Facebook 'clickjacking' traps hundreds of thousands of users

Posted by Emma Woollacott

We really hope that if a Facebook friend of yours said they 'liked' a link labeled 'Justin Bieber's phone number', you wouldn't be tempted to click on it.

But according to security experts, hundreds of thousands of Facebook users are falling victim to this and other 'clickjacking' attacks. Clicking the link automatically recommends it to all the user's friends too.

The latest temptation, says Sophos senior technology consultant Graham Clueley, is 'Paramore n-a-k-ed photo leaked!' - which purports to link to a nude photo of lead singer Hayley Williams.

Clicking the link takes users to a third-party website which asks them to confirm that they are over 18.

"What the hackers have actually done is very sneaky. They have hidden an invisible button under your mouse, so wherever you click on the website your mouse-press is hijacked," explains Clueley.

"As a consequence, when you click with the mouse you're also secretly clicking on a button which tells Facebook that you 'like' the webpage. This then gets published on your own Facebook page, and shared with your online friends, resulting in the link spreading virally."

All the attacks seem to be doing at present is getting as many people as possible to 'like' the links. But they could, Sophos warns, be used to spread malware.

Richard Cohen of Sophos Canada says that Facebook's own documentation tells developers how to get users to 'like' their links.
"Reading this documentation makes it clear quite how obvious a target all this is to those with a nefarious bent, and I’d expect to see a lot more of this in the future," he says.

And Clueley adds, "It's clear that Facebook needs to tighten up the way it handles the 'liking' of external webpages before it is even more widely abused by malicious hackers and spammers."