Researcher demos clickjacking attack on Facebook

Summary: A demo exploit shows how easy it is to trick Facebook users into adding apps or other malicious content by hijacking clicks on what appear to be harmless links.

An Israeli security researcher has found a way to perpetrate so-called clickjacking attacks on Facebook, proving that it's trivial to manipulate the social network's security and privacy mechanisms.

A demo exploit released by Shlomi Narkolayev shows how easy it is to trick Facebook users into adding apps or other malicious content by hijacking clicks on what appear to be harmless links.

In the example (see video below), Narkolayev demonstrates the clickjacking attack on a Facebook user who is logged into the site.


Here's Narkolayev's explanation:

I could write a malicious application that steals users' personal info, or even a simple application that builds me a botnet of users for malicious purposes like hacking systems for SQL injections and DDoS attacks.

Using clickjacking I could also fool users into clicking whatever I want: adding me as their friend, deleting their account, and even opening their camera and microphone using Flash (versions older than 10.x), or installing Facebook applications that post their web camera and microphone every time they connect to Facebook. Just use your imagination on what you want others to click on.


Narkolayev also released a demo exploit that overlays a blank page over Google's search page, making the clicked link invisible to the target.
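Both demos work because the target page can be loaded inside a frame on a page the attacker controls; the defence is for the target site to tell the browser who is allowed to frame it. The following is an added example (not code from the article or from the researcher) that evaluates a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers the way current browsers do, so a defender can check whether a page such as a settings or "add app" page is frameable by an arbitrary origin. The header sets and hostnames are constructed for illustration, and port numbers inside frame-ancestors host-sources are ignored.

```python
from urllib.parse import urlparse

def origin(url):
    """scheme://host[:port] of a URL, lowercased; default ports are omitted."""
    p = urlparse(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    port = "" if p.port in (None, default) else f":{p.port}"
    return f"{p.scheme}://{p.hostname}{port}".lower()

def source_matches(src, embedder, page):
    """Does one frame-ancestors source expression permit `embedder` to frame `page`?"""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin(embedder) == origin(page)
    if src == "*":
        return True
    if src.endswith(":"):                        # scheme-source, e.g. "https:"
        return embedder.lower().startswith(src)
    scheme, _, host = src.rpartition("://")      # host-source with optional scheme
    e = urlparse(embedder)
    if scheme and e.scheme != scheme:
        return False
    if host.startswith("*."):                    # wildcard never matches the bare domain
        return e.hostname.endswith(host[1:])
    return e.hostname == host.split(":")[0]      # port in the source is ignored here

def frameable_by(headers, page_url, embedder_url):
    """True if a spec-following browser lets `embedder_url` frame `page_url`,
    given the page's response headers (dict, header names in any case)."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # frame-ancestors is authoritative; X-Frame-Options is then ignored.
            # An empty source list behaves like 'none'.
            return any(source_matches(s, embedder_url, page_url) for s in tokens[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin(embedder_url) == origin(page_url)
    # No header, or a value the HTML spec does not recognise (e.g. ALLOW-FROM): framing allowed
    return True

# Constructed sample responses; not captured from any real site.
UNPROTECTED = {"Content-Type": "text/html"}
XFO_SAMEORIGIN = {"X-Frame-Options": "SAMEORIGIN"}
CSP_ALLOWLIST = {"X-Frame-Options": "DENY",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example"}
```

Running `frameable_by` against a site's real response headers with an attacker-controlled embedder origin is a quick way to confirm that a clickjacking-sensitive page is actually protected rather than relying on the presence of a header alone.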


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
