Researcher posted an example of a working worm code for Facebook
One group is already abusing this problem by placing spam on users' walls.
In late December, a Polish security researcher published details and an example of a working code that can be used to create a worm with all the necessary features for Facebook.
This code exploits the vulnerability of the Facebook platform, the abuse of which by a group of spammers was observed by a Polish researcher using the pseudonym Lasq on the Internet . The vulnerability is hidden in the mobile version of the pop-up dialogue, offering to share information with other users. There is no vulnerability on the desktop.
Lasq says that the vulnerability based on the Click-Jacking, exists in the mobile version of the share dialog, which the attacker uses through the iframe elements. The group of spammers, which, apparently, discovered this vulnerability before Lasq, uses it to place links to the walls of Facebook users.
As explained Lasq :
Yesterday a very annoying spam campaign took place on Facebook, during which many of my friends published a link that opened the AWS website. It was some kind of French comic book website - so who would not click on this link?
And after clicking on the link, a site appeared posted on AWS. He asked you to confirm that you are over 16 years old (in French) in order to gain access to the content. After clicking on the button, you really were sent to a page with a comic book and a bunch of ads. But at the same time, the link that you followed appeared on your Facebook wall.
The researcher said that he got to the heart of the problem, and it is that Facebook ignores the X-Frame-Options header in the share dialog in the mobile version. According to the documentation for MDN approved by the web industry, this header is used by sites to prevent their code from loading inside the iframe, and is the main protection against clickjacking.
Lasq said it had reported this issue on Facebook, but the company refused to correct it.
“As expected, Facebook did not consider this a problem, despite the fact that I was trying to explain what security implications it has,” he said. “They said that in order to consider clickjacking a security problem, the attacker should be able to change the account status (for example, disable security settings or delete the account).”
“In my opinion, they should fix it,” the researcher added. - As you can see, it will be extremely easy for an attacker to abuse this “feature” by deceiving people into sharing something on the wall. It is impossible to exaggerate the danger of such a possibility. Today, it is used for spam, but I can easily imagine more complex uses of this technology. ”
The researcher claims that this technique allows attackers to create self-propagating messages containing links to malicious or phishing sites.
In response to the appeal of ZDNet, Facebook said that they did not see this as a problem, as was the case with Lasq.
“We are grateful for the information received from this researcher, and at the moment we have begun work on this issue,” a Facebook representative said. “We have built in the possibility of a mobile version of the share dialogue in the iframe so that people can use it on third-party websites.”
“To prevent abuse of this function, we use clickjack detection systems for all products embedded in the iframe. We are constantly improving these systems based on the signals we receive, they told us on Facebook. “Regardless of this report, this week we have already improved the clickjacking detection system, which negates the risks described in the researcher’s report.”
The code from Lasq did not contain the part related directly to clickjacking, which places messages on users' walls, but a simple search on the Internet will give any attacker all the details and an example of the code needed to create it and add it to the published example. The code from Lasq allows an attacker to download and run third-party unauthorized code in a Facebook user account.