is a lie!
    • Re: (Score:1, Funny)

      by Anonymous Coward
      So, who will post the direct link to the girl with an interesting way of eating a banana?

      I will. Here it is. [glumbert.com]

      That video's got to be at least 3 years old, and I'm still impressed.
    • you see THIS http://i48.tinypic.com/10h8t2p.jpg [tinypic.com] before you fill in the survey and this http://i47.tinypic.com/260pmpk.png [tinypic.com] after. essentially it's a screenshot from lamebook.com
  • by Robin47 (1379745) on Monday May 31, 2010 @11:26AM (#32407396)
    after that article.
  • caterpillar (Score:4, Insightful)

    by kervin (64171) on Monday May 31, 2010 @11:29AM (#32407412) Homepage

    Why does the Slashdot section on worms have a picture of a crawling caterpillar?

    • by WrongSizeGlass (838941) on Monday May 31, 2010 @11:50AM (#32407666)

      Why does the Slashdot section on worms have a picture of a crawling caterpillar?

      They do it just to bug people ;-)

    • Re: (Score:2, Informative)

      by maxume (22995)

      If it helps, those are often called inchworms.

      • by Tim C (15259)

        In the US perhaps; I've never heard the term here in the UK - not that I talk about caterpillars very often of course...

        • by SnowZero (92219)

          According to wikipedia, they are the caterpillar form of the geometer moth [wikipedia.org], which are commonly called loopers, spanworms, or inchworms. There are apparently 300 varieties in the UK and over 1200 in North America, so it seems to be pretty common both places.

        • The big hungry inchworm wouldn't have sold nearly so well.

        • by nospam007 (722110) *

          In the US perhaps; I've never heard the term here in the UK.

          You got metric, it's the common 2,54cm worm.

      • Pff. Give worms an inch and they’ll take a mile.

    • by FooAtWFU (699187)

      Why does the Slashdot section on worms have a picture of a crawling caterpillar?

      Because it's cute and fuzzy, obviously. Also, I like pretty butterflies. ./~ <3

  • NoScript (Score:4, Informative)

    by SlashDPC (931574) on Monday May 31, 2010 @11:29AM (#32407416)

    Thank you NoScript for stopping this for me. I knew it looked "phishy."

    • Re:NoScript (Score:5, Informative)

      by bwcbwc (601780) on Monday May 31, 2010 @11:46AM (#32407606)

      Better yet, use NoScript's ABE facility to block any non-Facebook web page from loading a Facebook page or API. From http://noscript.net/abe/ [noscript.net] :

      # This one allows Facebook scripts and objects to be included only
      # from Facebook pages
      Site .facebook.com .fbcdn.net
      Accept from .facebook .fbcdn.net
      Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

      • Re:NoScript (Score:4, Interesting)

        by Anonymous Coward on Monday May 31, 2010 @11:53AM (#32407682)

        Here's the line from my unbound.conf that solves all Facebook related problems for me:
        local-zone: "facebook.com." static
        followed by no local-data lines.
        I see "address not found" error messages on lots of web pages: Facebook iframes are freaking everywhere. No more.

      • by asdf7890 (1518587)
        I've just tried this with the latest NoScript in an otherwise default configuration, and it seems stop facebook itself from operating (which depending on your opinion of such things, may or may not be a bad result!).
        • by sdstuart (1125031)
          The .com was left off in the "Accept from" list. Try this version with it added, it works for me. # This one allows Facebook scripts and objects to be included only # from Facebook pages Site .facebook.com .fbcdn.net Accept from .facebook.com .fbcdn.net Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
      • Re: (Score:3, Informative)

        by smcn (87571)

        A similar technique for Privoxy users can be found here: http://bmearns.net/wwk/view/Privoxy [bmearns.net]

        By default it only stops cookies. At the bottom of the page it is explained how to block all Facebook access from third party sites.

      • Thanks, I’ll be blocking those domains in AdBlock now...

        facebook.com$third-party,domain=~fbcdn.net
        fbcdn.net$third-party,domain=~facebook.com

        That should ensure that content from both domains will work together on the Facebook site itself... I’ll have to wait until I get home to actually test them, though.

