In association with heise online

02 June 2010, 17:44

Click-jacking for social networks: Like-jacking

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

AV vendor Sophos reports in their blog that last weekend several hundred thousand Facebook users fell victim to a click-jacking attack by inadvertently clicking on a hidden "Like" button on a specially crafted page.

Once the button was clicked, a message (for example "User Noob likes LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE.") was posted to the user's news feed, which is visible to other users. Other users clicking on the news feed link in Facebook also landed on the click-jacking page – Sophos compares the way the link spreads to that of a worm and has, therefore, called the attack a click-jacking worm. A similar attack was launched on Twitter in early 2009.

In the current case, unknown attackers used an invisible iFrame to load Facebook's "Like" button on top of another page. Believing that they clicked on an item on the visible page, users instead clicked on elements in the transparent iFrame. Sophos recommends that affected users delete the dubious pages from their own news feed in their Facebook profiles. The exact purpose of the click-jacking attack remains unclear. In principle, this could be a fast way for criminals to deploy links to specially crafted web pages that infect visitors' computers with trojans.

The attacks can be prevented by instructing the web server of the trusted page to send the "X-FRAME-OPTIONS:DENY" header to the browser, which prevents (invisible) pages from being displayed in a frame. However, only very recent browsers such as Internet Explorer 8, Safari 4 or Chrome 2 understand this option. Firefox is scheduled to offer this functionality in a future version.

Despite repeated reports that high traffic pages such as, and are now protected against click-jacking, it appears that in practice this isn't the case. Many pages (which are loaded into iFrames) try to use JavaScript to prevent click-jacking attacks. Self protection is available via the NoScript plug-in for Firefox with its ClearClick function.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit