95% say Facebook needs to do more to fight clickjacking worms, poll reveals

Filed Under: Clickjacking, Facebook, Malware, Social networks, Spam

Facebook isn't doing enough to protect members from a recent spate of clickjacking attacks on the popular social networking site.

That's the verdict of 95% of the 600 people we polled overnight after the latest attack that struck the social network, tricking users into 'liking' a webpage entitled '101 Hottest Women in the World'.

[Image: Facebook clickjacking poll]

The scams, dubbed 'likejacking' by Sophos, exploit the 'Like' button facility by automatically updating a user's Facebook status to 'like' a third party webpage without the user realising that they have clicked a button at all.

The update is then automatically shared with a user's Facebook friends via the website's newsfeed, helping the attacks to spread rapidly across the social network.

[Image: 101 Hottest Women in the World clickjacking attack]

Although the attacks are yet to deliver malicious payloads, they demonstrate an exploitable weakness in the way that Facebook works, putting users at potential risk from future malware or phishing attacks.

[Image: Paramore n-a-k-ed photo leaked! malicious clickjacking message]

Facebook clearly hasn't been security-conscious enough in the implementation of its social 'Like' plugin. This leaves the system open to abuse by spammers and scammers, and can expose users to the risk of outside threats.

[Image: Facebook clickjacking attack: Girl gets owned after a police officer reads her status message]

One solution would be for Facebook to implement ways for members to make a more conscious decision as to whether they want to 'Like' third-party content or not. By having a pop-up box asking whether users are sure they want to 'Like' a particular page, or offering the option to disable the third-party 'Like' feature entirely, the spread of these attacks would be much easier to control.

Furthermore, it's clear that Facebook needs to set up a proper early-warning system to alert users about breaking threats. It seems wrong that the only place where Facebook users can read about the latest attacks is on the pages run by security vendors on Facebook, rather than Facebook's own security pages.

Interested in learning more? You can read about the "likejacking" problem affecting Facebook and - if you're a regular user of the social networking site - be sure to join the Sophos page on Facebook to be kept informed of the latest security threats.

Note: Please bear in mind that this poll is not scientific and is provided for information purposes only. Sophos makes no guarantees about the accuracy of the results other than that they reflect the choices of the users who participated.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.