        (I knew facebook.com obviously but I also knew there was a 2nd domain that I didn’t remember off the top of my head.)

        Oh, and here’s a freebie (it got used on this page, in fact):

        #a(hr

        • Strike that, seems that these are the required filters. The ones I posted earlier don’t seem to do anything.

          ||facebook.com^$third-party,domain=~fbcdn.net
          ||fbcdn.net^$third-party,domain=~facebook.com

    • NoScript rocks. Being using it for a long time and will be for time to come
    • Re: (Score:3, Interesting)

      by snl2587 (1177409)

      Reason #1 why I refuse to switch to Chrome.

      • About that...

  • Advice (Score:3, Insightful)

    by whisper_jeff (680366) on Monday May 31, 2010 @11:31AM (#32407444)

    Graham Cluley ... offers advice on how to clean up affected Facebook profiles

    Here. I'll offer the simplest advice you can get: Stop clicking on stupid shit.

    Just by doing that, internet/computer security would be vastly improved. Once all of our moms and computer-illiterate uncles learn that one little gem, we'll be a long ways towards solving most of the computer-related security issues. Of course there are steps after that to really nail down security but, until people stop clicking on stupid shit, we're fighting a losing battle.

    • Re: (Score:3, Funny)

      by gEvil (beta) (945888)
      Here. I'll offer the simplest advice you can get: Stop clicking on stupid shit.

      I can't wait till a link from the Idle section turns out to be serving up malware...
      • Does anyone read idle? There was a thing telling me idle was a complete waste of time and not to go there on the front page, so I opened up the preferences thing and made sure it didn't appear on the front page for me. Made Slashdot a lot better...
        • In case you haven't noticed, the editors are fond of sneaking Idle articles into the other sections... samzenpus, especially.

      • by corbettw (214229)

        That would be redundant as Idle is, itself, malware.

    • by QBasicer (781745)
      Or rather become rather grumpy and not 'like' anything, or anybody.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      The thing about click jacking is you don't have to click on stupid shit. You could be clicking on something entirely legitimate, or so you think.

    • by Krneki (1192201)
      Curiosity kills the cat.

      P.S: Do we have to remind people that this shit work only on M$ platform?
    • Re:Advice (Score:5, Insightful)

      by bfields (66644) on Monday May 31, 2010 @11:43AM (#32407562) Homepage

      Here. I'll offer the simplest advice you can get: Stop clicking on stupid shit.

      Just by doing that, internet/computer security would be vastly improved.

      Eh. The scammers use "stupid shit" as the bait because that's what works. If "intelligent shit" started attracted the most clicks, they'd start using that instead.

      Once a single mouse click on an infected link is enough to propagate the link, it's already game over--the choice of bait is a detail.

      • Re:Advice (Score:5, Insightful)

        by WrongSizeGlass (838941) on Monday May 31, 2010 @11:53AM (#32407684)

        Eh. The scammers use "stupid shit" as the bait because that's what works. If "intelligent shit" started attracted the most clicks, they'd start using that instead.

        You mean "This New Intel CPU Has A Great New Hologram! Check It Out!" won't work?

      • Re:Advice (Score:5, Funny)

        by vlm (69642) on Monday May 31, 2010 @12:06PM (#32407804)

        Eh. The scammers use "stupid shit" as the bait because that's what works. If "intelligent shit" started attracted the most clicks, they'd start using that instead.

        OK I'm all confused now. Just answer the question, is "Why Apple Is So Sticky" safe to click on or not?

      • by Vexorian (959249)
        Are you aware of any IQ tests mine could take?
    • Here. I'll offer the simplest advice you can get: Stop clicking on stupid shit.

      Eh. From what I see, most people are on FB precisely because of it - people seem to like clicking on stupid shit.

    • Stop clicking on stupid shit.

