In association with heise online

14 June 2010, 17:41

Facebook worms are spreading freely


[Image: Wherever you click on the page, the iFrame with the button for posting the link is right underneath (not so here at The H ;-).]
A new worm is spreading rapidly via Facebook. The cause is a problem disclosed weeks ago which Facebook seems unable to fix. As a result, there has been another wave of crafted status messages – this time they refer to a web page which allegedly presents the "101 hottest women in the world".

Those who click on the link are directed to a fairly neutral page with a picture of Jessica Alba and the message "Click here to continue". At this point nothing bad has happened; in the background, however, the web page has opened an iFrame which posts the link to Facebook. This works because users are already logged into Facebook when they read their messages. Usually, though, a further click on the "Share" button is also required.

[Image: the resulting status message, "XYZ likes the 101 Hottest Women in the World"]

This button does appear in the iFrame – but it is invisible, and a few lines of script code keep shifting it right underneath the mouse pointer. Wherever users click on the page, their click will confirm the posting of the link. The link then appears in Facebook for everyone to see and take an interest – if only to gloat over the sender having fallen for the exploit.

[Image: Only the sources reveal the tell-tale code.]
The basic problem has been known for several weeks and Facebook has been hit by waves of attacks exploiting the flaw. Those who want to protect themselves can, at least in Firefox, enable the NoScript extension. This extension not only filters out JavaScript, it also detects transparent iFrames and warns of potential "clickjacking attacks". However, false alarms may occasionally be triggered. Users who have accidentally clicked on the link should check their profiles to see whether they are also spreading the infection. Incidentally, the user profile also offers a way of removing the link to prevent further damage.
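As an added illustration, not part of the original article and not NoScript's own code, the following JavaScript shows how a browser-side check could recognise the pattern described above: an iFrame that is effectively transparent and is repositioned so that it stays under the mouse pointer. The thresholds, the frame descriptors and the placeholder URLs are assumed sample data, so the file runs offline in Node.

```javascript
// Added example (not from the article or The H): a defender-side heuristic in the
// spirit of NoScript's transparent-iframe warning. It flags the two traits the
// article describes: the frame is effectively invisible, and it is repositioned
// so that it keeps sitting under the mouse pointer. In an extension the inputs
// would come from getComputedStyle() and mousemove events; here they are constructed.
const OPACITY_LIMIT = 0.1;       // assumed threshold: at or below this, treat the frame as invisible
const FOLLOW_TOLERANCE_PX = 25;  // assumed: frame origin within this distance counts as "under" the pointer
const MIN_FOLLOW_SAMPLES = 3;    // assumed: pointer moves that must all be tracked before we call it following

function isEffectivelyInvisible(style) {
  // opacity 0 still receives clicks, which is what makes it useful for clickjacking
  return Number(style.opacity) <= OPACITY_LIMIT;
}

// samples: one entry per mousemove, recording where the pointer was and where
// the frame ended up after the page's own scripts reacted to that move.
function followsPointer(samples) {
  if (samples.length < MIN_FOLLOW_SAMPLES) return false;
  return samples.every(({ pointer, frame }) =>
    Math.abs(pointer.x - frame.x) <= FOLLOW_TOLERANCE_PX &&
    Math.abs(pointer.y - frame.y) <= FOLLOW_TOLERANCE_PX);
}

function classifyFrame(frame) {
  const reasons = [];
  if (isEffectivelyInvisible(frame.style)) reasons.push('invisible');
  const positioned = frame.style.position === 'absolute' || frame.style.position === 'fixed';
  if (positioned && followsPointer(frame.samples)) reasons.push('follows-pointer');
  // both traits together: block the click; one alone: warn (this is where false alarms come from)
  const level = reasons.length === 2 ? 'block' : reasons.length === 1 ? 'warn' : 'ok';
  return { src: frame.src, level, reasons };
}

// Constructed sample: the pattern from the article beside a benign, static banner frame.
const SAMPLE_FRAMES = [
  { src: 'https://example.invalid/like-button',   // placeholder URL
    style: { opacity: '0', position: 'absolute' },
    samples: [{ pointer: { x: 120, y: 300 }, frame: { x: 110, y: 290 } },
              { pointer: { x: 340, y: 410 }, frame: { x: 330, y: 400 } },
              { pointer: { x: 505, y: 95 }, frame: { x: 495, y: 85 } }] },
  { src: 'https://example.invalid/banner',        // placeholder URL
    style: { opacity: '1', position: 'static' },
    samples: [{ pointer: { x: 120, y: 300 }, frame: { x: 700, y: 50 } },
              { pointer: { x: 340, y: 410 }, frame: { x: 700, y: 50 } },
              { pointer: { x: 505, y: 95 }, frame: { x: 700, y: 50 } }] },
];

function auditFrames(frames) { return frames.map(classifyFrame); }
console.log(JSON.stringify(auditFrames(SAMPLE_FRAMES), null, 2));
```

A frame that is merely transparent, or merely positioned, only earns a warning, which mirrors the occasional false alarms the article mentions.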
