Researcher publishes proof-of-concept code for creating Facebook worm

A Polish security researcher has today published details and proof-of-concept code that could be used to create a fully functional Facebook worm.

The code exploits a vulnerability in the Facebook platform that the researcher, who goes online under the pseudonym Lasq, has seen being abused in the wild by a Facebook spammer group.

The vulnerability resides in the mobile version of the Facebook sharing dialog/popup. The desktop version is not affected.

Lasq says that a clickjacking vulnerability exists in this mobile sharing dialog that an attacker can exploit via iframe elements. The spammer group, which appears to have discovered the issue before Lasq, has been (ab)using this vulnerability to post links on people's Facebook walls.

Lasq explains:

So, yesterday there was this very annoying SPAM campaign on Facebook, where a lot of my friends published a link to what seemed like a site hosted on an AWS bucket. It was some link to a French site with funny comics, who wouldn't click it, right?

After you clicked on the link, the site hosted on the AWS bucket appeared. It asked you to verify if you are 16 or older (in French) in order to access the restricted content. After you clicked on the button, you were indeed redirected to a page with a funny comic (and lots of ads). However, in the meantime the same link you just clicked appeared on your Facebook wall.

The researcher said he tracked the issue at the heart of this problem down to Facebook ignoring the "X-Frame-Options" security header for the mobile sharing dialog. According to the industry-standard MDN web docs, this header is used by sites to prevent their pages from being loaded inside iframes, and it is a primary defense against clickjacking attacks.
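To make the header check concrete, the following is an added example written for this article; it is not Lasq's proof-of-concept and not Facebook code. It decides, for a set of response headers, whether an arbitrary third-party site would be able to frame the page, honouring both the X-Frame-Options header the article mentions and the Content-Security-Policy frame-ancestors directive that supersedes it. The origins, header sets and the "share_dialog_*" names are constructed placeholders, origin matching is deliberately simplified (no port handling), and unrecognised X-Frame-Options values are treated as if the header were absent, which is an assumption made here so the audit errs toward reporting exposure.

```python
"""Decide whether response headers stop a page from being framed by a third party.

Illustrative defender-side code written for this article (not Lasq's PoC, not
Facebook's code). Sample headers and origins below are constructed.
"""
from typing import Dict, List, Optional, Tuple


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def _source_matches(source: str, embedder: str, page: str) -> bool:
    """Match one frame-ancestors source against the embedding page's origin (simplified)."""
    if source == "none":
        return False
    if source == "self":
        return embedder == page
    if source == "*":
        return True
    if source.endswith(":"):            # scheme-only source such as https:
        return embedder.startswith(source)
    if source.startswith("*."):          # wildcard host such as *.example.com
        host = embedder.split("://", 1)[-1]
        return host.endswith(source[1:])
    return embedder == source            # exact origin (assumption: no port handling)


def framing_allowed(headers: Dict[str, str], page_origin: str,
                    embedder_origin: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for the page at page_origin framed by embedder_origin.

    Precedence follows the CSP specification: when a frame-ancestors directive is
    present, the browser ignores X-Frame-Options entirely.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            allowed = any(_source_matches(s, embedder_origin, page_origin) for s in sources)
            return allowed, "frame-ancestors " + " ".join(sources)

    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return False, "X-Frame-Options: DENY"
        if value == "SAMEORIGIN":
            return embedder_origin == page_origin, "X-Frame-Options: SAMEORIGIN"
        # ALLOW-FROM was never supported by Chrome/Safari and has been dropped by
        # Firefox. Assumption for this audit: an unrecognised value is treated as
        # no protection, so the report errs toward flagging exposure.
        return True, "X-Frame-Options value not enforced: " + repr(xfo)

    # Neither header: any site can embed this page in an iframe, which is the
    # situation the article describes for the mobile share dialog.
    return True, "no framing protection header"


# Constructed sample responses (placeholders, not captured from any real site).
SAMPLES: Dict[str, Dict[str, str]] = {
    "share_dialog_mobile": {"Content-Type": "text/html"},   # no framing header at all
    "share_dialog_hardened": {"X-Frame-Options": "DENY"},
    "embeddable_widget": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example"
    },
}


def audit(page_origin: str = "https://app.example",
          embedder: str = "https://attacker.example") -> Dict[str, bool]:
    """Run every sample through framing_allowed; True means the embedder can frame it."""
    return {name: framing_allowed(h, page_origin, embedder)[0] for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, exposed in audit().items():
        print(f"{name:24s} framable by third party: {exposed}")
```

The audit reports the header-less sample as framable by any origin, the DENY sample as never framable, and the CSP sample as framable only by the page itself or the listed partner origin. Run against real responses, the same function is the check a defender would add to a header-hygiene scan for any endpoint that performs a state-changing action on a single click.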

Lasq said he reported the issue to Facebook, but the company declined to patch it.

"As expected Facebook declined the issue, despite me trying to underline that this has security implications," he said. "They stated that for the clickjacking to be considered a security issue, it must allow an attacker to somehow change the state of the account (so for example disable security options, or remove the account)."

"In my opinion they should fix this," the researcher added. "As you can see this 'feature' can be extremely easily abused by an attacker to trick Facebook users into unwillingly sharing something on their wall. I can't stress enough how dangerous this is. This time it was only exploited to spread spam, but I can easily think of much more sophisticated usage of this technique."

The researcher argues that this technique allows threat actors to easily concoct self-propagating messages that spread malware or phishing sites.

Contacted by ZDNet, Facebook played down the issue, as it did with Lasq.

"We appreciate the researcher's report and the time he put into working on this," said a Facebook spokesperson. "We built the current capability for the mobile social plugin/share dialog to be iframed to enable people to have integrated Facebook sharing experiences on third-party websites."

"To help prevent abuse, we use clickjacking detection systems for any iframeable plugin product. We continuously improve these systems based on signals we observe," Facebook told us. "Independently of this report, earlier this week we made improvements to our clickjacking detections that mitigate the risks described in the researcher's report."

Side note: Lasq's code doesn't include the clickjacking part, the one that posts content on people's walls, but a simple web search would provide any bad actor with the details and sample code to build that part and add it to the current PoC. Lasq's code only allows an attacker to load and run unauthorized code from an attacker on a Facebook user's account.
