Social-networking site Facebook's recent changes have been made with the best of intentions. Unfortunately, they leave the door open to those whose motives are less than honourable, says Rik Ferguson.
In the past, the tabs that could be added to Facebook Pages have been set up in two ways. The first used the Facebook Markup Language (FBML) app, which allowed page tabs to be created using static FBML or HTML. It wasn't particularly engaging, but it was very simple to use.
The second method for creating page tabs was by adding a custom Facebook app embedded inside a standard FBML tab. This approach meant the custom app could request external data from a third party and display it inside the page tab. It worked fine, but the external content was subject to many technical limitations, as it was all proxied through Facebook.
Facebook infrastructure changes
That proxying process broke many things, including tracking pixels, JavaScript and Flash. In what looks like an attempt to make Facebook Pages more attractive to web developers, the platform has undergone a few changes.
So what is the big deal? Facebook now allows iFrames to be included inside Facebook apps on page tabs, so all that Facebook proxying can be avoided. While this change is probably great news for legitimate developers, it will undoubtedly also make life much easier for those with malicious intent.
These changes to the Facebook page infrastructure mean it is now possible to set up a Facebook page, create a default landing tab — the one you first see when you visit the page — and include an app that contains an iFrame.
That iFrame can, of course, contain JavaScript that immediately and without user interaction redirects you to any site it chooses. So, for example, it could send you to a page containing fake antivirus or a page where an exploit kit is waiting to infect you silently with malware.
iFrames have long been a favoured tool for cybercriminals. For several years now, criminals have been injecting iFrames into vulnerable legitimate websites that they are able to compromise. The iFrames are coded to be invisible to the naked eye and often contain nothing more than a short but heavily obfuscated piece of JavaScript.
The net effect of the script is to redirect unsuspecting visitors of these compromised sites elsewhere, most often to pages hosting fake antivirus or to servers hosting exploit kits. An exploit kit is designed to seek out vulnerabilities present on the computer that hits the criminal site and use them to install malware silently. This technique is known as a drive-by attack.
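A defender-side check for the invisible iFrames and unconditional redirect scripts described above, written as an added example rather than code from the original column. The heuristics (zero-size or hidden-style iframes, `location` assignments inside script blocks, meta refresh tags) and the constructed sample page are assumptions of this example, not detection rules Facebook or the author published.

```python
"""Flag hidden iframes and immediate-redirect scripts in a page's HTML (hypothetical heuristics)."""
import re
from html.parser import HTMLParser

# Inline styles commonly used to keep an injected iframe out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Script fragments that navigate away without any user interaction.
REDIRECT_JS = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=|location\.replace\s*\(", re.I)


class IframeAuditor(HTMLParser):
    """Collect (kind, detail, reason) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            reasons = []
            width, height = a.get("width") or "", a.get("height") or ""
            if width.strip() in ("0", "0px") or height.strip() in ("0", "0px"):
                reasons.append("zero-size")
            if HIDDEN_STYLE.search(a.get("style") or ""):
                reasons.append("hidden-style")
            if reasons:
                self.findings.append(("iframe", a.get("src") or "", ",".join(reasons)))
        elif tag == "script":
            self._in_script = True  # HTMLParser hands script bodies to handle_data
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content") or "", "auto-redirect"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and REDIRECT_JS.search(data):
            self.findings.append(("script", data.strip()[:60], "redirect"))


def audit_html(html):
    """Return the list of suspicious iframes and redirect scripts found in html."""
    parser = IframeAuditor()
    parser.feed(html)
    return parser.findings


# Constructed sample page: one hidden iframe, one benign iframe, one instant redirect.
SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="https://example.invalid/t" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="https://example.org/video" width="640" height="360"></iframe>
<script>window.location.href="https://example.invalid/landing";</script>
</body></html>"""
```

Running `audit_html(SAMPLE)` reports the zero-size hidden iframe and the redirecting script but leaves the visible video embed alone; the heuristics catch only plain `location` assignments, so obfuscated redirects still need the script body decoded first.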
Exploit kits are becoming increasingly popular in criminal circles as they are very user-friendly, effective and simple to use. Their primary purpose is to aid in botnet recruitment.
Of course Facebook asks its developers to agree to a code of conduct that prohibits such activities. But when it comes to criminals, that's a bit like taking a driving licence away from a joyrider.