      Absolutely. Don't click here [facebook.com]

    • Re:Advice (Score:5, Insightful)

      by Phroggy (441) <slashdot3@nOSPam.phroggy.com> on Monday May 31, 2010 @12:19PM (#32407926) Homepage

      Sometimes, stupid things are funny. I don't live in a bubble, and if my friends think something stupid is funny or interesting, I want to see it, because I care about what my friends think and because I find value in sharing an experience and because it might actually be worth my time.

      I don't have to use Facebook, but it's how a lot of my friends choose to communicate, and my social life is healthier because of it. Many of them aren't geographically close enough to see them in person often, and those that are don't always have a compatible schedule, so Facebook allows me to stay in contact with people I wouldn't otherwise be able to (indeed, I've reconnected with people on Facebook that I haven't seen in over a decade, who are on the other side of the globe).

      I think it's reasonable to expect that when I click a link to a web page, nothing bad should happen to me. In fact, nothing did happen - I'm not sure if that's because Facebook has already blocked this, or my browser has built-in security measures in place to prevent it, or (more likely) the exploit failed due to some bug or incompatibility. I looked at the HTML, saw what it was trying to do, saw that it was malicious, and went no further. That's how I WANT things to work.

      • > I think it's reasonable to expect that when I click a link to a web page,
        > nothing bad should happen to me.

        Why not shorten that to "I think it's reasonable to expect that nothing bad should happen to me"?

      • by antdude (79039)

        Can't you use e-mails, IMs, IRC, etc. instead? I was on Facebook, but was kicked off for using fake datas. I did NOT want Facebook to have my real datas.

        • by Phroggy (441)

          Can't you use e-mails, IMs, IRC, etc. instead?

          No, because many of my friends won't use them.

          • by antdude (79039)

            That sucks. Not even IMs and e-mails -- two common Internet things. Wow. :(

            • by Phroggy (441)

              That sucks. Not even IMs and e-mails -- two common Internet things. Wow. :(

              Some do use IM, which is fine if they happen to be online at precisely the same moment I am. And they generally can all receive e-mail, but they wouldn't send me e-mail for anything that wasn't really important; for just generally staying in touch it's not the medium of choice.

              I know, it seems crazy, because e-mail is such a huge part of our lives, but the unenlightened see things differently.

      • I think it's reasonable to expect that when I click a link to a web page, nothing bad should happen to me.

        It partially depends on what your idea of “bad” is. A line gets posted to your news feed saying that you “like” something. That could be mildly embarrassing but it’s not bad to the same degree as getting your computer rooted or stepping off the curb and getting hit by a truck.

  • I encountered this on Facebook a few minutes before seeing it on Slashdot. I'm not sure why, but it didn't work for me. Does Safari have any sort of built-in protections against this sort of thing? Or has Facebook blocked it already? Or did it just not work due to a bug somewhere?

    • Does Safari have any sort of built-in protections against this sort of thing?

      It's not MS IE?

    • I saw it too, and same thing. Safari wouldn't do anything with the click. But I'm running Safari Ad Block, Flash Block, and a couple other plug ins that may have stopped it.

    • by Firehed (942385)

      It definitely works in Safari, though it's possible that Facebook has blocked the problem links. That said, check your "my profile" page as it doesn't show up the homepage feed.

  • by Anonymous Coward

    This has been going on for weeks, I received three at least two weeks ago. It wasnt that hard to realize it was malicious; my sister doesnt tend to care about how other women eat bananas

    • Re: (Score:2, Interesting)

      by twidarkling (1537077)

      I figured it was probably malicious, but it was from a friend who's usually on the up-and-up, so I jacked up my security temporarily, and clicked. When I got the big white page with "click to continue," yeah, that's confirmation. Not a single one of those is in any way legit. Ever.

  • Fix is right here (Score:4, Informative)

    by vlm (69642) on Monday May 31, 2010 @12:02PM (#32407758)

    and offers advice on how to clean up affected Facebook profiles.

    No problemo, just click right here:

    http://www.facebook.com/group.php?gid=16929680703 [facebook.com]

    The title is "How to permanently delete your facebook account." Or, is it?

