Facebook not doing enough to prevent clickjacking attacks, say users


Facebook not doing enough to prevent clickjacking attacks, say users

Warwick Ashford

Clickjacking worms are becoming an increasing problem on Facebook, and most people believe the firm is not doing enough to combat the problem, a poll by security firm Sophos has revealed.

Some 95% of people polled said Facebook should be doing more to prevent exploits of the "like" button facility.

Clickjacking involves tricking Facebook users into clicking on a link, which then automatically updates that user's Facebook page to say that they "like" a third-party web page.

This update is automatically shared with the user's Facebook friends via the website's newsfeed, helping the attacks to spread rapidly across the social network.

The latest attack was aimed at tricking Facebook users into "liking" a webpage entitled "101 Hottest Women in the World" using an image of actress Jessica Alba.

Although the attacks are yet to deliver malicious payloads, they demonstrate an exploitable weakness in the way that Facebook works, putting users at potential risk from further malware or phishing attacks, said Graham Cluley, senior technology consultant at Sophos.

"Facebook clearly hasn't been security-conscious enough in the implementation of its social 'like' plugin. This leaves the system open to abuse by spammers and scammers, and exposes users to the risk of outside threats," he said.

According to Cluley, one solution would be for Facebook to implement ways for members to make a more conscious decision as to whether they want to "like" third-party content or not.

Facebook could have a pop-up box asking whether users are sure they want to "like" a particular page, or offering the option to disable the third-party "like" feature entirely, he said.

"What is clear is that Facebook needs to set up a proper early-warning system to alert users about breaking threats. It seems wrong that the only place where Facebook users can read about the latest attacks is on the pages run by security vendors on Facebook, rather than Facebook's own security pages," said Cluley.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy