Click-jacking for social networks: Like-jacking
AV vendor Sophos reports on its blog that last weekend several hundred thousand Facebook users fell victim to a click-jacking attack: they inadvertently clicked on a hidden "Like" button embedded in a specially crafted page.
Once the button was clicked, a message (for example "User Noob likes LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE.") was posted to the user's news feed, which is visible to other users. Other users clicking on the news feed link in Facebook also landed on the click-jacking page – Sophos compares the way the link spreads to that of a worm and has, therefore, called the attack a click-jacking worm. A similar attack was launched on Twitter in early 2009.
In the current case, unknown attackers used an invisible iframe to load Facebook's "Like" button on top of another page. Believing that they were clicking on an item on the visible page, users instead clicked on elements in the transparent iframe stacked above it. Sophos recommends that affected users delete the dubious entries from the news feed in their Facebook profiles. The exact purpose of the click-jacking attack remains unclear. In principle, this could be a fast way for criminals to distribute links to specially crafted web pages that infect visitors' computers with trojans.
Such attacks can be prevented by instructing the web server of the page that is to be protected, that is, the page the attacker wants to frame, to send the "X-Frame-Options: DENY" response header to the browser; a browser that understands the header then refuses to display that page inside a frame, visible or not. The caveat is that the header only helps if the browser honours it, and at the moment only very recent browsers such as Internet Explorer 8, Safari 4 or Chrome 2 do so; Firefox is scheduled to offer this functionality in a future version. It also cannot simply be applied to a widget such as the "Like" button, which is designed to be embedded in third-party pages: denying all framing would break its legitimate use as well.
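The following is an added example, not code from The H, Sophos or Facebook. It models both halves of the story in one place: the transparent-iframe overlay that the attack described above relies on, and how a browser that understands X-Frame-Options decides whether to render a framed page. All URLs, origins and the bait text are invented for the demo; the overlay coordinates are arbitrary.

```javascript
// Minimal HTML attribute escaping so a demo URL cannot break out of src="...".
function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Attacker side: the page the victim actually sees. The iframe is fully
// transparent (opacity:0) and stacked above the bait text (z-index), so a click
// on the bait lands on whatever button the framed page shows at that spot.
// `framedUrl` stands in for the URL of a page carrying the "Like" button.
function clickjackMarkup(framedUrl, baitText) {
  return [
    '<!doctype html><html><body>',
    `<p style="position:absolute;top:120px;left:100px">${escapeAttr(baitText)}</p>`,
    `<iframe src="${escapeAttr(framedUrl)}" style="position:absolute;top:110px;left:90px;`,
    '  width:120px;height:40px;opacity:0;border:0;z-index:2"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Browser side: given the X-Frame-Options value the framed response carried,
// the origin of that response and the origin of the top-level document,
// decide whether the frame is rendered. DENY blocks every frame; SAMEORIGIN
// blocks only cross-origin framing. A missing or unrecognised value means
// "no policy", which is also what a browser without support (Firefox at the
// time of the article) effectively does.
function frameAllowed(xfo, framedOrigin, topOrigin) {
  const value = (xfo || '').trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return framedOrigin === topOrigin;
  return true;
}

// Defender side: the response headers the protected page's server should send.
// Only the two values the browsers of the day understand are accepted here.
function frameHeaders(policy) {
  if (policy !== 'DENY' && policy !== 'SAMEORIGIN') {
    throw new Error('unsupported X-Frame-Options value: ' + policy);
  }
  return { 'Content-Type': 'text/html; charset=utf-8', 'X-Frame-Options': policy };
}

// Fallback for browsers that ignore the header: a frame-busting script placed
// in the protected page. It is weaker than the header, since a hostile parent
// page can interfere with the navigation, so it complements rather than
// replaces X-Frame-Options.
function frameBustingScript() {
  return '<script>if (window.top !== window.self) { window.top.location = window.self.location; }</script>';
}

// Walk through the scenario: a page on evil.example (assumed attacker origin)
// frames the protected page on social.example (assumed target origin).
// Returns true when the framed button would be rendered, i.e. the click can
// be hijacked.
function attackSucceeds(policy) {
  const headers = policy ? frameHeaders(policy) : {};
  return frameAllowed(headers['X-Frame-Options'], 'https://social.example', 'https://evil.example');
}

// attackSucceeds(null)          -> true   (no header: framing allowed)
// attackSucceeds('DENY')        -> false
// attackSucceeds('SAMEORIGIN')  -> false  (cross-origin parent)
```

To see the overlay itself, write `clickjackMarkup('https://social.example/like', 'Play video')` to a file and open it in a browser: the bait text is visible, the framed region is not, and the two overlap. Note that `frameAllowed` models what a compliant browser does; the protection is only as good as the browser's support, which is the point the article makes about Firefox.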
- Clickjacking 2.0 with drag & drop, a report from The H.
- Clickjacking problem in browsers persists, a report from The H.