  • I got hit by this a few weeks ago, there was a similar 'Bet You Don't See...' item to Like. I had the impression it was going to be like the basketball/gorilla video, but it automatically invited all my friends, etc..there was no way (i could see) to not do it once you were sucked in.

    I 'reported' it (although the Facebook 'report' button is entirely inadequate for this), and encouraged the friend i got this from to as well..

    Why is this only coming up now? When i hit that page, it had already sucked in nearl

    • If something requires you to “like” it before you’ve even seen it, you should already not like it even one bit...

      P.S.
      This applies to real life in general, not just stupid Facebook pages.

      • I didn't... It got me to paste a URL into my browser (which of course i was suspect of, but d'uh..but it was rather sneaky about it, and i was tired at the time), and then it did its thing.

        I didn't actually ever click 'like', which is part of the problem...and that this is only getting attention now.

  • I saw a lot of my friends get hit by something just like it, including a rick-roll. Every one of them said they didn't click "like" on the rick-roll site, but it showed up as a like on facebook anyway. Who wouldn't be curious enough to want to click on a "FriendX likes you. [example.com]" link? Thankfully I have a habit of checking the URLs on unusual facebook links. The strange part was there were many different URLs for the "you", so it looked like a "distributed" attack (FB couldn't just search for one URL).
  • by dasunst3r (947970) on Monday May 31, 2010 @12:33PM (#32408058) Homepage

    Out of curiosity, I opened the link in a separate browser without my Facebook login. It would then try to do a "security check" in which you have to answer a survey to prove that you're human. Being the smart Slashdotters we are, we know Captchas are how it's done. The main take-away: (1) Hover, look, and think before you click and (2) If the link goes outside Facebook, it is SPAM and should be reported.

  • While opening a bunch of feed items (including this one) which included several different websites, I was prompted to download "like.php" which is a kind of thing that happens when websites set bad headers...

    None of my tabs failed to load, so I'm guessing this came from a rogue advert (?)

    I don't have a facebook account though, so I'm not worried.

  • They could have combined it with the "history stealing" exploit [asp.net], registered domains bananas.com [slashdot.org] and peaches.com [slashdot.org], and picked for each victim the "appropriate" site to like.
  • It is also worth pointing out another Facebook exploit which allows a page to 'run' Javascript on a Facebook page. It prompts the user to perform certain actions which copy-and-paste a 'javascript:' style URL to the address bar, and to click Enter to execute the Javascript. This also has the potential to spread fast by sharing it with all of your friends. See http://infinity-infinity.com/2010/05/facebook-exploit-social-engineering-javascript-injection/ [infinity-infinity.com].
  • To solve problems like this. No matter what Mark Z decides to Zuckerpunch my privacy settings into tomorrow or the next time he secretly changes them, or not matter what bullshit he opts me into, the rest of my webbrowsing (slashdot and wikipedia) will remain separate from FB's braindead "features".

    I already removed almost all my personal info of course, but facebook is simply too big to close completely. It would close off a useful service. Again, it's not that I object to FB trying to make a profit to sup

  • No more bees? (Score:1, Offtopic)

    by YrWrstNtmr (564987)
    Cellphone use gets rid of bees? Sweet! I have a couple of ground hives in the yard that need to go.

    The most common suggestion I've gotten - gasoline....:(
  • If you hover first over the web page, you can see what is clickable and what is not, if the whole webpage looks like one big url link to be clicked, then flag goes up in MY head...so don't click, but i think with javascript there are ways to even eliminate the hover click icon for x, y position and make it avalable only between the points....i may be wrong though, my javascript is a bit rusty....i think it was a x , y point element you had to set....anyhow...still gives you a heads up if there was no real c

    • Yes, it’s the cursor CSS style and you don’t really need Javascript unless you want to change it dynamically (i.e. change it to a hand inside a box region while making it a default pointer everywhere else).

      However your rule of “if the whole webpage looks like one big url link to be clicked, then flag goes up in MY head” is rather inadequate because they could just as easily make the sticky iframe only follow your mouse when it’s inside the box region that would normally corresp

You are an insult to my intelligence! I demand that you log off immediately.

Working...