Clickjacking Worm Exploits Facebook "Like" Feature
An anonymous reader writes "For the last 24 hours, a series of attacks have exploited Facebook's 'Like' feature through a clickjacking vulnerability. Using subjects such as 'This Girl Has An Interesting Way Of Eating A Banana, Check It Out!', hackers have spread an attack that links to web pages that use invisible iFrames to trick users into saying they like the content. Users are presented with an innocent-seeming web page that says 'Click here to continue,' but clicking at any point on the page publishes the same message to their own Facebook page. Security blogger Graham Cluley says that hundreds of thousands of Facebook users have been hit, and offers advice on how to clean up affected Facebook profiles."
Link? (Score:5, Funny)
I hate posts without proper links...
So, who will post the direct link to the girl with an interesting way of eating a banana?
Re:Link? (Score:4, Informative)
http://www.mprosperstats.info/bananalike/index.htm?ref=search&sid=dpf-GrMT3GTEEuQTlotyMg.3788977952..1
Re: (Score:2)
So is there a safe link to the banana-eating girl pic? Just asking as a public service since it seems a lot of people want to see it.
Re: (Score:2, Informative)
Probably NSFW depending how up tight your boss is:
http://www.youtube.com/watch?v=It7cHFyms0Q [youtube.com]
Re: (Score:1)
404
Re: (Score:3, Interesting)
I know because I tried clicking on it
Reminds me of this bash.org quote. [bash.org]
Re: (Score:3, Informative)
Reminds me of this bash.org quote.
That's a great quote, so I kind of feel like a bastard for spoiling it, but... P2P programs generally recognise identical files by their hash value; so if the guy simply renamed some files that were already out there under their original name, they'd have used his copy for certain parts, even if people didn't search under it for that name.
Re: (Score:1)
So...
Couldn't one just find out the hash values of the pieces of the files they are downloading and generate random data until the hash value matches?
Slow, yes.
Generating a movie randomly? Priceless..
Re: (Score:2)
No the banana is real I assure you; the girl is the lie.
Re: (Score:1, Funny)
I will. Here it is. [glumbert.com]
That video's got to be at least 3 years old, and I'm still impressed.
I was afraid to click the link... (Score:3, Funny)
Re: (Score:3, Informative)
Flea of Pain like this.
caterpillar (Score:4, Insightful)
Why does the Slashdot section on worms have a picture of a crawling caterpillar?
Re:caterpillar (Score:5, Funny)
Why does the Slashdot section on worms have a picture of a crawling caterpillar?
They do it just to bug people ;-)
Re: (Score:2, Informative)
If it helps, those are often called inchworms.
Re: (Score:2)
In the US perhaps; I've never heard the term here in the UK - not that I talk about caterpillars very often of course...
Re: (Score:2)
According to wikipedia, they are the caterpillar form of the geometer moth [wikipedia.org], which are commonly called loopers, spanworms, or inchworms. There are apparently 300 varieties in the UK and over 1200 in North America, so it seems to be pretty common both places.
Re: (Score:2)
The big hungry inchworm wouldn't have sold nearly so well.
Re: (Score:2)
In the US perhaps; I've never heard the term here in the UK.
You got metric, it's the common 2,54cm worm.
Re: (Score:2)
Pff. Give worms an inch and they’ll take a mile.
Re: (Score:2)
Because it's cute and fuzzy, obviously. Also, I like pretty butterflies. ./~ <3
NoScript (Score:4, Informative)
Thank you NoScript for stopping this for me. I knew it looked "phishy."
Re:NoScript (Score:5, Informative)
Better yet, use NoScript's ABE facility to block any non-Facebook web page from loading a Facebook page or API. From http://noscript.net/abe/ [noscript.net] :
# This one allows Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
Re:NoScript (Score:4, Interesting)
Here's the line from my unbound.conf that solves all Facebook related problems for me:
local-zone: "facebook.com." static
followed by no local-data lines.
I see "address not found" error messages on lots of web pages: Facebook iframes are freaking everywhere. No more.
Re: (Score:3, Informative)
A similar technique for Privoxy users can be found here: http://bmearns.net/wwk/view/Privoxy [bmearns.net]
By default it only stops cookies. At the bottom of the page it is explained how to block all Facebook access from third party sites.
Re: (Score:2)
Thanks, I’ll be blocking those domains in AdBlock now...
facebook.com$third-party,domain=~fbcdn.net
fbcdn.net$third-party,domain=~facebook.com
That should ensure that content from both domains will work together on the Facebook site itself... I’ll have to wait until I get home to actually test them, though.
(I knew facebook.com obviously but I also knew there was a 2nd domain that I didn’t remember off the top of my head.)
Oh, and here’s a freebie (it got used on this page, in fact):
#a(hr
Re: (Score:2)
Strike that, seems that these are the required filters. The ones I posted earlier don’t seem to do anything.
||facebook.com^$third-party,domain=~fbcdn.net
||fbcdn.net^$third-party,domain=~facebook.com
Re: (Score:3, Interesting)
Reason #1 why I refuse to switch to Chrome.
Re: (Score:2)
About that...
Re: (Score:2)
Not in a way that isn't a complete pain in the ass for frequent surfing. Plus, it doesn't support deep control or even come close to preventing click-jacking on pages you allow.
Re: (Score:2)
Deep control is totally unnecessary and only highly slows down page rendering times.
Interesting that you seem to know exactly what my needs are. The primary reason I use NoScript is to block JavaScript beyond page-level. The Chrome feature you're referencing is far too heavy-handed for my needs.
So going back to the original statement, I'll gladly continue to use Firefox for surfing while I'll keep using Chrome as part of my development toolset.
Advice (Score:3, Insightful)
Graham Cluley ... offers advice on how to clean up affected Facebook profiles
Here. I'll offer the simplest advice you can get: Stop clicking on stupid shit.
Just by doing that, internet/computer security would be vastly improved. Once all of our moms and computer-illiterate uncles learn that one little gem, we'll be a long ways towards solving most of the computer-related security issues. Of course there are steps after that to really nail down security but, until people stop clicking on stupid shit, we're fighting a losing battle.
Re: (Score:3, Funny)
I can't wait till a link from the Idle section turns out to be serving up malware...
Re: (Score:2)
In case you haven't noticed, the editors are fond of sneaking Idle articles into the other sections... samzenpus, especially.
Re: (Score:2)
That would be redundant as Idle is, itself, malware.
Re: (Score:3, Insightful)
The thing about click jacking is you don't have to click on stupid shit. You could be clicking on something entirely legitimate, or so you think.
Re: (Score:1)
P.S.: Do we have to remind people that this shit works only on the M$ platform?
Re:Advice (Score:4, Interesting)
"P.S.: Do we have to remind people that this shit works only on the M$ platform?"
iFrame malware isn't *JUST* a Windows issue. Think harder next time.
Re:Advice (Score:5, Insightful)
Here. I'll offer the simplest advice you can get: Stop clicking on stupid shit.
Just by doing that, internet/computer security would be vastly improved.
Eh. The scammers use "stupid shit" as the bait because that's what works. If "intelligent shit" started attracting the most clicks, they'd start using that instead.
Once a single mouse click on an infected link is enough to propagate the link, it's already game over--the choice of bait is a detail.
Re:Advice (Score:5, Insightful)
Eh. The scammers use "stupid shit" as the bait because that's what works. If "intelligent shit" started attracting the most clicks, they'd start using that instead.
You mean "This New Intel CPU Has A Great New Hologram! Check It Out!" won't work?
Re:Advice (Score:5, Funny)
Eh. The scammers use "stupid shit" as the bait because that's what works. If "intelligent shit" started attracting the most clicks, they'd start using that instead.
OK I'm all confused now. Just answer the question, is "Why Apple Is So Sticky" safe to click on or not?
Re: (Score:2)
It's Juicy.
Re: (Score:2)
Not while you’re at work.
Re: (Score:2)
Eh. The scammers use "stupid shit" as the bait because that's what works. If "intelligent shit" started attracting the most clicks, they'd start using that instead.
It is, however, much, much harder to create intelligent shit than stupid shit. Which is not to say it's particularly hard to create mildly intelligent shit, it's just so damn easy to create stupid shit these days. Five seconds of randomly reading Facebook will show you what I mean.
s/Facebook/\/./
FTFY
Re: (Score:1)
Here. I'll offer the simplest advice you can get: Stop clicking on stupid shit.
Eh. From what I see, most people are on FB precisely because of it - people seem to like clicking on stupid shit.
Re: (Score:1)
Stop clicking on stupid shit.
Absolutely. Don't click here [facebook.com]
Re:Advice (Score:5, Insightful)
Sometimes, stupid things are funny. I don't live in a bubble, and if my friends think something stupid is funny or interesting, I want to see it, because I care about what my friends think and because I find value in sharing an experience and because it might actually be worth my time.
I don't have to use Facebook, but it's how a lot of my friends choose to communicate, and my social life is healthier because of it. Many of them aren't geographically close enough to see them in person often, and those that are don't always have a compatible schedule, so Facebook allows me to stay in contact with people I wouldn't otherwise be able to (indeed, I've reconnected with people on Facebook that I haven't seen in over a decade, who are on the other side of the globe).
I think it's reasonable to expect that when I click a link to a web page, nothing bad should happen to me. In fact, nothing did happen - I'm not sure if that's because Facebook has already blocked this, or my browser has built-in security measures in place to prevent it, or (more likely) the exploit failed due to some bug or incompatibility. I looked at the HTML, saw what it was trying to do, saw that it was malicious, and went no further. That's how I WANT things to work.
Re: (Score:2)
> I think it's reasonable to expect that when I click a link to a web page,
> nothing bad should happen to me.
Why not shorten that to "I think it's reasonable to expect that nothing bad should happen to me"?
Re: (Score:2)
Can't you use e-mails, IMs, IRC, etc. instead? I was on Facebook, but was kicked off for using fake data. I did NOT want Facebook to have my real data.
Re: (Score:2)
Can't you use e-mails, IMs, IRC, etc. instead?
No, because many of my friends won't use them.
Re: (Score:2)
That sucks. Not even IMs and e-mails -- two common Internet things. Wow. :(
Re: (Score:2)
That sucks. Not even IMs and e-mails -- two common Internet things. Wow. :(
Some do use IM, which is fine if they happen to be online at precisely the same moment I am. And they generally can all receive e-mail, but they wouldn't send me e-mail for anything that wasn't really important; for just generally staying in touch it's not the medium of choice.
I know, it seems crazy, because e-mail is such a huge part of our lives, but the unenlightened see things differently.
Re: (Score:2)
I think it's reasonable to expect that when I click a link to a web page, nothing bad should happen to me.
It partially depends on what your idea of “bad” is. A line gets posted to your news feed saying that you “like” something. That could be mildly embarrassing but it’s not bad to the same degree as getting your computer rooted or stepping off the curb and getting hit by a truck.
Didn't work for me (Score:2)
I encountered this on Facebook a few minutes before seeing it on Slashdot. I'm not sure why, but it didn't work for me. Does Safari have any sort of built-in protections against this sort of thing? Or has Facebook blocked it already? Or did it just not work due to a bug somewhere?
Re: (Score:2)
Does Safari have any sort of built-in protections against this sort of thing?
It's not MS IE?
Re: (Score:2)
I saw it too, and same thing. Safari wouldn't do anything with the click. But I'm running Safari Ad Block, Flash Block, and a couple other plug ins that may have stopped it.
Re: (Score:2)
It definitely works in Safari, though it's possible that Facebook has blocked the problem links. That said, check your "my profile" page as it doesn't show up the homepage feed.
Interesting, but... (Score:1, Funny)
This has been going on for weeks; I received at least three two weeks ago. It wasn't that hard to realize it was malicious; my sister doesn't tend to care about how other women eat bananas.
Re: (Score:2, Interesting)
I figured it was probably malicious, but it was from a friend who's usually on the up-and-up, so I jacked up my security temporarily, and clicked. When I got the big white page with "click to continue," yeah, that's confirmation. Not a single one of those is in any way legit. Ever.
Re: (Score:2)
The only reason it doesn't happen more often is that stupidity-exploiting malice seems to be supply limited at this time.
Fix is right here (Score:4, Informative)
and offers advice on how to clean up affected Facebook profiles.
No problemo, just click right here:
http://www.facebook.com/group.php?gid=16929680703 [facebook.com]
The title is "How to permanently delete your facebook account." Or, is it?
Related (Score:2)
If you think that'll work, you might want a look at this...
http://www.theonion.com/articles/entire-facebook-staff-laughs-as-man-tightens-priva,17508/ [theonion.com]
New? (Score:1)
I got hit by this a few weeks ago; there was a similar 'Bet You Don't See...' item to Like. I had the impression it was going to be like the basketball/gorilla video, but it automatically invited all my friends, etc. There was no way (I could see) to not do it once you were sucked in.
I 'reported' it (although the Facebook 'report' button is entirely inadequate for this), and encouraged the friend I got this from to as well.
Why is this only coming up now? When I hit that page, it had already sucked in nearl
Re: (Score:2)
If something requires you to “like” it before you’ve even seen it, you should already not like it even one bit...
P.S.
This applies to real life in general, not just stupid Facebook pages.
Re: (Score:1)
I didn't... It got me to paste a URL into my browser (which of course I was suspect of, but d'uh.. but it was rather sneaky about it, and I was tired at the time), and then it did its thing.
I didn't actually ever click 'like', which is part of the problem...and that this is only getting attention now.
Culture20 likes you. (Score:2)
Yep, saw it last night. (Score:3, Informative)
Out of curiosity, I opened the link in a separate browser without my Facebook login. It would then try to do a "security check" in which you have to answer a survey to prove that you're human. Being the smart Slashdotters we are, we know Captchas are how it's done. The main take-away: (1) Hover, look, and think before you click and (2) If the link goes outside Facebook, it is SPAM and should be reported.
I think I just got targeted from an ad. (Score:1)
While opening a bunch of feed items (including this one) which included several different websites, I was prompted to download "like.php" which is a kind of thing that happens when websites set bad headers...
None of my tabs failed to load, so I'm guessing this came from a rogue advert (?)
I don't have a facebook account though, so I'm not worried.
Could have been worse... (Score:2)
Related exploit (Score:1)
This is why I have a separate FF profile for FB (Score:2)
To solve problems like this. No matter what Mark Z decides to Zuckerpunch my privacy settings into tomorrow or the next time he secretly changes them, or no matter what bullshit he opts me into, the rest of my web browsing (slashdot and wikipedia) will remain separate from FB's braindead "features".
I already removed almost all my personal info of course, but facebook is simply too big to close completely. It would close off a useful service. Again, it's not that I object to FB trying to make a profit to sup
No more bees? (Score:1, Offtopic)
The most common suggestion I've gotten - gasoline....:(
I usually.... (Score:2)
If you hover first over the web page, you can see what is clickable and what is not; if the whole webpage looks like one big url link to be clicked, then a flag goes up in MY head... so don't click, but I think with javascript there are ways to even eliminate the hover click icon for x, y position and make it available only between the points... I may be wrong though, my javascript is a bit rusty... I think it was an x, y point element you had to set... anyhow... still gives you a heads up if there was no real c
Re: (Score:2)
Yes, it’s the cursor CSS style and you don’t really need Javascript unless you want to change it dynamically (i.e. change it to a hand inside a box region while making it a default pointer everywhere else).
However, your rule of “if the whole webpage looks like one big url link to be clicked, then flag goes up in MY head” is rather inadequate because they could just as easily make the sticky iframe only follow your mouse when it’s inside the box region that would normally corresp
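A defender-side check for the trick described in the story summary and in this comment (a transparent frame over the whole page, or a small frame dragged along under the pointer), as an added example that is not code from the thread, NoScript or Facebook; the descriptor shape, the thresholds and the sample frames are my assumptions:

```javascript
// Added example (not code from the thread, NoScript or Facebook): flags
// <iframe>s styled like the invisible click traps the story describes, a
// transparent frame over "click here to continue" or a small frame kept
// under the pointer. Descriptors are plain objects so this runs in Node; a
// browser caller would fill them from getComputedStyle()/getBoundingClientRect().
function overlayReasons(frame, page) {
  const reasons = [];
  const s = frame.style;
  const [first, ...later] = frame.rectSamples;
  // 1. Effectively invisible to the user.
  if (Number(s.opacity) < 0.1) reasons.push('near-zero opacity');
  if (s.visibility === 'hidden') reasons.push('visibility hidden');
  // 2. Layered above the page, out of normal flow.
  if ((s.position === 'absolute' || s.position === 'fixed') &&
      Number(s.zIndex) >= 1000) reasons.push('high z-index overlay');
  // 3. Blankets the viewport ...
  if (first.width * first.height >= 0.9 * page.width * page.height) {
    reasons.push('covers viewport');
  }
  // 4. ... or moved between samples with no scroll: dragged under the pointer.
  if (later.some(r => r.x !== first.x || r.y !== first.y)) {
    reasons.push('re-positioned under pointer');
  }
  // 5. Loads a third-party document, which is where the real button lives.
  let origin = null;
  try { origin = new URL(frame.src).origin; } catch (e) { /* empty or relative src */ }
  if (origin && origin !== page.origin) reasons.push('third-party document');
  return reasons;
}
// Hidden AND positioned to intercept clicks meant for the visible page.
function isClickjackOverlay(frame, page) {
  const r = overlayReasons(frame, page);
  const hidden = r.includes('near-zero opacity') || r.includes('visibility hidden');
  const intercepts = r.includes('high z-index overlay') &&
    (r.includes('covers viewport') || r.includes('re-positioned under pointer'));
  return hidden && intercepts;
}

// Constructed samples, not captured from the real attack page.
const PAGE = { origin: 'https://example.test', width: 1280, height: 800 };
const rect = (x, y, width, height) => ({ x, y, width, height });
// Ordinary embedded video: visible, static, normal stacking.
const embeddedVideo = {
  src: 'https://www.youtube.com/embed/constructed-id',
  style: { opacity: '1', visibility: 'visible', position: 'static', zIndex: 'auto' },
  rectSamples: [rect(100, 300, 560, 315), rect(100, 300, 560, 315)],
};
// The "click here to continue" trap: transparent frame over the whole page.
const fullPageTrap = {
  src: 'https://www.facebook.com/plugins/like.php?href=constructed-target',
  style: { opacity: '0', visibility: 'visible', position: 'absolute', zIndex: '9999' },
  rectSamples: [rect(0, 0, 1280, 800), rect(0, 0, 1280, 800)],
};
// The sticky variant: a tiny frame that follows the mouse.
const stickyTrap = {
  src: 'https://www.facebook.com/plugins/like.php?href=constructed-target',
  style: { opacity: '0.01', visibility: 'visible', position: 'fixed', zIndex: '2147483647' },
  rectSamples: [rect(410, 220, 50, 20), rect(640, 380, 50, 20)],
};
```

Sampling the rects at two or three pointer positions is what separates the sticky variant from a legitimately positioned widget; a single snapshot cannot tell them apart.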
Re:StoneLion (Score:4, Interesting)
If you click on his name, it shows he's one of those social media guys. "Slight" would be an understatement, and understandably - it's his job.
Plus, Facebook is in the news for its privacy screw-ups. They have less than 3 months left in their deal with the Canadian government to bring their site into compliance with Canadian law (which is what got the whole "Facebook has a privacy problem" thing going 9 months ago, and got other governments to then launch similar probes).
Re: (Score:2)
It's not that simple. Several European countries have followed our lead, and if Facebook doesn't comply, they face sanctions - and as we've seen in the news lately, that includes having their plug pulled in various countries, which certainly will affect both their revenue and their valuation.
What's Facebook worth if Canada, Europe, and chunks of South America all pull the plug? Way less than half, because the "network effect" cuts both ways.
It opens the doors for competitors that have better privacy p
Re:8===D O: == Muhammad (Score:4, Insightful)
There's something everyone can do to fix it for themselves, though: log off when you're done using Facebook. Of course, that makes it harder to tell your little friends about how you "heart" (sorry, Like) various things.
Re: (Score:3, Insightful)
Much simpler to abandon security-plagued Facebook, the Windows 98 of social networking sites (myspace would be the Windows 95 equivalent).
Re: (Score:2)
and replace it with ... ?
Re: (Score:2)
I want to know what domain to AdBlock on 3rd-party websites to block this sort of thing for good. Basically I want to disable all of Facebook’s javascripts that 3rd-party sites are trying to embed. If somebody knows off the top of their head, it’d be very helpful... but if not I guess I’ll have to figure it out myself. I’m not going to install NoScript, so don’t bother telling me to do that.
Fuck Facebook and its attempted invasion into every other part of my life. I like Facebo
Re: (Score:2)
He used lowercase HTML! Burn the heretic!
Just kidding.