Social-networking site Facebook's recent changes have been made with the best of intentions. Unfortunately, they leave the door open to those whose motives are less than honourable, says Rik Ferguson.
Facebook has made some important changes to the way Facebook Pages — the fan pages set up by brands, bands and even cucumbers — can be created.
Until now, tabs could be added to these pages in two ways. The first used the Facebook Markup Language (FBML) app, which allowed page tabs to be built from static FBML or HTML. It wasn't particularly engaging, but it was very simple to use.
The second method for creating page tabs was by adding a custom Facebook app embedded inside a standard FBML tab. This approach meant the custom app could request external data from a third party and display it inside the page tab. It worked fine, but the external content was subject to many technical limitations, as it was all proxied through Facebook.
So what is the big deal? Facebook now allows iFrames to be included inside Facebook apps on page tabs. The third party's content is therefore loaded straight into the visitor's browser, outside Facebook's proxy and the limitations that came with it. While this change is probably great news for legitimate developers, it will undoubtedly also make life much easier for those with malicious intent.
These changes to the Facebook page infrastructure mean it is now possible to set up a Facebook page, create a default landing tab — the one you first see when you visit the page — and include an app that contains an iFrame.
No more need for 'clickjacking', in which users are tricked into clicking a hidden control that, for instance, posts a Facebook status update on their behalf, and no more having to persuade users to install your app. If a criminal can make the bait sweet enough just to get you to visit the page, that is all they will require to start the chain that leads to your computer being compromised and used for criminal purposes.
The script loaded in that iFrame has the net effect of redirecting unsuspecting visitors away from Facebook, most often to pages hosting fake antivirus or to servers hosting an exploit kit. An exploit kit probes the visiting browser and its plug-ins for known vulnerabilities and uses any it finds to install malware silently, with no further action from the user. This technique is known as a drive-by download.
Exploit kits are becoming increasingly popular in criminal circles because they are effective and simple to use. Their primary purpose is to aid in botnet recruitment.
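To make the chain described above concrete, here is an added example that is not code from the article, from Facebook or from Trend Micro: a small Node.js triage script that scans the HTML an iFrame page tab would load and flags the two ingredients the article describes, content pulled from hosts outside an allow-list and redirect logic (meta refresh, JavaScript location assignments) of the kind used to bounce visitors on to fake-antivirus pages or exploit-kit servers. The allow-list, the hostnames and the two sample documents are constructed for illustration.

```javascript
// Added example, not code from the article, Facebook or Trend Micro.
// Triage scanner for the HTML an iframe page tab loads: flags content pulled
// from hosts outside an allow-list and redirect logic of the kind used to
// bounce visitors to fake-antivirus pages or exploit-kit servers.

// Assumption: hosts the page owner legitimately embeds. Anything else is flagged.
const ALLOWED_IFRAME_HOSTS = ['facebook.com', 'fbcdn.net', 'example-brand.com'];

// Redirect patterns worth a second look. Regexes over HTML are a triage aid,
// not a parser; obfuscated scripts will evade them.
const REDIRECT_PATTERNS = [
  { type: 'meta-refresh',
    re: /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*>/i },
  { type: 'js-location-assign',
    re: /\b(?:window|document|top|parent|self)?\.?location(?:\.href)?\s*=\s*[^=]/i },
  { type: 'js-location-call',
    re: /\blocation\.(?:replace|assign)\s*\(/i },
];

// Exact match or subdomain of an allowed host; case-insensitive.
function hostAllowed(hostname, allowed) {
  const h = hostname.toLowerCase();
  return allowed.some(d => h === d || h.endsWith('.' + d));
}

// Pull every iframe src attribute out of the markup.
function extractIframeSources(html) {
  const srcs = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Returns a list of { type, detail } findings for one HTML document.
function scanContent(html, allowed = ALLOWED_IFRAME_HOSTS) {
  const findings = [];
  for (const src of extractIframeSources(html)) {
    let host;
    try {
      // Relative URLs are resolved against the page-tab origin (assumption).
      host = new URL(src, 'https://www.facebook.com/').hostname;
    } catch (e) {
      findings.push({ type: 'iframe-unparseable-src', detail: src });
      continue;
    }
    if (!hostAllowed(host, allowed)) {
      findings.push({ type: 'iframe-external-host', detail: host });
    }
  }
  for (const p of REDIRECT_PATTERNS) {
    if (p.re.test(html)) findings.push({ type: p.type, detail: null });
  }
  return findings;
}

// 'suspicious' when off-site content and a redirect occur together, which is
// the chain the article describes; 'review' for either on its own.
function verdict(findings) {
  const types = new Set(findings.map(f => f.type));
  const offsite = types.has('iframe-external-host') || types.has('iframe-unparseable-src');
  const redirect = REDIRECT_PATTERNS.some(p => types.has(p.type));
  if (offsite && redirect) return 'suspicious';
  if (findings.length > 0) return 'review';
  return 'clean';
}

// Constructed samples (not real pages). The hostnames are invented.
const MALICIOUS_TAB = `<html><head>
<meta http-equiv="refresh" content="0;url=http://promo-cdn.example.net/landing">
</head><body><h1>Win a free tablet!</h1>
<iframe src="http://promo-cdn.example.net/offer" width="1" height="1" style="display:none"></iframe>
<script>window.location = "http://promo-cdn.example.net/landing";</script>
</body></html>`;

const BENIGN_TAB = `<html><body><h1>Tour dates</h1>
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample-brand.com"></iframe>
<iframe src="/example-brand/app_tab"></iframe>
<script>var here = document.location.pathname; if (here == "/") { }</script>
</body></html>`;

function demo() {
  for (const [name, html] of [['malicious', MALICIOUS_TAB], ['benign', BENIGN_TAB]]) {
    const f = scanContent(html);
    console.log(name, verdict(f), JSON.stringify(f));
  }
}
demo();
```

Because Facebook no longer proxies the tab's content, what the visitor's browser receives is whatever the third-party server chooses to send at that moment, so any real check has to fetch the iFrame target itself rather than trusting the app's registered URL, and a redirect that only fires for certain browsers or referrers will only be seen by fetching it the way a victim's browser would.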
Of course Facebook asks its developers to agree to a code of conduct that prohibits such activities. But when it comes to criminals, that's a bit like taking a driving licence away from a joyrider.
Rik Ferguson is director of security research and communications, EMEA, at Trend Micro. He has over 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox.