Researcher Demonstrates Facebook Worm Attack That Spams Your Wall With A Clickjack Bomb

We have all seen it on Facebook -- one of your friends “shares” a link to a new shake that will help you lose ten pounds in two days or a code to get suspiciously discounted Ray-Bans. Thankfully, most of these posts are obviously spam. Unfortunately, hackers are finding more ways to post annoying and potentially dangerous content. One researcher recently discovered a proof-of-concept Facebook worm that posts unwanted spam links.

A Polish security researcher, who goes by the pseudonym “Lasq”, was the first to find the issue. He noted that a number of his Facebook friends appeared to be posting a link to French comic site hosted on a Amazon Web Services (AWS) bucket. Users who clicked on the link were asked in French to verify their age and were then redirected to page with comics and ads. The same link was posted on a user’s Facebook wall after they clicked on it.

facebook smartphone

Lasq did a little digging and discovered that hackers were using a code that exploited the IFrame element of the Facebook mobile sharing dialog. An “IFrame” or “inline frame” is an HTML document embedded inside another HTML document. IFrames are frequently used to directly insert content from one source into another.

Facebook also had not set an X-Frame-Options header for the suspected spam site. An X-Frame-Options header can be used to determine whether a browser should be allowed to render a page. It is generally used to prevent code from being loaded into an IFrame.

Facebook instead allows mobile developers to “open the share dialog in an iframe on top of your website”. A pop-up confirmation was supposed to ask whether the user wanted to share the spam, but in this case it did not. Perhaps the spam’s “age verification” circumvented Facebook’s system. Lasq noted, “as this campaign proved, it is not very effective.”

lasq suspicious iframe code
Suspicious IFrame Code, Image from malfind.com 

Lasq reached out to Facebook, but they refused to patch the issue. Facebook argued that clickjacking, or the ability to hide harmful hyperlinks under seemingly benign content, is only an issue when it fundamentally alters an account. They also insisted that they are continuously improving their “clickjacking detection systems” to help prevent spam.

The proof-of-concept code Lasq found did not necessarily contain clickjacking elements, but could potentially incorporate them. Lasq is fearful that the hackers would do more damage in the future. He noted, “This time it was only exploited to spread spam, but I can easily think of much more sophisticated usage of this technique.”  

Facebook users are frequently a target of spammers and scammers. This past month, a number of websites advertised on Facebook convinced users to purchase cheap merchandise they never received. For example, a $549 Massdrop Vast 35-Inch Curved Gaming Monitor was being advertised for $69.98 USD. At least 300 people reported being defrauded by these scam websites. Facebook argues that they are continuously working to eliminate spam, but you can never be too careful online.