Researcher demos clickjacking attack on Facebook

A demo exploit shows how easy it is to trick Facebook users into adding apps or other malicious content by hijacking clicks on what appear to be harmless links.
Written by Ryan Naraine, Contributor

An Israeli security researcher has found a way to perpetrate so-called clickjacking attacks on Facebook, proving that it's trivial to manipulate the social network's security and privacy mechanisms.

A demo exploit released by Shlomi Narkolayev shows how easy it is to trick Facebook users into adding apps or other malicious content by hijacking clicks on what appear to be harmless links.

In the example (see video below), Narkolayev demonstrates the clickjacking attack on a Facebook user who is logged into the site.

[ SEE: Clickjacking: Researchers raise alert for scary new cross-browser exploit ]

Here's the explanation:

I could write a malicious application that steals users' personal info, or even a simple application that builds for me a botnet of users for malicious purposes like hacking systems for SQL injections and DDoS attacks.

Using ClickJacking I could also fool users into clicking whatever I want: adding me as their friend, deleting their account, and even opening their camera and microphone using Flash (versions older than 10.x), or installing Facebook applications that post their web camera and microphone every time they connect to Facebook. Just use your imagination on what you want others to click on.

[ SEE: Adobe Flash ads launching clipboard hijack attack ]

Narkolayev also released a demo exploit that overlays a blank page over Google's search page, making the clicked link invisible to the target.